
How to replace a Managed PKI for SSL certificate

Solution

Managed PKI for SSL customers can replace certificates issued from their accounts at any time.
 
 
The certificate can be replaced by either the person who applied for the certificate (applicant) or by an MPKI account administrator. To replace a Managed PKI SSL certificate, follow one of the suggested methods:

 


 


Certificate Replacement by Managed PKI for SSL Administrator

NOTE: If there are any changes to the Distinguished Name, you will not be able to replace the certificate using these instructions. You will need to revoke the certificate and enroll for a new one.

  1. Go to the Managed PKI for SSL Control Center:
  2. If prompted, select the Administrator ID and access the Managed PKI for SSL Control Center.
  3. Under Certificate Management, select Search Certificates in the left navigation column.
  4. Enter the certificate's common name, change the Start Date Range based on the issued date, and then click Search.
  5. Under the Action column, click Replace.
  6. Select a reason for replacing the certificate.
    NOTE: Once you submit the replacement, the original certificate will be deactivated. You cannot undo this action.
  7. Complete the entire replacement form with the following information:
  • Your contact information (this can be different than the original contact information).
  • Server platform (you can select a different value from the original certificate).
  • New Certificate Signing Request (CSR).
    • The CSR must contain the exact Common Name & organizational details as the original or it will not be accepted. For more information on generating a CSR, please click here for documentation.
    • Subject Alternative Names (SAN) may be updated.
  • The validity period of the certificate cannot be changed. Replacement certificates will have the same expiration date as the original certificate.                                
  • A new challenge phrase (this can be the same as the original).
  8. Click Accept.
  9. The person who enrolled for the certificate will receive an approval email containing the replacement certificate.
    NOTE: A certificate can be replaced free of charge as long as the certificate is valid. The replacement certificate will inherit the expiration date from the original certificate. Replaced certificates will show as deactivated within the Managed PKI for SSL Control Center.

 

 Certificate Replacement by Applicant or Subscriber

NOTE: If there are any changes to the Distinguished Name, you will not be able to replace the certificate using these instructions. You will need to revoke the certificate and enroll for a new certificate.

  1. Obtain the Certificate Enrollment for Subscribers URL from your Managed PKI for SSL account administrator.
  2. On the Managed PKI for SSL Certificate Enrollment for Subscribers page, click Replace.
  3. Enter the email address of the subscriber who enrolled for the certificate or the certificate's common name, and then click Search.
  4. Click the name of the certificate to be replaced.
  5. Verify the certificate details, and then click Replace.
  6. There will be a reminder that in order to replace a certificate, the Distinguished Name must remain the same. Click Continue.
  7. In the Challenge Phrase box, type the challenge phrase that was specified during enrollment and then click Continue. If you do not remember the challenge phrase, have the Managed PKI for SSL administrator reset the challenge phrase.
  8. Select a reason for replacing the certificate, and then click Continue.
    NOTE: After this step, the certificate will be deactivated. You cannot undo this action.
  9. On the next screen you will need to provide the following information:
  • Your contact information (this can be different than the original contact information).
  • Server platform (you can select a different value from the original certificate).
  • New Certificate Signing Request (CSR).
    • The CSR must contain the exact Common Name & organizational details as the original or it will not be accepted. For more information on generating a CSR, please click here for documentation.
    • Subject Alternative Names (SAN) may be updated.
  • The validity period of the certificate cannot be changed. Replacement certificates will have the same expiration date as the original certificate.                                
  • New challenge phrase (this can be the same as the original).
  10. Click Accept.
  11. The Managed PKI for SSL administrator will need to approve the request.
  12. Once the administrator approves the request, you will receive an approval email containing the replacement certificate.
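
Both procedures above reject a CSR whose Common Name or organizational details differ from the original certificate. The following pre-flight check is an added example, not part of the original article or the vendor's tooling; it assumes the `openssl` command-line tool is installed, and the file names and the `example.test` subject are constructed sample values.

```shell
#!/bin/sh
# Added example: confirm a replacement CSR has the same subject DN as the
# certificate being replaced, before submitting the replacement form.

# Print the subject DN of a PEM certificate in RFC 2253 form.
cert_subject() {
    local s
    s=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253) || return 1
    s=${s#subject=}; printf '%s\n' "${s# }"
}

# Print the subject DN of a PEM CSR in the same form.
csr_subject() {
    local s
    s=$(openssl req -in "$1" -noout -subject -nameopt RFC2253) || return 1
    s=${s#subject=}; printf '%s\n' "${s# }"
}

# Succeed only if both files parse and the DNs are identical strings.
dn_matches() {
    local old new
    old=$(cert_subject "$1") || return 2
    new=$(csr_subject "$2") || return 2
    [ -n "$old" ] && [ "$old" = "$new" ]
}

# Constructed sample data: a stand-in "original" certificate, a CSR with the
# same DN on a fresh key, and a CSR whose organization name was altered.
make_samples() {
    local d="$1"
    local dn='/C=US/O=Example Corp/CN=www.example.test'
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$dn" \
        -keyout "$d/old.key" -out "$d/old.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "$dn" \
        -keyout "$d/new.key" -out "$d/same.csr" 2>/dev/null
    openssl req -new -key "$d/new.key" -out "$d/changed.csr" \
        -subj '/C=US/O=Example Corporation/CN=www.example.test' 2>/dev/null
}

tmp=$(mktemp -d)
make_samples "$tmp"
for csr in same.csr changed.csr; do
    if dn_matches "$tmp/old.crt" "$tmp/$csr"; then
        echo "$csr: DN matches the original, usable for replacement"
    else
        echo "$csr: DN differs, revoke and enroll for a new certificate"
    fi
done
rm -rf "$tmp"
```

The comparison is on the displayed DN string, so it catches changed or missing attributes; Subject Alternative Names are not compared because they may be updated on replacement.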

 

IMPORTANT NOTE: Replacing an SSL certificate does not add the certificate to the Certificate Revocation List (CRL) or immediately flag the certificate as revoked through the Online Certificate Status Protocol (OCSP) responder. To revoke an SSL certificate immediately, please click here for documentation.