Can old and new WSS SSL inspection root certificate co-exist?


Article ID: 220895


Updated On:

Products

Web Security Service - WSS

Issue/Introduction

Due to the expiration of the certificate for SSL inspection (Cloud Services Root CA certificate) of the WSS product, we are deploying the new WSS agent 7.2.1 which also installs the new certificate.

We noticed that after the installation of the new agent, there are two certificates (the old one expiring and the new one) in the machine's certificate store.

Can you confirm that the presence of the two certificates cannot create any kind of impact after the expiration of the first one?

 

Environment

SSL inspection enabled

WSS Agent

SEP Agent

All user agents accessing WSS 

Resolution

The old and new WSS SSL root certificates can co-exist.

As a best practice, remove any old, expired certificates of any kind from the SSL root and intermediate trust store on the host machine.
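
One way to carry out this check on a Windows host, as an added example that is not part of the original article or the vendor's tooling: it lists the old and new WSS roots with their expiry status and reports other expired certificates in the machine root and intermediate stores. The subject pattern is an assumption based on the certificate name used in this article, and the thumbprint parameter is a placeholder to fill in from the report.

```powershell
# Added example: inventory WSS SSL inspection roots and expired certificates
# in the machine trust stores. Report-only unless a thumbprint is supplied.
param(
    # Assumption: the certificate subject contains the name used in the article.
    [string]$SubjectPattern = '*Cloud Services Root CA*',
    # Placeholder: thumbprint of the expired certificate to remove, copied from the report.
    [string]$RemoveThumbprint = ''
)

# Machine-wide trusted root and intermediate CA stores.
$stores = 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\CA'
$now = Get-Date

$report = foreach ($store in $stores) {
    Get-ChildItem -Path $store | ForEach-Object {
        [pscustomobject]@{
            Store      = $store
            Subject    = $_.Subject
            Thumbprint = $_.Thumbprint
            NotAfter   = $_.NotAfter
            Expired    = $_.NotAfter -lt $now
            IsWssRoot  = $_.Subject -like $SubjectPattern
        }
    }
}

# Old and new WSS roots side by side, with expiry status.
$report | Where-Object IsWssRoot | Sort-Object NotAfter | Format-Table -AutoSize

# Every other expired certificate, listed for review only (never removed here).
$report | Where-Object { $_.Expired -and -not $_.IsWssRoot } |
    Sort-Object Store, NotAfter | Format-Table Store, Subject, NotAfter -AutoSize

# Remove only the named certificate, and only if it is expired and matches the pattern.
if ($RemoveThumbprint) {
    $target = $report | Where-Object {
        $_.Thumbprint -eq $RemoveThumbprint -and $_.Expired -and $_.IsWssRoot
    }
    foreach ($t in $target) {
        # -WhatIf previews the deletion; drop it once the output has been reviewed.
        Remove-Item -Path (Join-Path $t.Store $t.Thumbprint) -WhatIf
    }
}
```

Run it from an elevated PowerShell session so the machine stores can be modified when `-WhatIf` is dropped.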

Additional Information

https://support.broadcom.com/external/content/critical-alerts/WSS-SSL-interception-root-certificate-update-required/18514