Intermediate Certificate Renewal Process

Modified on: Mon, Jan 6 2025 1:09 PM

Overview

  • This guide walks you through the Intermediate Certificate Renewal process.
  • This process may also be referred to as the Certificate Renewal List (CRL).
  • This certificate cannot be viewed on DigiCert.com or any other portal since it is generated on the Swinerton network.
  • This process is tied to the notification that is sent by the License Renewal Reminders from Freshservice.
  • These steps can be performed during business hours without any service interruptions.


Important Notes

This process needs to be performed every 6 months.

Failure to update the certificate will result in authentication issues with any system that uses the private SI.ADS PKI/certificates.

All workstation client certificates will fail to authenticate if the CRL hasn’t been updated before the certificate expiration date.

Impacted systems include LDAP, Domain Controllers, and some internal websites.

To view the expiration date, check the properties on the ‘Swinerton Root CA’ certificate and look for the ‘Next update’ date.

The expiration time on the certificate is Universal Time, not Pacific Time.

If the certificate isn’t updated before the expiration time listed in Step 7, authentication failures will begin, and they will appear early when compared to the current Pacific time.


Services and Server Names Required

  • Azure Portal - Virtual Machines
  • CyberArk - Server Password  
  • Freshservice - Contracts
  • ITWEB01 server
  • SIROOTCA01 server
  • SISUBCA01 server


Intermediate Certificate Renewal Process

  1. Use the Azure Portal to power up the server SIROOTCA01 (10.60.4.37).
  2. The SIROOTCA01 server isn’t in the domain for security reasons, so a local admin account will need to be used to log onto the server.
    • The password is stored in CyberArk and can be found using the server's name.
  3. Log into SIROOTCA01 using the IP address (10.60.4.37) and the local administrator account from CyberArk.
  4. To check the current CRL expiry, launch certsrv:
    1. Click Start.
    2. Search for "Run".
    3. Click Run.
    4. Input certsrv.msc /e
    5. Click OK.
  5. Open the Certificate Revocation List and view the most recent entries.
  6. The next expiration will show under the “CRL Next Update” column.
  7. The next step will generate a new certificate.
    • Open a command prompt and run the following command:
      certutil -CRL

  8. Since the SIROOTCA01 server isn’t on the domain, it’s easier to browse to the two other servers to perform the upcoming steps. 
    • The next two steps will prompt you to enter your SI Admin account.
  9. Open File Explorer and browse to:

    \\itweb01.si.ads\crldata$
    • Map a network drive.

  10. Open another File Explorer and browse to:

    \\sisubca01.si.ads\c$
    • Map a network drive.

  11. The image below shows Steps 13 through 15.

    (Image: Command Prompt)

  12. Back up the existing certs on ITWEB01 by copying them into the Backup Certs folder.

    copy "\\itweb01.si.ads\crldata$\Swinerton Root CA*.crl" "\\itweb01.si.ads\crldata$\Backup Certs" /Y

  13. Copy the new certificate files that were generated to the ITWEB01 server using the following command:
    copy %windir%\system32\certsrv\certenroll\*.crl \\itweb01.si.ads\crldata$ /Y

  14. Back up the existing certs on SISUBCA01 by copying them into the Backup Certs folder.
    copy "\\sisubca01.si.ads\c$\Swinerton Root CA*.crl" "\\sisubca01.si.ads\c$\Backup Certs" /Y

  15. Copy the new certificate files that were generated to the SISUBCA01 server using the following command:
    copy %windir%\system32\certsrv\certenroll\*.crl \\sisubca01.si.ads\c$ /Y

  16. Log into SISUBCA01 using your admin account to publish the Root CRL to LDAP.
    • Open a command prompt and run the following commands:
      certutil -dspublish -f "c:\Swinerton Root CA.crl"

      certutil -dspublish -f "c:\Swinerton Root CA(1).crl"

  17. Verify that the certificate has been updated by viewing the new expiration date, as in Step 5 above.
  18. Update the Contract Renewal in Freshservice using the next certificate expiration date:
    https://support.swinerton.com/cmdb/contracts/113

  19. Subtract two days from the actual expiration date to allow more time before the next certificate expiration.
    • Example: May 5th should change to May 3rd on the Contract Expiration.
      Important Note: Remember to ‘Submit for Approval’ for the changes to take effect.
  20. Add a calendar reminder in Outlook for ‘Intermediate Certificate Renewal Process’ for at least two people for the next certificate update. 
    • The second person is just in case the first person is out of the office.
  21. Switch back to the SIROOTCA01 server and shut down the server using the Windows - Shut Down option. 
    • The server is kept powered off for security reasons.
  22. After the server OS has been shut down, use the Azure Portal to select the SIROOTCA01 server and select ‘Stop’ to deallocate the server, which will reduce the monthly cost in Azure. 
    • The status of the server should be shown as ‘Stopped (deallocated)’.


  23. Log out of the two servers: 
    • ITWEB01 
    • SISUBCA01


The CRL update process is now complete.
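
A check worth running on SIROOTCA01 after step 15 and before the shutdown in step 21: confirm that the CRL files on both shares are byte-identical to the ones generated by certutil -CRL. This PowerShell script is an added example, not part of the original procedure; it uses the paths from steps 13 and 15 and assumes the session still has the share access set up in steps 9 and 10.

```powershell
# Added example: verify the CRL copies made in steps 13 and 15.
# Paths are the ones used in this procedure; share access from steps 9-10 is assumed.
$source  = Join-Path $env:windir 'System32\certsrv\CertEnroll'
$targets = '\\itweb01.si.ads\crldata$', '\\sisubca01.si.ads\c$'

# The freshly generated CRLs on the root CA are the reference copies.
$crlFiles = @(Get-ChildItem -LiteralPath $source -Filter '*.crl')
if ($crlFiles.Count -eq 0) {
    Write-Warning "No .crl files found in $source. Was certutil -CRL run (step 7)?"
    return
}

$results = foreach ($crl in $crlFiles) {
    $expected = (Get-FileHash -LiteralPath $crl.FullName -Algorithm SHA256).Hash

    foreach ($target in $targets) {
        $copy = Join-Path $target $crl.Name

        if (-not (Test-Path -LiteralPath $copy)) {
            $status = 'MISSING'      # copy step was skipped or failed
        }
        elseif ((Get-FileHash -LiteralPath $copy -Algorithm SHA256).Hash -eq $expected) {
            $status = 'OK'           # share holds the newly generated CRL
        }
        else {
            $status = 'MISMATCH'     # share still holds an older or different CRL
        }

        [pscustomobject]@{
            File   = $crl.Name
            Target = $target
            Status = $status
        }
    }
}

$results | Format-Table -AutoSize

# Any non-OK row means a distribution point is still serving the old CRL.
if ($results | Where-Object Status -ne 'OK') {
    Write-Warning 'At least one CRL copy is missing or differs from the generated file. Repeat steps 13 and 15.'
}
```

Every row should read OK before SIROOTCA01 is shut down, since the reference files exist only on that server.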

