Step 2: Let the New Certificate Percolate Through Security Controls

After the new certificate has been issued by your CA and specified as the sub-authority certificate, the certificate is said to be in a pending state. The next step is to let the pending certificate work its way through Security Controls.

30-day waiting period

There is a 30-day period during which the pending certificate is distributed to your agent machines. Here's how it works:

  1. Your agents check in during this 30-day period.
  2. The agents receive a copy of the new certificate.
  3. The certificate is stored in the Intermediate store on the agent machine.

The agents do not use the pending certificate just yet, but they hold it so that it is available when the transition to the sub-authority certificate is made permanent. The pending certificate is made permanent when the system automatically issues a commit command after 30 days. If problems occur during the 30-day period, you may need to perform the commit manually.

For information about the commit process, see Commit to the New Sub-Authority Certificate.

Bypassing the 30-day waiting period

The system waits 30 days before it automatically commits to the new sub-authority certificate, and it does this regardless of whether you have any agents. If you do not have agents and you want to commit to the new certificate without waiting the 30 days, you can do so by manually issuing the commit command. For information about the commit process, see Commit to the New Sub-Authority Certificate.

There are other reasons you may choose to manually issue the commit command. If you have forced your agents to check in and you are certain they have all received the new certificate, you can manually issue the commit command and move forward without waiting for the 30-day period to expire. Or, problems may occur that prevent the commit command from being issued automatically. For more information, see Commit to the New Sub-Authority Certificate.

Be careful when forcing agents to check in. Some agents may not receive the check-in request if they are not listening, are offline, or are cloud agents.
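The text above says you may commit early only if you are certain every agent has received the new certificate, and that offline or non-listening agents may miss a forced check-in. The following PowerShell script is an added example, not part of this page or of the Security Controls product: it queries each agent's Intermediate Certification Authorities store (Cert:\LocalMachine\CA on Windows) for the pending certificate's thumbprint and reports which agents hold it, which do not, and which could not be reached. The thumbprint value and the agent host names are placeholders you must replace; it assumes PowerShell remoting (Invoke-Command) is enabled on the agent machines, and it cannot reach cloud agents, which must be verified another way.

```powershell
# Added example (not Ivanti's tooling): confirm the pending sub-authority
# certificate is present in each agent's Intermediate store before you
# manually issue the commit command.

# ASSUMPTION: placeholder. Replace with the pending certificate's thumbprint
# (hex, no spaces) as shown for the new sub-authority certificate in your console.
$PendingThumbprint = 'REPLACE_WITH_PENDING_CERT_THUMBPRINT'

# ASSUMPTION: constructed list of agent host names; export the real list from
# the console or your inventory.
$AgentHosts = @('agent01.example.local', 'agent02.example.local', 'agent03.example.local')

$results = foreach ($agent in $AgentHosts) {
    try {
        $found = Invoke-Command -ComputerName $agent -ErrorAction Stop -ArgumentList $PendingThumbprint -ScriptBlock {
            param($thumb)
            # The Intermediate Certification Authorities store is the "CA" store
            # under the LocalMachine hive.
            $cert = Get-ChildItem -Path Cert:\LocalMachine\CA |
                Where-Object { $_.Thumbprint -eq $thumb.ToUpper() }
            if ($cert) {
                [pscustomobject]@{ Present = $true;  Subject = $cert.Subject; NotAfter = $cert.NotAfter }
            } else {
                [pscustomobject]@{ Present = $false; Subject = $null;         NotAfter = $null }
            }
        }
        [pscustomobject]@{
            Agent    = $agent
            Status   = if ($found.Present) { 'HasPendingCert' } else { 'MissingPendingCert' }
            Subject  = $found.Subject
            NotAfter = $found.NotAfter
        }
    } catch {
        # Agents that are offline, not listening, or otherwise unreachable land
        # here; these are the ones a forced check-in may have missed.
        [pscustomobject]@{
            Agent    = $agent
            Status   = "Unreachable: $($_.Exception.Message)"
            Subject  = $null
            NotAfter = $null
        }
    }
}

$results | Format-Table -AutoSize

# Only commit early when every listed agent reports the certificate.
$notReady = @($results | Where-Object { $_.Status -ne 'HasPendingCert' })
if ($notReady.Count -gt 0) {
    Write-Warning "Do not commit yet: $($notReady.Count) agent(s) have not confirmed the pending certificate."
} else {
    Write-Host "All listed agents hold the pending certificate; an early manual commit will not strand any of them."
}
```

Run it from a workstation that can reach the agents over WinRM. Any agent listed as Unreachable or MissingPendingCert should be resolved (or consciously accepted as an agent that will be re-provisioned) before bypassing the 30-day waiting period; leaving it to the automatic commit is the safer default when the list is not clean.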