Reenrolling Certificates

Certificate re-enrollment is the process of renewing or replacing an existing digital certificate that is about to expire or needs to be updated, while maintaining the same identity or key usage.

Certificate re-enrollment is often done to:

  • Extend its validity period, or
  • Update certificate details (such as CSR parameters), or
  • Replace a compromised or soon-to-expire key/certificate.
You can now initiate certificate re-enrollment requests through the Policy Engine so that the entire re-enrollment process follows policy-driven rules, approvals, and checks configured by administrators.

Prerequisites for Certificate Re-enrollment

  • Ensure the CA account is configured in AppViewX.
  • A default re-enrollment policy must exist with the existing CA template.
  • The user must have ACF permissions to Re-Enroll (Certificate > Server/Client/Code signing certificate actions) and Policy Engine.
  • The user must have RW permission to the group that is mapped to the respective policy.

Re-enrolling a Certificate

  1. Go to (Menu) icon > Policy Engine > POLICY MANAGEMENT > Policies.
    The Policy Inventory page is displayed.
  2. On the Policy Inventory page, click + Create Policy.
    The Create Policy popup window is displayed.
  3. Select Managed Certificate Policy from the Policy Type dropdown.
  4. Enter the following details to configure the policy.
    Field Description
    *Policy Name Enter a policy name. It can be alphanumeric and can contain underscore (_), dash (-), or space.
    Description Enter description of the policy.
    *Select a Tag Select an existing tag from the dropdown or create a new one.
    Note: Selecting an appropriate tag allows you to group policies logically, simplifying organization and management based on specific criteria.
    *Fields marked with red asterisk (*) symbol are mandatory.
  5. Click Configure Policy.
    Once the policy is created successfully, a confirmation message will appear, and you will be directed to the Action page.
  6. Select Re-Enroll Certificate option.
  7. Enter an action name in the Display Name for Action text box. The action name can be alphanumeric and can contain underscore (_), dash (-), or space.
  8. Click Next.
    The Issuance Template page is displayed. This page displays the Re-Enrollment Master Template (default) appearing on the right panel of the page. You can use this template or create a new one by clicking Template Name.
    Note:

    The Re-Enrollment Master Template is system-generated with pre-defined configurations, limited only to Certificate Parameters. It is not specific to CAs.

  9. Enter the fields in the Certificate Parameters section.
    Note:
    • Default settings for re-enrollment are:
      • Certificate Validity: 200 days
      • Key Type: RSA
      • Key Size: 2048
      • Key/CSR Generation Location: AppViewX
      • Inherited fields from existing certificate being re-enrolled:
        • Issuing CA vendor, account, and Division (for DigiCert)
        • Certificate type (server, client, etc.)
        • Subject DN and SAN values
      • All certificates configured for re-enrollment post upgrade are automatically mapped to this Default Re-Enrollment Policy.
    • When selecting multiple values for certain fields, you can set one value as the default by clicking the Set as Default button against the value. The default value is indicated with a star against it.
  10. Click Next to go to the Approval page.
  11. Turn on the Auto Approve toggle button to skip approval. To add new approval level, click the Add New Approval Level link.
  12. Click Next to go to the Pre-Issuance Tasks page.
  13. [Optional] Define additional tasks that run before the main action starts by clicking any of the tasks appearing on the right panel, or simply click Next to go to the Certificate Enrollment page.
  14. Click Next to go to the Post Issuance Settings page.
  15. [Optional] Define additional tasks that run after the main action completes by clicking any of the tasks appearing on the right panel, or simply click Next to go to the Event Notifications page.
    The Event Notifications page displays Certificate Re-enrollment Started, Certificate Re-enrollment Success, and Certificate Re-enrollment Failure.
  16. Click Finish.
    The Submit Policy window is displayed with a message, Are you sure you want to submit this policy?
  17. Click Confirm to save the policy or click Save and Enable Policy to activate the policy.
    The configured policy is displayed with the Status toggle button enabled. Policies that were only saved have the Status toggle button disabled.
    You can edit, delete, or execute the policy by clicking any of the icons in the Actions column.
    Note: To edit or delete a policy, you need to first disable the status.
  18. Go to (Menu) icon > CERT+ > CERTIFICATE ACTION > Enroll Certificate > Server and select an Enrollment Group from the dropdown list. Select Default if you have used the default policy.
  19. Click Continue.
    The Enroll Server Certificate form is populated.
  20. Fill the fields marked as mandatory in the Certificate Parameters section and click Submit.
    You are redirected to the holistic view of the policy.
  21. Right-click the (More) icon against the certificate and select Re-enroll from the options.
    The Re-Enroll Server Certificate form is displayed.
    AppViewX supports generating new private keys directly on the endpoint during certificate re-enrollment. Certificates must be enrolled with CSR Generation selected as Endpoint and with one of the following managed devices onboarded in AppViewX:
    • Windows Apache
    • Windows Tomcat
    • MSSQL
    • IIS
    • Microsoft Server
    • LinuxServer
    • Apache
    • Tomcat
    • Nginx
    When re-enrolling, the Endpoint option is selected by default and lists the Category, Vendor, the selected device, and the device-specific fields, with values pre-filled from the source certificate. The values can be changed, but only to one of the supported managed devices listed above.
    Note: Alternatively, you can re-enroll certificates at the group level by going to (Menu) icon > CERT+ > GROUPS & POLICIES > Groups. Select the group you want to modify, scroll down and enable the Re-enroll Automatically toggle button and specify the number of days in the Start Re-enrolling text box while selecting the Override check box. For example, if you specify 10 in the Start Re-enrolling text box, the certificate is automatically re-enrolled 10 days before it expires.
  22. Click Next. The Certificate Re-enrollment form that you filled from Policy Engine is displayed.
    Note: The Policy Engine re-enrollment template changes take precedence over the existing certificate CSR parameters.
  23. To re-enroll the certificate using the certificate's existing private key, from the CSR Generation options, select Use Existing Private Key.
    This allows you to maintain key continuity across certificate lifecycles where compliance and operational policies allow it, instead of always generating a new key pair.
    Important:
    • This option is visible only when AppViewX already has access to the certificate’s private key (stored securely in a vault, HSM, or in the AppViewX key store).
    • Reusing an existing private key may reduce cryptographic freshness. Ensure compliance with your organization’s key rotation policy.
  24. To re-enroll the certificate using the certificate's existing CSR details, from the CSR Generation options, select Use Existing CSR.
  25. Make changes, if required, and click Submit.
    A message, Certificate is enrolled successfully, appears. Once the certificate enrollment is successful, the Status changes to Completed. If it fails, go to Policy Engine > POLICY MANAGEMENT > Policy Requests and click the ID to open a staged execution log view. Once the certificate is re-enrolled, AppViewX compares the Extended Key Usage (EKU) and Key Usage (KU) fields of the parent and the re-enrolled certificates. If a difference is detected, you are notified through alerts and emails within the product, as described in the section Updating the EKU/KU Metrics for Re-enrolled Certificates.

Updating the EKU/KU Metrics for Re-enrolled Certificates

If a change is detected between the Extended Key Usage/Key Usage metrics of the parent and the re-enrolled certificates, the details are recorded and notified via the following mediums:
  • Certificate holistic view

    An icon is displayed in the re-enrolled certificate's holistic view when a change is detected in the EKU/KU fields, along with a View Changes link.

    Click View Changes to view the Key Usage Warning details, which list the Removed Usages and Added Usages for the re-enrolled certificate.
  • Email notifications

    Details of the changes detected in the EKU/KU fields are appended to the pre-configured certificate re-enrollment email notifications sent to a user, user group, or certificate group.

  • In-app notifications

    After issuance of the re-enrolled certificate, a notification message detailing any changes detected in the EKU/KU fields is displayed in the AppViewX notification center.

  • Certificate Logs

    Details of the changes detected in the EKU/KU fields after certificate re-enrollment are recorded in the Log Message field of the certificate logs.
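The checks above (EKU/KU differences) and the key-continuity caveat from the Use Existing Private Key option (step 23) can also be verified independently of the product. The following Python script is an added example, not AppViewX code: it uses the third-party cryptography library (pip install cryptography) to build a constructed parent certificate and a constructed re-enrolled certificate, then reports whether the private key was reused or rotated, whether Subject DN and SAN survived, which EKU/KU values were added or removed, the key size, and the new validity window. The host name app.example.test, the usage sets and the validity periods are assumptions chosen for the demonstration; the self-signed certificates stand in for CA-issued ones.

```python
"""Post-re-enrollment check (added example, not AppViewX product code).
Constructs a parent and a re-enrolled certificate with the cryptography
library and reports key reuse, identity drift, EKU/KU changes and validity."""
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

KU_FLAGS = ("digital_signature", "content_commitment", "key_encipherment",
            "data_encipherment", "key_agreement", "key_cert_sign", "crl_sign")
EKU_NAMES = {ExtendedKeyUsageOID.SERVER_AUTH.dotted_string: "serverAuth",
             ExtendedKeyUsageOID.CLIENT_AUTH.dotted_string: "clientAuth",
             ExtendedKeyUsageOID.CODE_SIGNING.dotted_string: "codeSigning"}


def make_cert(key, cn, sans, ekus, ku_flags, days):
    """Constructed self-signed certificate; a real re-enrollment is CA-issued."""
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = datetime.now(timezone.utc)
    ku = x509.KeyUsage(encipher_only=False, decipher_only=False,
                       **{f: f in ku_flags for f in KU_FLAGS})
    return (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name).public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - timedelta(minutes=1))
            .not_valid_after(now + timedelta(days=days))
            .add_extension(x509.SubjectAlternativeName(
                [x509.DNSName(s) for s in sans]), critical=False)
            .add_extension(x509.ExtendedKeyUsage(ekus), critical=False)
            .add_extension(ku, critical=True)
            .sign(key, hashes.SHA256()))


def _ext(cert, cls):
    # Extension value, or None when the certificate does not carry it
    try:
        return cert.extensions.get_extension_for_class(cls).value
    except x509.ExtensionNotFound:
        return None


def _usages(cert):
    """(EKU names, KU flag names, DNS SANs) as comparable collections."""
    eku, ku, san = (_ext(cert, c) for c in
                    (x509.ExtendedKeyUsage, x509.KeyUsage, x509.SubjectAlternativeName))
    return ({EKU_NAMES.get(o.dotted_string, o.dotted_string) for o in eku} if eku else set(),
            {f for f in KU_FLAGS if getattr(ku, f)} if ku else set(),
            sorted(san.get_values_for_type(x509.DNSName)) if san else [])


def _spki(cert):
    # SubjectPublicKeyInfo bytes identify the key pair independently of the certificate
    return cert.public_key().public_bytes(
        serialization.Encoding.DER, serialization.PublicFormat.SubjectPublicKeyInfo)


def _validity_days(cert):
    try:  # tz-aware accessors exist from cryptography 42; older builds are naive
        return (cert.not_valid_after_utc - cert.not_valid_before_utc).days
    except AttributeError:
        return (cert.not_valid_after - cert.not_valid_before).days


def compare_reenrollment(parent_pem, new_pem):
    """Differences that matter between the parent and the re-enrolled certificate."""
    parent = x509.load_pem_x509_certificate(parent_pem)
    new = x509.load_pem_x509_certificate(new_pem)
    (p_eku, p_ku, p_san), (n_eku, n_ku, n_san) = _usages(parent), _usages(new)
    report = {
        "key_reused": _spki(parent) == _spki(new),
        "key_size": new.public_key().key_size,
        "identity_preserved": parent.subject == new.subject and p_san == n_san,
        "eku_removed": sorted(p_eku - n_eku), "eku_added": sorted(n_eku - p_eku),
        "ku_removed": sorted(p_ku - n_ku), "ku_added": sorted(n_ku - p_ku),
        "validity_days": _validity_days(new),
    }
    findings = []
    if report["key_reused"]:
        findings.append("private key reused: confirm the key rotation policy allows it")
    if report["eku_removed"] or report["ku_removed"]:
        findings.append("usages removed: relying parties that needed them will break")
    if not report["identity_preserved"]:
        findings.append("Subject DN or SAN differs from the parent certificate")
    report["findings"] = findings
    return report


def demo(reuse_key=True):
    """Constructed scenario: parent has serverAuth+clientAuth, re-enrolled keeps serverAuth only."""
    parent_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    parent = make_cert(parent_key, "app.example.test", ["app.example.test"],
                       [ExtendedKeyUsageOID.SERVER_AUTH, ExtendedKeyUsageOID.CLIENT_AUTH],
                       {"digital_signature", "key_encipherment"}, 365)
    new_key = parent_key if reuse_key else rsa.generate_private_key(
        public_exponent=65537, key_size=2048)  # rotated key = "Generate New Key" path
    new = make_cert(new_key, "app.example.test", ["app.example.test"],
                    [ExtendedKeyUsageOID.SERVER_AUTH], {"digital_signature"}, 200)
    pem = serialization.Encoding.PEM
    return compare_reenrollment(parent.public_bytes(pem), new.public_bytes(pem))


if __name__ == "__main__":
    for field, value in demo().items():
        print(f"{field}: {value}")
```

Running the script prints the report for the reuse case: clientAuth and key_encipherment show up as removed usages, the key is flagged as reused, and the validity window is the 200-day default. Calling demo(reuse_key=False) models the rotated-key path and clears the reuse finding. To check a real pair, feed the PEM of the parent and of the re-enrolled certificate straight to compare_reenrollment.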