If you changed the settings of a certificate that you want to renew, you need to generate a new Certificate Signing Request (CSR) that contains the new settings. If you are already familiar and comfortable with generating CSRs, then generate a new one and paste it into the Certificate Signing Request box that you'll see during the renewal process.
If you're new to generating CSRs, we can walk you through it.
There are three easy steps:
The Venafi VCert utility and library is hosted on Venafi's Github page here.
Run the executable file from the command line:
- Accept the End User License Agreement to continue.
Enter the certificate's CSR requirements on the command line.
Example This Windows example uses the CSR requirements as shown in the screenshot above: vcert_win_x64 gencsr -cn "www.MyCompany.com" -o "My Company" -key-type rsa -key-size 2048 -ou "Mein Company" -l "Oakland" -st "California" -c USCSR options
Use to specify the organization name (O).
Use to specify the organizational unit. (OU).
Use to specify the country (C).
Use to specify the state/province. (ST).
Use to specify the locality (L).
Use to indicate that the utility will not prompt you for input. This is useful for scripting.
IMPORTANT If this option is specified, vCert will not prompt you for a private key passphrase and your private key will not be encrypted.
Use to specify one of more email Subject Alternative Name.
Example: -san-email email@example.com
Use to specify one or more IP Address Subject Alternative Name.
Example: -san-ip 188.8.131.52
Use to increase the level of logging detail, which is helpful when troubleshooting issues.
Use to specify the key size. vCert can generate 1024, 2048, or 4096-bit RSA keys.
Example: -key-size 2048
Use to specify the key type.
Example: -key-type rsa
Use to specify a password for encrypting the private key. For a non-encrypted private key, specify -no-prompt without specifying this option. You can specify the password using one of three methods: at the command line, when prompted, or by using a password file.
Example: -key-password file:/Temp/mypasswords.txt
Use to specify a file name and a locaiton where the resulting key file should be written. Example: /tmp/newkey.pem
Use to specify a file name and a location where the resulting CSR file should be written. Example: /tmp/newcsr.pem
Use to show help text.
When asked to enter a key pass phrase, enter something that you'll remember. The pass phrase will be used to encrypt the private key.
The result will look something like this:
Copy everything starting with – - - - -Begin Certificate Request– - - - - through – - - - -End Certificate Request– - - - -.
Paste it in the Certificate Signing Request field.
- Click Next.