Intermediate Certificate Renewal Process
Certificate Information
Overview
- The following steps guide you through renewing the Root CA certificate revocation list, the task this page calls the Intermediate Certificate Renewal.
- This process is also referred to as the CRL update. CRL stands for Certificate Revocation List (not "certificate renewal list"): it is the signed list of revoked certificates that clients check before trusting a certificate issued by the CA.
- The CRL cannot be viewed on DigiCert.com or any other external portal, because it is generated by the Swinerton Root CA on the Swinerton network.
- This process is triggered by the License Renewal Reminders notification sent by Freshservice.
- These steps can be performed during business hours without any service interruption.
Important Notes
This process needs to be performed every 6 months.
Failure to update the CRL will cause authentication failures on every system that relies on the private SI.ADS PKI certificates.
All workstation client certificates will fail to authenticate if the CRL has not been refreshed before its Next Update time (the CRL expiration date), because clients can no longer complete revocation checking.
Impacted systems include LDAP, Domain Controllers, and some internal websites.
To view the expiration date, open the properties of the 'Swinerton Root CA' CRL and look for the 'Next update' field.
The Next Update time in the CRL is Universal Time (UTC), not Pacific Time.
If the CRL is not updated before the Next Update time shown in certsrv (see the expiry check below), authentication failures will start earlier than that time suggests when it is read as Pacific time, since UTC is 7 or 8 hours ahead of Pacific depending on daylight saving time.
Services and Server Names Required
- Azure Portal - Virtual Machines
- CyberArk - Server Password
- Freshservice - Contracts
- ITWEB01 server
- SIROOTCA01 server
- SISUBCA01 server
Intermediate Certificate Renewal Process
- Use the Azure Portal to power up the server SIROOTCA01 (10.60.4.37).
- A Change Control entry is required for this CRL update.
- The SIROOTCA01 server is not joined to the domain for security reasons (it is the offline root), so a local administrator account must be used to log on to it.
- The password is stored in CyberArk and can be found by searching for the server's name.
- Log in to SIROOTCA01 using the IP address (10.60.4.37) and the local administrator account from CyberArk.
- To check the current CRL expiry, launch certsrv:
- Click Start
- Search for "Run"
- Click Run
- Input certsrv.msc /e
- Click OK
- Open the Certificate Revocation List view and look at the most recent entries.
- The next expiration is shown in the "CRL Next Update" column. Note it down; it is the deadline referred to in the Important Notes above.
- The next step generates and publishes a new CRL (it does not issue a new certificate; the Root CA certificate itself is unchanged).
- Open an administrative command prompt and run the following command:
certutil -CRL
- Since SIROOTCA01 is not on the domain, it is easiest to browse from it to the two other servers to perform the upcoming steps.
- The next two steps will prompt you for your SI Admin account credentials.
- Open File Explorer and browse to:
\\itweb01.si.ads\crldata$
- Open another File Explorer window and browse to:
- The image below shows Steps 13 through 15 (the backup and copy steps that follow).
- Back up the existing CRL files on ITWEB01 by copying them into the Backup Certs folder:
copy "\\itweb01.si.ads\crldata$\Swinerton Root CA*.crl" "\\itweb01.si.ads\crldata$\Backup Certs" /Y
- Copy the newly generated CRL files to the ITWEB01 server using the following command:
copy %windir%\system32\certsrv\certenroll\*.crl \\itweb01.si.ads\crldata$ /Y
- Back up the existing CRL files on SISUBCA01 by copying them into the Backup Certs folder:
copy "\\sisubca01.si.ads\c$\Swinerton Root CA*.crl" "\\sisubca01.si.ads\c$\Backup Certs" /Y
- Copy the newly generated CRL files to the SISUBCA01 server using the following command:
copy %windir%\system32\certsrv\certenroll\*.crl \\sisubca01.si.ads\c$ /Y
- Log in to SISUBCA01 using your admin account and publish the Root CRL to LDAP.
- Verify that the CRL has been updated by repeating the certsrv expiry check above and confirming that the CRL Next Update date has moved forward by six months.
- Update the Contract Renewal in Freshservice using the new CRL Next Update date:
https://support.swinerton.com/cmdb/contracts/113
- Enter a date two days before the actual expiration date so the reminder arrives with time to spare before the CRL expires.
- Example: if the CRL expires May 5th, set the Contract Expiration to May 3rd.
Important Note: Remember to ‘Submit for Approval’ for the changes to take effect.
- Add a calendar reminder in Outlook for ‘Intermediate Certificate Renewal Process’ for at least two people for the next certificate update.
- The second person is just in case the first person is out of the office.
- Switch back to the SIROOTCA01 server and shut down the server using the Windows - Shut Down option.
- The server is kept powered off for security reasons.
- After the server OS has been shut down, use the Azure Portal to select the SIROOTCA01 server and select ‘Stop’ to deallocate the server, which will reduce the monthly cost in Azure.
- The status of the server should be shown as ‘Stopped (deallocated)’.
- Log out of the two servers (ITWEB01 and SISUBCA01).
The CRL update process is now complete.
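The checks this page describes by hand (the CRL Next Update time, the UTC-versus-Pacific caveat, whether the copies on ITWEB01 and SISUBCA01 really match the new file, and the two-days-early Freshservice date) can be done in one pass from SIROOTCA01. The script below is an added example written for this page, not the page's own tooling or anything from Swinerton's environment. It assumes the CRL file is named "Swinerton Root CA.crl" in CertEnroll, that the SISUBCA01 copy lives in the C$ share used by the copy commands above, and that certutil -dump prints ThisUpdate/NextUpdate in the local time of the machine it runs on; none of those three points is stated on the page.

```powershell
# Added example (not from the original runbook): verify the Root CA CRL after "certutil -CRL".
# Run in an administrative PowerShell on SIROOTCA01; the UNC paths prompt for the SI Admin
# account, just as the copy steps do. Assumed names/paths are marked below.

$NewCrl = Join-Path $env:windir 'System32\certsrv\CertEnroll\Swinerton Root CA.crl'  # assumed file name
$PublishedCopies = @(
    '\\itweb01.si.ads\crldata$\Swinerton Root CA.crl',   # assumed file name on the web CDP share
    '\\sisubca01.si.ads\c$\Swinerton Root CA.crl'        # assumed destination on the sub CA
)
$Pacific = [System.TimeZoneInfo]::FindSystemTimeZoneById('Pacific Standard Time')

# Read ThisUpdate / NextUpdate from a CRL with "certutil -dump". The timestamps are taken to
# be in the local time of this machine (assumption), so they are converted to UTC before use.
function Get-CrlValidity {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { throw "CRL not found: $Path" }
    $dump = & certutil.exe -dump $Path 2>&1
    $result = @{}
    foreach ($line in $dump) {
        if ("$line" -match '^\s*(ThisUpdate|NextUpdate):\s*(.+?)\s*$') {
            $local = [datetime]::SpecifyKind([datetime]::Parse($Matches[2]), 'Local')
            $result[$Matches[1]] = $local.ToUniversalTime()
        }
    }
    if (-not $result.ContainsKey('NextUpdate')) { throw "No NextUpdate found in $Path; is it a CRL?" }
    return $result
}

# Compare each published copy with the freshly generated CRL by SHA-256 and return the
# copies that are missing or stale.
function Test-PublishedCrl {
    param([Parameter(Mandatory)][string]$Source, [Parameter(Mandatory)][string[]]$Copies)
    $expected = (Get-FileHash -LiteralPath $Source -Algorithm SHA256).Hash
    $stale = @()
    foreach ($copy in $Copies) {
        if (-not (Test-Path -LiteralPath $copy)) { $stale += "$copy (missing)"; continue }
        $actual = (Get-FileHash -LiteralPath $copy -Algorithm SHA256).Hash
        if ($actual -ne $expected) { $stale += "$copy (hash differs from the new CRL)" }
    }
    return ,$stale
}

$validity = Get-CrlValidity -Path $NewCrl
$nowUtc   = [datetime]::UtcNow

# 1. Was a new CRL actually generated? ThisUpdate should be within the last day.
if ($validity.ContainsKey('ThisUpdate') -and ($nowUtc - $validity.ThisUpdate).TotalDays -gt 1) {
    Write-Warning "ThisUpdate is $($validity.ThisUpdate.ToString('u')) UTC; certutil -CRL may not have run."
}

# 2. Report the deadline in both UTC and Pacific, since the stored time is UTC.
$nextPacific = [System.TimeZoneInfo]::ConvertTimeFromUtc($validity.NextUpdate, $Pacific)
$daysLeft    = ($validity.NextUpdate - $nowUtc).TotalDays
'CRL Next Update: {0:u} UTC = {1:yyyy-MM-dd HH:mm} Pacific ({2:N1} days from now)' -f `
    $validity.NextUpdate, $nextPacific, $daysLeft
if ($daysLeft -lt 14) { Write-Warning 'Less than two weeks of CRL validity remaining.' }

# 3. Confirm the copies on ITWEB01 and SISUBCA01 are byte-identical to the new file.
$stale = @(Test-PublishedCrl -Source $NewCrl -Copies $PublishedCopies)
if ($stale.Count -eq 0) { 'All published copies match the new CRL.' }
else { $stale | ForEach-Object { Write-Warning "Not updated: $_" } }

# 4. Date to enter in the Freshservice contract: two days before the Pacific deadline.
'Freshservice contract expiration to enter: {0:yyyy-MM-dd}' -f $nextPacific.Date.AddDays(-2)

# The page gives no command for the "publish the Root CRL to LDAP" step on SISUBCA01. The
# standard certutil verb for pushing a CRL into Active Directory is
#   certutil -dspublish -f "<path to Swinerton Root CA.crl>"
# run on a domain-joined machine with rights to the CDP container; it is left as a comment
# here because the page does not confirm it is the command used in this environment.
```

Run it twice: once immediately after certutil -CRL on SIROOTCA01 (step 1 confirms the file really changed, step 3 will report both copies stale until the copy commands have been run) and once after the copies, when step 3 should report a match. The hash comparison catches the easy mistake of copying into the Backup Certs folder but not the share root, which the file-date view in Explorer does not make obvious.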