Interim Manual Solution

• Login to Venafi
• Check certificates in Venafi
• Update certificates in Venafi
• Update Certificates in ACM
• Update certificates in AWS load balancer
• Confirm application has new certificates
• SSL certificates exceeded expiration date

Gain access to Venafi

Check expiration of certificate and set calendar reminders

• Click on the certificate and locate the expiration date
  • Labeled Not after
• Create an event in outlook and tag the appropriate team for 30 days prior to expiration
  • i.e. If the date Not after is 10/01/2025, then create the reminder for 09/01/2025

Login to Venafi

• Connect to the VA Network using your zero token/Account: *GFE go to citrixaccess.vpn.va.gov and select your zero account to login *CAG go to citrixaccess.vpn.va.gov and select your zero account to login (need to test and confirm)
• Go to the Venafi portal and confirm your certificates are valid or require updating (instructions on gaining access to Venafi)
• Venafi link can be found here https://prod.adfs.federation.va.gov/adfs/ls/idpinitiatedsignon.aspx (must be on the VA network) select the Venafi option from the dropdown.

Venafi Dashboard

• Navigate to the All Certificates Dashboard
• Click on the number designated under My Certificates
• For the certificate that requires updating, go to the far right drop-down menu and select renew now
• Once renewed right-click on certificate and open in new tab
• Confirm the expiration has been extended and the new date is 13 months from today
• Go back to the All Managed Certificates
• Select/Choose the following options
  • PEM (openssl)
  • Check the Extract PEM content into separate files
  • Click download
  • Find the downloads and transfer to your standard user accounts desktop (or specified location)

Uploading New Certificate to ACM

• Navigate to AWS Dashboard -> Certificate Manager -> select the certificate that needs to be updated -> Reimport
  • Note: You must have the private key in order to proceed
• Update the content of Certificate Body, Certificate private key, and Certificate chain then select next
  • Be sure to remove extra spacing when copying and pasting
• Once completed the new expiration date should appear in the certificate that was reimported.

Updating Load Balancer for Applications

• Navigate to AWS Dashboard -> EC2 -> Instance (running) -> Scroll down to Load Balancers -> Choose the instance -> Select the Listeners tab -> Click Change on the right side of the SSL Certificate.
• Select Choose a certificate from ACM
• In the drop-down, select the appropriate certificate and save

Confirm New Certificates are installed

• Navigate to dev, staging, or prod in the browser
• Click on the lock next to url and click Connection is secure
• Click on Certificate is valid
• Confirm the issued on and expires on dates to match the new certificate

IF THE SSL HAS EXPIRED

Example Ticket

• Open a ticket with YourIT
• Find the ticket request for SSL Certificates - New/Renew/Move/Delete
  • If you cannot find it, search for it using the magnifying glass
• Fill out the information and select the appropriate field for Action needed for certificate request
• Locate the ticket in the ESD Ticket Dashboard and change the assigned to to IO.SS.PKI.OPERATIONS
• If this is urgent you will need to contact someone on that team and expedite the request

Create a Certificate Signing Request (.csr) from Linux

• Load up any Linux instance, or terminal instance and run the following command
  • openssl req -new -newkey rsa:2048 -nodes -keyout example.com.key -out example.com.csr
• Follow the prompt as follows:

Country name (2 letter code): US
State or Province Name (full name): District of Columbia
Locality Name (eg, city): Washington
Organization Name (eg, company): Department of Veterans Affairs
Organizational Unit (eg, section): VHA
Common Name (eg, your name or your server's hostname): Marketplace.va.gov
Email Address: [email protected]

• Use this to submit a Create a New SSL Certificate request from If SSL has expired

Be sure to save the private key in a secure location that you will be able to find later

Gain Access to Venafi

• Request ePAS access to view/update SSL certificates for Diffusion Marketplace project.
• Specific group can be found be by making a request to [email protected] or following the instructions in ePAS
• Once access has been granted and work ticket completed:
  • Request URL from [email protected] for access Venafi via CAG.