Venafi Onboarding
Jun 02, 2025
Scott Birl
Information Technology Services
Table of Contents
About This Documentation
  Document scope
Contact Information
  Support
  If you are a new account
  Status updates
Venafi Overview
  Regarding accounts
  User Roles
  Role Table
The Venafi website
  Create
  Dashboard
  Applications
  Inventory
    Certificate Requests (viewing existing requests)
    Certificates (including downloading)
      Assign to Application (or if certificate renewal is grayed out)
      Renew
      Validate Now
      Retire
      Tag
      Download (IIS versus Apache versus Java keystores)
    TLS Server Endpoints (what certificate is used where)
    Trusted CA Certificates
  Installations
    Kubernetes Clusters (not in use)
  Policies
    Approval Rules (for System Administrators only)
    Certificate Lifecycle (for System Administrators only)
    Issuing Templates
  Integrations (for System Administrators only)
    Certificate Authorities
    Notification Providers
  Configurations (for System Administrators only)
    Network Discovery
    Notification Center
    Tags
    VSatellites
  Settings
    Event Log (Auditing)
    Licensing
    Service Accounts
    Services (for System Administrators only)
    Single Sign-On (for System Administrators only)
    Teams
    Users
  Create
    Certificate Request (create a new request, not viewing existing requests)
  Account Settings
    Preferences (email notifications)
    Logout
Regarding our Certificate Authority
  GlobalSign
  Processing turnaround time
  Updating External Sources
  Chargeback Rates
Troubleshooting
  Troubleshooting emails
    Venafi as a Service Api Key Expiration
    Reminder: Your GlobalSign certificate expires
    I was not notified that my certificate was about to expire!
  Troubleshooting Certificate Requests
    Request Error: 404 when requesting a certificate
    Request Error: Parameter format check error
    Request Error: Request failed due to the following policy violations: Unauthorized Request
    Request Error: Request failed due to the following policy violations: Distinguished name components
    Request Error: Request failed due to the following policy violations: dNSName is invalid
    Request Error: Request failed due to the following policy violations: Only owners of this application can request a certificate
    Request Error: GlobalSign threw an Internal system error
    Request Error: Vendor's CSR is not accepted
  Troubleshooting Certificate Renewals
    Renewal Problem: The renew option "No, just renew it" is greyed out
  Troubleshooting Certificates Issued
    Issuing Problem: I cannot choose the Keystore option when downloading the certificate
    Issuing Problem: Help! I lost/forgot my private key!
    Issuing Problem: The vendor's private key does not match the certificate that was issued
    Issuing Problem: I cannot find my certificate in Venafi
    Issuing Problem: I need to add/remove additional hostnames to my certificate
    Issuing Problem: Unable to download certificate because: Error: Dispatch has not been set
Flowchart -- just a pretty visual.
About This Documentation
The latest version of this document can be found at https://sites.temple.edu/Venafi_onboarding.html and is updated periodically.
This document should be accessible by anyone.
Feel free to offer up suggestions, comments, etc. about this documentation if it's confusing, seems out of order, is missing troubleshooting information, or for any other reason.
Document scope
The scope of this document is to cover how to order and organize certificates in Venafi. The prerequisite is that you already know how your web application and/or web server works to generate the required Certificate Signing Request (CSR).
Questions regarding the processes leading up to placing an order (e.g.: generating the CSR) or how to install the certificate once it is available are outside the scope of this document.
Contact Information
PLEASE do NOT contact any one individual person on the Certificates Team, as this can hinder the response time if that individual is out of office.
The email address for the Certificates Team is certificates@temple.edu. Please follow up any email with a Remedy/Helix request. We also have a channel in Slack, #help-certificates, for a more immediate response during normal business hours.
Support
Assistance can still be provided even if you have vendor support for your web application or web server. If you have no support from a vendor, please do not hesitate to contact us and we'll do our best to assist.
If you are a new account
If you are new to Venafi and this is your first time logging in, please include what department you are with when you contact us, so that you can be assigned to the appropriate group within Venafi.
There are approximately 2000 certificates for the University; I doubt you want to see them all.
Status updates
There are three ways to obtain status updates about events happening in both Venafi and our Certificate Authority, GlobalSign: https://status.venafi.cloud/ and https://status.globalsign.com/. Notifications from these official websites should be replicated to #help-certificates in Slack and Microsoft Teams.
Venafi Overview
Venafi is a company that allows us to manage certificates from multiple Certificate Authorities in one location. Our portal to Venafi is located at https://temple.venafi.cloud/ and uses Single Sign-On (SSO) with your regular AccessNet account. Upon logging in for the very first time you'll see the following box from Microsoft Azure. Please accept the request. It is only asked once.
Regarding accounts
Currently, accounts cannot be deleted, at least not by anyone from the University. They can be disabled, and if they are, we will change the User Role back to Guest.
User Roles
These are the pre-defined roles that Venafi makes available to us:
Guest
All new users are given this role by default. Guests have limited access to specific content on the website: Dashboard, Inventory, Applications and Settings. Guests cannot request certificates; however, they can download certificates.
Resource Owner
A Resource Owner has a few more permissions than a Guest does, particularly the ability to request certificates. Most end-users will be assigned this Role.
Platform Administrator
This role is similar to the Resource Owner but applies to Venafi Kubernetes clusters, which we do not run.
PKI Administrator
Users in this role can perform many more tasks, including configuring Applications and Templates or updating Certificate Authorities. These users cannot manage other Users' Roles or disable accounts. This Role is restricted to select ITS personnel.
System Administrator
These users have all the privileges that Venafi grants to us, including the ability to manage our own Users and SSO settings. This Role is restricted to select ITS personnel.
Official documentation: https://docs.venafi.cloud/vaas/user-management/about-user-roles/
Role Table
This table does not distinguish between READ-ONLY versus WRITE access.

Tab             sub-Tab                   Guest  Resource Owner  Platform Administrator  PKI Administrator  System Administrator
Create          Certificate Request       No     Yes             Yes                     Yes                Yes
Dashboard       -                         Yes    Yes             Yes                     Yes                Yes
Applications    -                         Yes    Yes             Yes                     Yes                Yes
Inventory       Certificate Requests      No     Yes             Yes                     Yes                Yes
                Certificates              Yes    Yes             Yes                     Yes                Yes
                Certificates Next Gen     Yes    Yes             Yes                     Yes                Yes
                TLS Server Endpoints      Yes    Yes             Yes                     Yes                Yes
                Trusted CA Certificates   Yes    Yes             Yes                     Yes                Yes
Installations   Kubernetes Clusters       Yes    Yes             Yes                     Yes                Yes
Policies        Approval Rules            No     No              Yes                     Yes                Yes
                Certificate Lifecycle     No     No              No                      Yes                Yes
                Issuing Templates         Yes    Yes             Yes                     Yes                Yes
Integrations    Certificate Authorities   No     No              No                      Yes                Yes
                Notification Providers    Yes    Yes             Yes                     Yes                Yes
Configurations  Network Discovery         No     No              Yes                     Yes                Yes
                Tags                      No     No              Yes                     Yes                Yes
                vSatellites               No     No              No                      Yes                Yes
Settings        Event Log                 No     Yes             Yes                     Yes                Yes
                Licensing                 Yes    Yes             Yes                     Yes                Yes
                Service Accounts          Yes    Yes             Yes                     Yes                Yes
                Services                  No     No              No                      Yes                Yes
                Single Sign-On            No     No              No                      No                 Yes
                Teams                     Yes    Yes             Yes                     Yes                Yes
                Users                     Yes    Yes             Yes                     Yes                Yes
The Venafi website
The following sections are arranged according to the layout of the website.
Create
Certificate Request
You can submit a new Certificate Signing Request (CSR) for an Application that you are associated with.
Select the appropriate Application and Issuing Template (most users will only see one of each). Also, please feel free to make use of the tags as a mnemonic for areas to apply the certificate.
NOTE: If you find that there are no Applications to choose from, it could be that there are no Issuing Templates associated with your Application. Please notify the Certificates Team.
It is recommended that you choose "Venafi automated certificate request". This will be useful later when you or someone else needs to download the certificate along with the private key. If you want more control over your private key, choose the other option, "Generate CSR and private key myself".
Using your own Certificate Signing Request (CSR)
If you choose "Generate CSR and private key myself", you will be presented with these options:
The maximum validity that can be used is the default shown: 1 year.
Paste the contents of your CSR file into the box. If you do not know how to create a CSR, then it would be better to let Venafi do it for you.
If you want or need to have additional hostnames attached to the same certificate, choose "Yes, add DNS SANs to CSR" and then supply the additional hostnames in the following field.
Using the Venafi automated certificate request
Many of these fields are pre-populated for your convenience.
The maximum validity that can be used is the default shown: 1 year.
The required key algorithm can be anything your web server supports, but if you're uncertain, stick with one of the RSA keys. Note that GlobalSign does not support EC ED25519.
"Domain Name System SANs" is an optional field that can be used to add Subject Alternative Names (SANs) in addition to the Common Name (CN). One such example is if your Common Name is server.temple.edu but you also need server.tu.temple.edu.
The required Common Name (CN) is the name of the server that the certificate will be used for. If your website is server.temple.edu, then that is your Common Name. If you need additional server names added to your certificate, please use the SANs field directly above it.
Uncheck the box that reads "Copy Common Name to Domain Name Systems SAN". GlobalSign will not duplicate the CN into a SAN, and it is possible that GlobalSign will not process your certificate if it cannot remove the duplicate.
Once these fields have been filled in, click Submit Request. Your request has now been submitted to the Certificate Authority for processing and you should be redirected to the Certificate Requests page.
Also see Regarding our Certificate Authority about the time it takes to process and receive the certificate.
Dashboard
The dashboard is the landing page all users see upon successfully signing into the website. There are a lot of links on this page: the blue numbers, the bar graphs, and more. They all lead to the same destination, Inventory, where the only difference is what filters are applied based on what you click.
Click on the Share button to auto-download a PDF screenshot of this dashboard.
Applications
The term "Application" is an overloaded word and should not be confused with the application you run your website from. This section has been manually laid out to represent the Departments, Schools and Colleges that have certificates.
By clicking on an application name, you can find out what Issuing Templates are in effect. When you click on the number of certificates issued, you will see a filtered inventory list of those certificates. Finally, by clicking on "TLS Server Endpoints", you will have a more focused view of the certificates for that application.
NOTE: There should be no need to create your own Application. By default, any non-Guest can create an Application; however, we do not recommend creating your own Applications. Despite not being marked as a required field, an association with an Issuing Template is the only way to create an Application, and Issuing Templates can only be created by a System Administrator. Issuing Templates, like Applications, are specific to the Departments, Schools and Colleges.
Inventory
Everyone, regardless of User Role, can access this page and download certificates. However, not everyone will be able to perform some of the other functions listed below.
Certificate Requests
From this page you can view all certificates that you have requested or submit a new Certificate Signing Request. By clicking on a hostname, you can also download the certificate after clicking View Certificate.
NOTE: One thing that the Venafi website cannot do is add, remove or update Subject Alternative Names (SANs) on an existing certificate.
Certificates
This page is the place to find, assign, download, renew, retire, or tag any certificate that belongs to an Application that you are a member of. If you find a certificate that is not associated with an Application that you are a member of, then the other options will be greyed out.
A certificate that is not assigned to an Application (above) versus a certificate that is assigned to an Application that you are a member of (below).
Assign to Application
Assigning a certificate to an Application allows for better organization and for more self-service related options. Applications are discussed elsewhere in this document. Certificates not assigned to an Application cannot be renewed.
NOTE: If you are not in the Guest role and you find that your certificate has not been assigned to an Application, you can do the assignment yourself. To assign a certificate to an Application, simply click on the certificate and choose "Assign" from the Assign to Application drop-down.
If a certificate has already been assigned to an Application and you feel this is an error, please contact us to have the Certificates Team correct this.
Renew
Certificates that are assigned to an Application you are a member of can be renewed with this option. If this option is disabled (greyed out), then you must first assign the certificate to an Application.
NOTE: Renewing a certificate does require that an Issuing Template be associated with the Application, so if you find that you cannot satisfy the first requirement of selecting an Application, please contact us.
To renew a certificate, click on the certificate on the left side, and then choose Renew from the list of options.
If your certificate has SANs, please double-check the list of Subject Alternative Names prior to the renewal process. If you renew an older certificate that has the incorrect SANs, it will only cause problems down the road. We strongly recommend that older certificates be retired.
Please refer to Certificate Request for more information about how to proceed with renewing your certificate.
Validate Now
Clicking on the Validate Now button will check the validity of a certificate from a web browser's perspective. This is useful to see if the Certificate Authority's chain (e.g. the Root or Intermediate certificates) is complete or even trusted. The results of "Validate Now" can be found under "Inventory" -> "TLS Server Endpoints".
Some validation errors, such as "Chain not trusted" or "Incomplete chain", can be fixed by re-downloading the certificate along with its certificate chain (the Intermediate and Root certificates). See the Download section for more information.
Other errors may be false positives or temporary issues, e.g. "Unexpected certificate" or "No certificate presented". If you know your website is not working as expected, then you should investigate further; otherwise the error might be a fluke.
"Old certification version" messages are an indication that you should either renew or retire the certificate.
Official documentation: https://docs.venafi.cloud/vaas/c-validating-certificates/
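The script below is an added example and is not part of the Temple ITS documentation or of Venafi's tooling. It builds a constructed root -> intermediate -> server certificate chain in a scratch directory with openssl and then runs the three checks that correspond to the verdicts above: the server certificate presented on its own (incomplete chain), the server certificate with its intermediate while the root is trusted (OK), and the full chain with an unrelated root in the trust store (chain not trusted). The certificate names, file paths and one-day validity are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example, not from the Temple ITS document. Builds a constructed
# root -> intermediate -> server chain and shows what "Incomplete chain"
# and "Chain not trusted" mean when openssl verifies the server certificate.
WORK=$(mktemp -d)

# Minimal config: empty DN section (subjects come from -subj) plus the
# extension sets for CA certificates and for the end-entity certificate.
cat > "$WORK/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ee]
basicConstraints = CA:FALSE
subjectAltName = DNS:server.temple.edu
EOF

# Self-signed CA certificate: $1 = basename, $2 = Common Name
self_signed() {
    openssl req -x509 -config "$WORK/ext.cnf" -extensions ca -newkey rsa:2048 -nodes \
        -days 1 -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}
# Certificate issued by another: $1 = basename, $2 = CN, $3 = issuer basename,
# $4 = extension section (ca or ee)
issue() {
    openssl req -new -config "$WORK/ext.cnf" -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$3.pem" -CAkey "$WORK/$3.key" \
        -CAcreateserial -days 1 -extfile "$WORK/ext.cnf" -extensions "$4" \
        -out "$WORK/$1.pem" 2>/dev/null
}

self_signed root  "Constructed Root"
self_signed other "Unrelated Root"            # a root that is trusted by nobody here
issue intermediate "Constructed Intermediate" root ca
issue server       "server.temple.edu"        intermediate ee

# What a correctly configured server sends, in "PEM full chain (EE first)" order.
cat "$WORK/server.pem" "$WORK/intermediate.pem" > "$WORK/fullchain.pem"

# Server certificate alone with only the root trusted: the intermediate is
# missing, so no chain can be built ("Incomplete chain").
verify_incomplete() {
    openssl verify -CAfile "$WORK/root.pem" "$WORK/server.pem" >/dev/null 2>&1
}
# Full chain presented (extra certificates as untrusted input), root trusted: OK.
verify_complete() {
    openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/fullchain.pem" \
        "$WORK/server.pem" >/dev/null 2>&1
}
# Full chain presented, but the real root is not in the trust store
# ("Chain not trusted").
verify_untrusted_root() {
    openssl verify -CAfile "$WORK/other.pem" -untrusted "$WORK/fullchain.pem" \
        "$WORK/server.pem" >/dev/null 2>&1
}

verify_incomplete     || echo "server.pem alone: incomplete chain"
verify_complete       && echo "server.pem + intermediate, root trusted: OK"
verify_untrusted_root || echo "unrelated root in trust store: chain not trusted"
```

The same three outcomes are what a browser reports; re-downloading the "PEM full chain (EE first)" file and installing it in place of the lone server certificate is what turns the first case into the second.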
Retire
Retiring a certificate removes it from the Inventory. It does not invalidate the certificate in any way (e.g. affect websites). Certificates that are 35 days past their expiration date should auto-retire on their own.
It is important to retire certificates so that you do not mistakenly choose an older version to renew. For example, an older version of a certificate might still be valid but had changes made to its Subject Alternative Names.
Taking a certificate out of retirement
To remove a certificate from retirement, go back to the Dashboard. At the top of the screen is "Retired certificates". Click on the blue number. Find the certificate that you wish to pull out of retirement and click on the Recover button. You can keep the previous Application assignment or change it before clicking on Recover again. Once recovered, you can find the certificate under Inventory.
Tag
Updating tags allows for better organization, e.g. Azure, F5, HIPPA, etc. Use them how you see fit, but note that tags are public in our tenant; there are no private tags. Also, please type carefully, as tags can only be deleted, not renamed.
Download
NOTE: If you are not in the System Administrator Role or not a member of the Application the certificate is assigned to, then you'll only be able to download the certificate but not the private key.
To download, highlight the certificate you want and click the Download button. You'll be presented with two options: Certificate only or Keystore.
See also: Issuing Problem: I cannot choose the Keystore option when downloading the certificate.
Certificate only. Choose this option ONLY if you need the certificate and nothing more. This option is useful if:
You did not choose "Venafi automated certificate request" when creating the new certificate request.
You already have the Certificate Signing Request (CSR) and private key stored somewhere, or
A Vendor created the CSR for you.
NOTE: If you have lost your private key then you must request a new certificate!
There are three exporting formats for Certificate Only:
PEM (End entity only) -- this is just your certificate.
PEM full chain (EE first) -- this contains your certificate followed by the Intermediate and Root certificates in a single file.
PEM full chain (root first) -- the reverse order of the three certificates in a single file.
Keystore. This option is something of a misnomer, as it does not apply strictly to keystore-based web servers. There are three exporting options.
NOTE: All of the following exporting options require a passphrase to encrypt the private key. This passphrase will be used on the web server. If you lose or forget this passphrase, simply re-download the certificate and choose a new passphrase. There is no need to re-request a certificate.
PEM -- Possibly the best option to go with. Choosing this option will download a ZIP file containing SIX files:
Your certificate
Root and Intermediate certificate
Intermediate certificate
2 PEM-formatted files containing all 3 certificates, concatenated, but in different sequence: Root certificate first or Your certificate first.
Your encrypted private key
The Certificate Signing Request (CSR) is not downloadable through Venafi, nor would it be needed.
Users who work with standard Apache httpd, nginx, or the F5 load balancer will want this download option.
PKCS12 -- A binary .P12 file, also known as a PFX file. Select this download option if you are working with a Windows IIS server or Azure cloud.
JKS -- A binary file for use in Java KeyStore-based web servers. In addition to setting a passphrase for the private key, another passphrase is required for the keystore itself. Apache Tomcat requires this format.
TLS Server Endpoints
This page lists all the certificates Venafi is aware of, what IP address(es) and port(s) each certificate is attached to, what hostname(s) are using that certificate, how long ago that certificate was queried, and any possible problems associated with that certificate.
Trusted CA Certificates
If you want to check on the validity of any Certificate Authority or download that CA's Root certificate, you can do so from this page.
Policies
Issuing Templates
You can view the types of Templates that have been created by a System Administrator. Clicking on a Template's name will provide much more in-depth information about it, including which Certificate Authority is being used, the default (pre-populated) fields for the Certificate Signing Request, key algorithms to select from, and what email address notifications should go to.
Only a person with the System Administrator user role can create, delete, or update Issuing Templates.
Settings
Event Log
View or filter the events that have occurred for our Organization. Want to know who requested, assigned, retired, or tagged a certificate? You can check the logs here.
Licensing
A brief overview of the number of licenses consumed across the subscription term.
Service Accounts
No information available at this time.
Teams
A list of all teams in our tenant, created to organize our users. A team has ownership over an Application.
Users
A list of all the users who have access to this website, and what level of access they have.
Account Settings
Left-click on your name in the upper-right of the website.
Preferences
This is where your API key information resides. If you want to automate certificate renewals you'll need this key. Official documentation: https://developer.venafi.com/tlsprotectcloud
For users whose user role is not Guest, you can also set up email Reports, which give you a digest of what certificates are about to expire, or what problems have been encountered with a web server. Reports can be sent daily, once to several times a week, or disabled.
NOTE: It is highly recommended that you enable and configure the "Applications Certificate Expiration Digest" so that you know when your certificates are expiring. Then look for emails from notifications@venafi.cloud with the subject "Certificate Expiration Summary".
Sign out
Note that signing out does not actually sign you out of Venafi because of the active SSO connection with Microsoft Azure. To truly log out of Venafi you would have to completely close your browser.
Regarding our Certificate Authority
GlobalSign
Our primary Certificate Authority (CA) is GlobalSign, specifically "GlobalSign MSSL". Currently, our Venafi tenant is only set up to work with traditional certificates and not ACME certificates, but adding GlobalSign ACME automation is on the roadmap. We might be able to add other CAs into Venafi to streamline future requests.
Processing turnaround time
Once a request for a certificate has been made through Venafi, it takes about 5 minutes (on average) for GlobalSign to issue the certificate. You may (or may not) receive an email directly from GlobalSign when the certificate is ready, so just keep checking the Certificate Requests page for a status update.
NOTE: If you have not received your certificate within 15 minutes, please contact us so that we can investigate the delay.
Updating External Sources
In our environment there are two external sources, outside of the web server itself, where the certificate would need to be updated: Azure and the F5 load balancer. There's a good possibility that your certificate would need to be updated in one or both of these locations. If you require this sort of update, please open up a Remedy/Helix ticket.
If you chose a "Venafi automated certificate request" then you do not need to forward your certificate and private key; your certificate can be downloaded by the appropriate System Administrator.
Chargeback Rates
The cost of SSL certificates can be found at https://its.temple.edu/rates. As of July 1st, 2023, there is no charge for ordering GlobalSign certificates. Please check the website for official updates to these rates.
Troubleshooting
Troubleshooting emails
Problem: Venafi as a Service Api Key Expiration
Explanation: Every account comes with an API key to automate interfacing with Venafi. Most of us are not utilizing Venafi's API, so you can ignore this email.
Problem: You received an email from GlobalSign about your certificate expiring.
Reason: The problem stems from how these GlobalSign orders are placed now that Venafi is involved. In the past, all of the renewals were done directly through GlobalSign and they tracked the new certificate as a replacement for the expiring certificate, thereby suppressing the reminder emails. Now that tracking is lost, because Venafi always places new orders with GlobalSign and has no context of renewal orders.
Problem: I was not notified that my certificate was about to expire!
Possible cause: Check your account preferences. Under Reports is the "Applications Certificate Expiration Digest". Make sure it's enabled, an appropriate repeating schedule is picked, and finally, email address(es) are supplied.
Possible cause: If you cannot locate the email message, you would have to contact The Support Center (formerly the Help Desk) and request an email trace on your account.
Troubleshooting Certificate Requests
Request Error: 404 when requesting a certificate
You logged in and tried to create a new request but received a 404 error page.
Answer: Your account still has the role of Guest. Please contact us for additional assistance.
Request Error: Parameter format check error
Failed to request certificate from GLOBALSIGNMSSL certification authority. External service responded with client error: 'Parameter format check error. Please check that the parameters match the API specification. Please review the specific ErrorMessage returned in the XML response for parameter details and consult the XML Field definitions section of the applicable API document.'
Answer: Because most of the Certificate Signing Request fields are locked down, this error is most likely coming from the Subject Alternative Names field. Double-check that each hostname is its own separate entry, like so. If you are cutting and pasting entries in, make sure the hostnames are comma-separated first.
Request Error: Request failed due to the following policy violations: Unauthorized Request.
Request failed due to the following policy violations:
Unauthorized Request
Review this use-case’s security policy and change the non-conforming values so that they comply with your selected use-case’s policy and resubmit your request.
Answer: You submitted a request for a certificate that Venafi knows about, but that certificate has not been assigned to an Application. Open a new browser tab, find the certificate in Inventory and Assign it to an Application. Once completed, try re-submitting your request in the previous browser tab.
Request Error: Request failed due to the following policy violations: Distinguished name components / dNSName is invalid.
Request failed due to the following policy violations:
Distinguished name component O with value " " is invalid
Distinguished name component L with value "" is invalid
Distinguished name component ST with value "PA" is invalid
Distinguished name component OU must not be specified
SAN value " " of type dNSName is invalid
Review this use-case’s security policy and change the non-conforming values so that they comply with your selected use-case’s policy and resubmit your request.
Answer: The non-Venafi-created Certificate Signing Request you are submitting contains errors and must be fixed by generating a new CSR with the correct values.
The O field, the Organization Name, is the legal name of the organization, which is either "Temple University" or "Temple University-Of The Commonwealth System of Higher Education" (no spaces around the dash), which is how we have it registered with GlobalSign. It cannot be anything else, nor left blank.
The L field must be the full name of the City, Philadelphia, not its abbreviation, nor left blank.
The ST field must be the full name of the State, Pennsylvania, not its abbreviation, PA, nor left blank.
The OU field is deprecated (for security reasons) and must be empty. If your application cannot remove this field, please contact us for additional assistance.
All Subject Alternative Names (SANs) must be a fully qualified domain name (FQDN) ending in temple.edu.
As such, our Issuing Templates conform to these standards.
If working with a vendor, see below for a potential workaround to this problem.
GlobalSign's requirements for CSRs.
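The script below is an added example, not from the Temple ITS documentation or from Venafi or GlobalSign. It generates a CSR with openssl whose Distinguished Name follows the O, L, ST and OU rules listed above (which also covers the "Using your own Certificate Signing Request" section earlier), and it checks any CSR against those rules before submission, including the comma-separated SAN and duplicated-CN points raised in the Create section. C=US, the hostnames and the file names are assumptions, and openssl 1.1.1 or newer is needed for -addext.

```shell
#!/bin/sh
# Added example, not from the Temple ITS document. Generates a CSR whose
# Distinguished Name follows the O / L / ST / OU rules above, and checks a
# CSR against those rules before it is submitted. Needs openssl 1.1.1+.
# Assumptions: C=US (the page gives no C value); the CN is kept out of the
# SAN list, matching the "Copy Common Name to ... SAN" advice above.
WORK=$(mktemp -d)

# Conforming subject for a given Common Name (no OU at all).
temple_subject() {
    printf '/C=US/ST=Pennsylvania/L=Philadelphia/O=Temple University/CN=%s' "$1"
}

# Key + CSR: $1 = basename, $2 = subject, $3 = additional hostnames,
# comma-separated (stray whitespace from cut-and-paste is removed).
make_csr() {
    sans=$(printf '%s' "$3" | tr -d ' \t' | sed 's/^/DNS:/; s/,/,DNS:/g')
    if [ -n "$3" ]; then
        openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$2" \
            -addext "subjectAltName=$sans" \
            -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    else
        openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$2" \
            -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    fi
}

# Value of one DN attribute in a CSR (empty if absent).
dn_field() {            # $1 = csr, $2 = attribute: C, ST, L, O, OU or CN
    openssl req -in "$1" -noout -subject -nameopt RFC2253 \
        | sed 's/^subject=//' | tr ',' '\n' | sed -n "s/^$2=//p"
}

# DNS SANs requested in a CSR, one per line (empty if none).
csr_sans() {
    openssl req -in "$1" -noout -text \
        | sed -n '/Subject Alternative Name/{n;p;}' \
        | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# Print every rule the CSR breaks; return 1 if there were any.
check_csr_policy() {
    bad=0
    case "$(dn_field "$1" O)" in
        'Temple University'|'Temple University-Of The Commonwealth System of Higher Education') ;;
        *) echo "O must be the registered organization name"; bad=1 ;;
    esac
    [ "$(dn_field "$1" L)" = Philadelphia ]  || { echo "L must be Philadelphia"; bad=1; }
    [ "$(dn_field "$1" ST)" = Pennsylvania ] || { echo "ST must be Pennsylvania"; bad=1; }
    [ -z "$(dn_field "$1" OU)" ]             || { echo "OU must not be specified"; bad=1; }
    cn=$(dn_field "$1" CN)
    for san in $(csr_sans "$1"); do
        case "$san" in
            "$cn")        echo "SAN $san duplicates the CN"; bad=1 ;;
            *.temple.edu) ;;
            *)            echo "SAN $san is not an FQDN ending in temple.edu"; bad=1 ;;
        esac
    done
    return $bad
}

# Constructed inputs: one conforming CSR, one carrying the violations quoted above.
make_csr good "$(temple_subject server.temple.edu)" "server.tu.temple.edu, server2.temple.edu"
make_csr bad  "/C=US/ST=PA/L=Philadelphia/O=Temple University/OU=Web/CN=server.temple.edu" "www.example.org"

check_csr_policy "$WORK/good.csr" && echo "good.csr conforms"
check_csr_policy "$WORK/bad.csr"  || echo "bad.csr would be rejected"
```

Run against the vendor's CSR (check_csr_policy vendor.csr) before pasting it into Venafi; each line it prints corresponds to one of the policy violations quoted above, which is cheaper than a round trip to the CA.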
Request Error: Request failed due to the following policy violations: Only owners of this application can request a certificate.
Request failed due to the following policy violations:
Only owners of this application can request a certifcate
Review this use-case’s security policy and change the non-conforming values so that they comply with your selected use-case’s policy and resubmit your request.
Answer: Applications are owned by Teams (using the same, if not similar, naming convention). If your account is not a part of that Team, you cannot use that Application. Your options are:
Choose a different Application to submit your request through, OR
Be associated with more than one Team. Please contact us for assistance if you want this option.
Request Error: GlobalSign threw an Internal system error
Failed to request certificate from GLOBALSIGNMSSL certification authority. External service responded with client error: 'Internal system error. Please reexecute what you were doing. If error persists, please contact GlobalSign Support' Error: 11265
Answer: This could be a problem with the Key Algorithm chosen. Venafi attempted to submit the request with an algorithm that GlobalSign does not support.
Troubleshooting Certificate Renewals
Renewal Problem: The renew option "No, just renew it" is greyed out.
Possible reason: There was a change to the Issuing Template since the certificate was issued, so a new certificate request must be created.
Troubleshooting Certificates Issued
Issuing Problem: I cannot choose the Keystore option when downloading the certificate.
Reason: The primary reason why this option would not be selectable is that Venafi did not generate the Certificate Signing Request (which the private key is tied to) for this certificate. This means that someone previously created the CSR and key and Venafi knows nothing about this data. Where is this CSR and key? Probably on the server that needs the certificate, but we do not know.
The secondary reason why this option would not be selectable: you are not a part of the Team that owns the certificate. Certificates are assigned to an Application, which in turn is owned by a Team (with a similar naming convention). Check your account under Users to see what Team you are a part of.
Feel free to contact us for assistance.
Issuing Problem: Help! I lost/forgot my private key!
You lost the passphrase to the private key and/or lost the key itself.
Potential solutions:
If the certificate was generated through Venafi: Simply re-download the certificate and specify a new passphrase for the private key. It may not be necessary to replace the certificate in all locations if it was lost in only one location. A valid certificate that's in use on a web server is still valid until it expires.
If the certificate was not generated through Venafi: Depending on the type of certificate, PEM vs. PFX, it might be possible to re-export the private key. For example:
A PFX certificate imported in Windows/IIS should be able to be exported. The private key is embedded in the PFX.
Standard Apache httpd usually has the private key in a separate file, and the passphrase is entered at service startup.
If you have the certificate in multiple formats (PEM, PFX, etc.), it might be possible to extract the private key using the openssl command (a standard installation on all Linux machines).
At worst ... A lost private key means the certificate cannot be used, and you'll have to request a brand new certificate. If chargebacks are in effect, an additional cost could be incurred.
Request Error: The vendor's Certificate Signing Request is not accepted.
Reason: Venafi keeps rejecting the vendor's Certificate Signing Request because of a policy violation. Have Venafi create the CSR so that the request conforms to our standards and gets you the certificate you need, then continue with the additional steps below to solve this issue.
Issuing Problem: The vendor’s private key does not match the certificate that was issued.
Reason:
When the certificate was requested, someone opted to use a different CSR (or a Venafi-generated certificate request) instead of the Vendor-supplied CSR.
Make a note in your own documentation or use the tag "Use external CSR not a Venafi-generated CSR" to remind yourself and anyone else for future reference which type of CSR to use.
To solve this issue
Download the certificate using the "Keystore" option, followed by the "PEM" option. The correct private key will be inside of the ZIP file.
Securely send that ZIP file, plus the passphrase you entered (inside of a TXT file), to the vendor (possibly via TUSafesend) and they should be good to use the certificate.
Please contact us if you need additional assistance, including if you need the Certificate Signing Request that Venafi generated.
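Both the lost-key problem above and the vendor key-mismatch problem come down to one question: does this private key belong to this certificate? The following shell script is an added example, not part of this documentation and not Venafi's or ITS's code, showing how to answer that with the openssl command and how to pull the key back out of a PFX bundle; it assumes only that the openssl CLI is installed, and it constructs its own throwaway key, certificate and PFX (no real hostnames or university material).

```shell
#!/bin/sh
# Added example (not Venafi's or ITS's code): checks whether a private key
# belongs to a certificate and extracts a key from a PFX bundle with openssl.
# Assumes the openssl CLI is installed; all sample material is constructed here.

# Exit 0 when the public key inside the certificate ($1) equals the public key
# derived from the private key ($2); exit 1 on mismatch, 2 on unreadable input.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Writes the private key from a PFX/PKCS#12 bundle ($1, password $2) to an
# unencrypted PEM file ($3). Treat that file with the same care as the PFX.
pfx_extract_key() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes -out "$3" 2>/dev/null
}

# Constructed sample: a throwaway RSA key, a self-signed certificate for it,
# an unrelated second key, and a PFX bundle holding the right key (password "demo").
make_sample() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/right.key" \
        -out "$1/cert.pem" -days 1 -subj "/CN=sample.invalid" 2>/dev/null
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/wrong.key" 2>/dev/null
    openssl pkcs12 -export -in "$1/cert.pem" -inkey "$1/right.key" \
        -out "$1/bundle.pfx" -passout pass:demo 2>/dev/null
}

# Stand-alone demo: report which key fits the certificate.
demo() {
    dir=$(mktemp -d)
    make_sample "$dir"
    pfx_extract_key "$dir/bundle.pfx" demo "$dir/from_pfx.key"
    for k in right.key wrong.key from_pfx.key; do
        if key_matches_cert "$dir/cert.pem" "$dir/$k"; then
            echo "$k: matches cert.pem"
        else
            echo "$k: does NOT match cert.pem"
        fi
    done
    rm -rf "$dir"
}
demo
```

Run key_matches_cert against the vendor's key and the issued certificate: a mismatch confirms the wrong CSR was used, and the key from the Keystore/PEM download is the one that will match.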
Issuing Problem: I cannot find my certificate in Venafi.
Reason:
There could be a few reasons why you cannot find your certificate in Venafi:
Make sure you change the drop-down default of "My certificates" to "All certificates".
Is the FQDN/hostname actually an alias (or Subject Alternative Name) of another certificate? Venafi does index SANs for searching, but perhaps the hostname is not quite right (missing "tu" or a need to add it).
Our on-campus Venafi collectors might not be able to query your website, and therefore cannot index your certificate.
The best we can do is to search for your certificate through GlobalSign's website and attempt to locate it ourselves in Venafi. Please contact us for assistance.
Issuing Problem: I need to add/remove additional hostnames to my certificate.
Reason:
Venafi has no method on their website to add or remove Subject Alternative Names on an existing certificate. However, it is possible for a GlobalSign Administrator to make this sort of change.
The people within ITS who are GlobalSign Administrators are not necessarily the same as the Venafi Administrators.
If this needs to be performed, please use the Contact Information above. If you want to consolidate multiple hostnames into one certificate, feel free to reach out to us to discuss it.
Issuing Problem: Unable to download certifcate because: Error: Dispatch has not been set.
The full error message is:
Problem: Unable to download certifcate because: Error: Dispatch has not been set. Check the state initalization to make sure that it is being set correctly.. Please try another download option
Reason:
We don't have a good reason at this point as it's seemingly a rare event. The issue was first discovered in October 2024 and brought up to Venafi personnel, but the only information they could give is that it's a Venafi developer error and not something that an end-user is supposed to see.
If you encounter this error please contact us and provide the following information so that we can send it back to Venafi:
The name of the certificate.
The browser you are using, including version number.
What extensions are installed on this browser?
Did you experience the same error in incognito mode?
Have you tried another browser, and were you successful in downloading the cert or did it fail?
Finally, is there anyone else who could download the certificate successfully? (Maybe it's an account problem, not a browser problem.)
Flowchart
Represents the whole Venafi process. Using User 1 (green circle) as the example, observe the following:
User is a Resource Owner.
Is a member of two Teams: CST and CST/CIS (green hexagon).
Can request a certificate for either Team they are a member of, in this example for CST/CIS.
Teams are given ownership over one (or more) Applications. Usually it's a 1-to-1 ratio.
The Certificate Signing Request is based on the Application chosen.
The Application references an Issuing Template. Again, usually a 1-to-1 ratio.
The Issuing Template pre-populates and locks in some of the fields required for the CSR.
The CSR is then submitted to the Certificate Authority, defined by the Issuing Template, for processing.
I want to make this image even larger, but for now, right-click to see the image full size.
image source