Venafi / VenafiPS

Powershell module to fully automate your Venafi TLS Protect Datacenter and Cloud platforms!
https://venafips.readthedocs.io/
Apache License 2.0

Renew certificates that were previously generated using user supplied CSR #267

Closed B-Meow closed 4 months ago

B-Meow commented 4 months ago

Seeking advice on how to do a bulk renew certificates that were previously generated using user supplied CSR with venafiPS.

Invoke-VdcCertificateAction -Path $Renew_cert.Path -Renew -AdditionalParameter @{'Format'='Base64 (PKCS #8)';'IncludePrivateKey'='true';'Password'='xxxxxxxxxxx'}

The error message received {"Error":"Certificate renew mismatch. Certificate \"\\", which originated from a user provided CSR, requires a PKSC#10","Success":false}

Using GUI, we need to change the CSR generation option from "I will generate my CSR" to "Generate a CSR for me".

We would like to do the same using VenafiPS to perform the certificate renewals, retaining the renewal details of the existing certificates and having Venafi generate a new private key.

Another option we are exploring is importing private key from devices to the existing certificates, but unsure which venafiPS function that we should use.

gdbarron commented 4 months ago

Hi @B-Meow. To switch from user supplied to system generated CSRs, you can use Set-VdcAttribute -Attribute @{'Manual CSR' = $null} and either provide the path or pipe in a list of objects. For example, to find and switch all user provided CSR certs Find-VdcObject -Attribute 'Manual CSR' -Pattern '1' | Set-VdcAttribute -Attribute @{'Manual CSR' = $null}.

To import just the private key, use Import-VdcCertificate and provide the existing certificate data along with the new private key. I haven't tried this myself, but according to the docs this is the way to do it.
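The bulk procedure gdbarron describes above (find the user-supplied-CSR certificates, clear 'Manual CSR', then renew), written out as an added PowerShell example. This is not code from the issue thread or from the VenafiPS project; it assumes a VenafiPS session already exists (New-VenafiSession), that the cmdlets behave as the thread uses them, and that Get-VdcCertificate -Path returns the ProcessingDetails object shown later in the thread. The $PolicyFolder filter and the -ReportOnly switch are illustrative additions.

```powershell
# Added example, not the module's own code. Bulk-switch certificates that were
# enrolled with a user-supplied CSR to service-generated CSRs and renew them.
# Assumes: an existing VenafiPS session (New-VenafiSession), and that the
# cmdlets used in this thread behave as shown there.
param(
    [Parameter(Mandatory)][string]$PolicyFolder,   # hypothetical scope filter, e.g. '\VED\Policy\Apps\Web'
    [switch]$ReportOnly                             # list affected certificates without changing anything
)

# 1. Find every certificate whose CSR was user supplied ('Manual CSR' = 1), as in the
#    thread, then narrow to the folder we are allowed to touch. Filtering on the
#    returned Path avoids depending on any extra Find-VdcObject parameters.
$manualCsrCerts = Find-VdcObject -Attribute 'Manual CSR' -Pattern '1' |
    Where-Object { $_.Path -like "$PolicyFolder\*" }

if (-not $manualCsrCerts) {
    Write-Warning "No user-supplied-CSR certificates found under $PolicyFolder"
    return
}

if ($ReportOnly) {
    # Dry run: show what would be changed so the scope can be reviewed first.
    $manualCsrCerts | Select-Object Path, TypeName
    return
}

$report = foreach ($cert in $manualCsrCerts) {
    # 2. Clear 'Manual CSR'. This is the scripted equivalent of switching the GUI option
    #    from "I will generate my CSR" to "Generate a CSR for me"; the platform will now
    #    generate both the CSR and a fresh private key at renewal time.
    Set-VdcAttribute -Path $cert.Path -Attribute @{ 'Manual CSR' = $null }

    # 3. Trigger the renewal. No PKCS#10 is supplied because the CSR is now server-generated.
    $renew = Invoke-VdcCertificateAction -Path $cert.Path -Renew

    # 4. Success=true only means the request was accepted. Re-read the object and check
    #    ProcessingDetails, which is where the thread's "Index was outside the bounds"
    #    error surfaced after an apparently successful renew call.
    $state = Get-VdcCertificate -Path $cert.Path
    $details = $state.ProcessingDetails

    [pscustomobject]@{
        Path      = $cert.Path
        Submitted = [bool]$renew.Success
        InError   = [bool]$details.InError
        Status    = $details.Status
    }
}

# Surface the certificates that need manual follow-up (e.g. the GUI "Save Renewal
# Settings" / "Retry Renewal" workaround from the thread, or a support case).
$report | Format-Table -AutoSize
$failed = $report | Where-Object { $_.InError -or -not $_.Submitted }
if ($failed) {
    Write-Warning ("{0} certificate(s) did not renew cleanly:`n{1}" -f $failed.Count, ($failed.Path -join "`n"))
}
```

Run it once with -ReportOnly to confirm the folder filter selects only the intended certificates before clearing any attributes; Set-VdcAttribute needs a token with the configuration scope (the thread reports success with @{'certificate'='manage,revoke';'configuration'='manage'}). If you do pass a private-key download password via -AdditionalParameter, keep it out of script literals and source it from a secret store instead.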

B-Meow commented 4 months ago

Hi @gdbarron, I really appreciate your help on this question. After running Set-VdcAttribute -Attribute @{'Manual CSR' = $null}, I am able to invoke the renew action and the output shows Success = true. However, when I query the certificate with Get-VdcCertificate, it shows there's an error.

ProcessingDetails : @{InError=True; Status=Certificate processing encountered an unexpected error. Error: Index was outside the bounds of the array.}

In the GUI, I can fix it by selecting "Action" - "Renew Details" and selecting "Edit". All the fields with * have correct information populated from the existing certificate, and CSR generation is correctly set to "Generate a CSR for me". I don't have to change anything, just select "Save Renewal Settings". After that I can select "Retry Renewal" to renew the certificate.

Not sure what else I need: more permissions or additional attribute(s)? The scope/access that the credential has is @{'certificate'='manage,revoke';'configuration'='manage'}

gdbarron commented 4 months ago

@B-Meow it might be best to work with support to ensure there isn't something larger at play here given the Index error. If there's anything you need to automate after speaking with them, feel free to ask here or on our community site.