Tuesday, December 3, 2013

Misleading certificate re-creation error

A customer of mine has to renew a VPN certificate signed by VeriSign because it is about to expire. The normal procedure would be to delete the existing one and to re-create it. The only issue with this is that it takes VeriSign a couple of days to process the request.

He decided to create a new certificate signed by the same CA and to add it alongside the existing one. Obviously, this does not work. The error is "certificate with the same DN already exists". The customer did not give up. He tried again and again with a different DN. The error was exactly the same.

In fact, it is the error message that is incorrect. According to SK61087, quoting:

module can have only one certificate signed by a particular CA. Thus, when the new certificate is issued, you will be asked whether to replace any existing certificate signed by the same CA.

In this particular scenario the certificate creation fails because another certificate from the same CA is already in place. The GUI error reports an issue which is completely different.

The only way is to delete the existing VeriSign certificate and to re-create it. If there are significant delays in the process, do not push policy to that FW until the renewal is fully done.
