BTech
	BTech Alerts & Notifications - Check this page for the latest information on emergencies and system outages. All times are Pacific.
	TLS/SSL Certificates Overview, 1000060634. Intermediate Certificate Renewal Process. DigiCert Certificate Process.
Certificate Information

Overview

• The following will guide you through updating the Intermediate Certificate Renewal.
• This process may also be referred to as the Certificate Renewal List (CRL).
• This certificate cannot be viewed on DigiCert.com or any other portal since it is generated on the Swinerton network.
• This process is tied to the notification that is sent by the License Renewal Reminders from Freshservice.
• These steps can be performed during business hours without any service interruptions.

Important Notes

 This process needs to be performed every 6 months.

Failure to update the certificate will result in authentication issues with any system that utilizes private, SI.ADS, PKI/Certificates.

All workstation client certificates will fail to authenticate if the CRL hasn’t been updated before the certificate expiration date.

Impacted systems include LDAP, Domain Controllers, and some internal websites.

 To view the expiration date, check the properties on the ‘Swinerton Root CA’ certificate and look for the ‘Next update’ date.

The expiration time on the certificate is Universal Time, not Pacific Time.

 If the certificate isn’t updated before the expiration time listed in Step 7, there will be authentication failures that will appear early when compared to the current Pacific time.

Services and Server Names Required

• Azure Portal - Virtual Machines
• CyberArk - Server Password  
• Freshservice - Contracts
• ITWEB01 server
• SIROOTCA01 server
• SISUBCA01 server

Intermediate Certificate Renewal Process

1. Use the Azure Portal to power up the server SIROOTCA01 (10.60.4.37).
   • A Change Control entry is required for this certificate update:
     • https://support.swinerton.com/itil/changes/new
     • The server is powered off for security reasons and will be powered off after updating the Intermediate Certificate.
2. The SIROOTCA01 server isn’t in the domain for security reasons, so a local admin account will need to be used to log onto the server.
   • The password is stored in CyberArk and can be found using the server's name.
3. Log into SIROOTCA01 using the IP address (10.60.4.37) and the local administrator account from CyberArk.
4. To check the current CRL expiry, launch certsrv
   1. Click Start
   2. Search for "Run"
   3. Click Run
   4. Input certsrv.msc /e
   5. Click OK
      
5. Open the Certificate Revocation List and view the most recent entries.
6. The next expiration will show under the “CRL Next Update” column.
   
7. The next step will generate a new certificate. 
   • Open a command prompt and run the following command:

     certutil -CRL

     Generic

     
     

     
     
8. Since the SIROOTCA01 server isn’t on the domain, it’s easier to browse to the two other servers to perform the upcoming steps. 
   • The next two steps will prompt you to enter your SI Admin account.

9. Open File Explorer and browse to: 

   \\itweb01.si.ads\crldata$

   Generic
   • Set a Map a network Drive.
     
     

10. Open another File Explorer and browse to: 

    \\sisubca01.si.ads\c$

    Generic

    • Set a Map a network Drive.
      
      

11. The image below shows Steps 13 through 15.

    
    
    

12. Backup the existing certs on ITWEB01 by copying them into the Backup Certs folder.

    copy "\\itweb01.si.ads\crldata$\Swinerton Root CA*.crl" "\\itweb01.si.ads\crldata$\Backup Certs" /Y

    Generic

    
    

13. Copy the new certificate files that were generated to the ITWEB01 server using the following command:

    copy %windir%\system32\certsrv\certenroll\*.crl \\itweb01.si.ads\crldata$ /Y

    Generic
    
    
14. Backup the existing certs on SISUBCA01 by copying them into the Backup Certs folder.

    copy "\\sisubca01.si.ads\c$\Swinerton Root CA*.crl" "\\sisubca01.si.ads\c$\Backup Certs" /Y

    Generic
    
    
15. Copy the new certificate files that were generated to the SISUBCA01 server using the following command:

    copy %windir%\system32\certsrv\certenroll\*.crl \\sisubca01.si.ads\c$ /Y

    Generic
    
    
16. Log into SISUBCA01 using your admin account to publish the Root CRL to LDAP.
    • Open a command prompt and run the following commands:

      certutil -dspublish -f “c:\Swinerton Root CA.crl”

      Generic

      
      

      certutil -dspublish -f “c:\Swinerton Root CA(1).crl”

      Generic

      
      

      
      
      
17. Verify that the certificate has been updated by viewing the new expiration date by using Step 5 above.
18. Update the Contract Renewal in Freshservice using the next certificate expiration date:
    https://support.swinerton.com/cmdb/contracts/113
    
    
19. Subtract two days from the actual expiration date to allow more time for the next certificate expiration.
    •  Example May 5th should change to May 3rd on the Contract Expiration. 
       Important Note: Remember to ‘Submit for Approval’ for the changes to take effect. 
      
      
      
      
20. Add a calendar reminder in Outlook for ‘Intermediate Certificate Renewal Process’ for at least two people for the next certificate update. 
    • The second person is just in case the first person is out of the office.
21. Switch back to the SIROOTCA01 server and shut down the server using the Windows - Shut Down option. 
    • The server is kept powered off for security reasons.
22. After the server OS has been shut down, use the Azure Portal to select the SIROOTCA01 server and select ‘Stop’ to deallocate the server, which will reduce the monthly cost in Azure. 
    • The status of the server should be shown as ‘Stopped (deallocated)’.

      
      
      

23. Log out of the two servers: 
    • ITWEB01 
    • SISUBCA01

The CRL update process is now complete.