Go client SDK and command line utility designed to simplify integrations by automating key generation and certificate enrollment using Venafi machine identity services.
PROBLEM SUMMARY
Using the --replace-instance flag when enrolling a certificate by providing the CSR file does not work and instead returns the "ObjectAlreadyExists" error message which it is supposed to address. When using VCert or Service generated private keys, everything works as expected.
Looking at the VCert outputs below (comments section), it appears to be a problem when retrieving the GUID for the newly created certificate object.
When Venafi generates the private key, the GUID retrieval targets the correct object and Device/App objects get recreated as expected.
When the user provides a CSR, the GUID retrieval targets the provided ZONE instead of the certificate object and the process fails.
STEPS TO REPRODUCE
Create CSR locally.
Use VCert to enroll a cert using the CSR. This will succeed but the output will be incorrect as noted above.
(e.g. vcert enroll -u $tlspd_url -t $tlspd_token -z "Venafi Internal\Testing\VCert" --csr file:testB.csr --instance TestDevice:TestApp --key-password "Password123!")
Use VCert to enroll again while specifying the --replace-instance flag. This will fail, likely due to the GUID issue described above.
(e.g. vcert enroll -u $tlspd_url -t $tlspd_token -z "Venafi Internal\Testing\VCert" --csr file:testB.csr --instance TestDevice:TestApp --replace-instance --key-password "Password123!")
EXPECTED RESULTS
Subsequent renewal operations should replace the existing Device/App objects. I would expect the behavior to be consistent when using any form of key generation.
ACTUAL RESULTS
Subsequent renewal operations fail with "ObjectAlreadyExists."
PROBLEM SUMMARY Using the
--replace-instance
flag when enrolling a certificate by providing the CSR file does not work and instead returns the "ObjectAlreadyExists" error message which it is supposed to address. When using VCert or Service generated private keys, everything works as expected.Looking at the VCert outputs below (comments section), it appears to be a problem when retrieving the GUID for the newly created certificate object.
STEPS TO REPRODUCE
vcert enroll -u $tlspd_url -t $tlspd_token -z "Venafi Internal\Testing\VCert" --csr file:testB.csr --instance TestDevice:TestApp --key-password "Password123!"
)--replace-instance
flag. This will fail, likely due to the GUID issue described above. (e.g.vcert enroll -u $tlspd_url -t $tlspd_token -z "Venafi Internal\Testing\VCert" --csr file:testB.csr --instance TestDevice:TestApp --replace-instance --key-password "Password123!"
)EXPECTED RESULTS Subsequent renewal operations should replace the existing Device/App objects. I would expect the behavior to be consistent when using any form of key generation.
ACTUAL RESULTS Subsequent renewal operations fail with "ObjectAlreadyExists."
ENVIRONMENT DETAILS TLS Protect Datacenter 23.1.3 VCert v5.1.1
COMMENTS/WORKAROUNDS
Successful subsequent renewal when Venafi generates private key and CSR:
Failed subsequent renewal when user provides CSR (notice line 4 is missing the cert object after the initial zone):