Creating Temporary SSL Server Certificate - dogtagpki/pki GitHub Wiki

Overview

This page describes the process to create a temporary SSL server certificate for the CA subsystem itself.

Checking Current Certificate

To check the current SSL server certificate:

$ pki-server cert-show sslserver
  Cert ID: sslserver
  Nickname: sslserver
  Token: internal
  Serial Number: 0x235131ac57d6dc14706338af68fce2b6
  Subject DN: CN=pki.example.com,OU=pki-tomcat,O=EXAMPLE
  Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Not Valid Before: Wed Oct 25 15:39:35 2023
  Not Valid After: Tue Oct 14 15:39:35 2025
  Trust Flags: u,u,u

Enrollment Procedure

To create a temporary certificate, execute the following command:

$ pki-server cert-create sslserver --temp

The certificate will be stored in /var/lib/pki/<instance>/conf/certs/sslserver.crt.

Next, delete the current SSL server certificate from the server’s NSS database:

$ pki-server cert-del sslserver

Then import the temporary certificate into the NSS database:

$ pki-server cert-import sslserver

Verify the new certificate with the following command:

$ pki-server cert-show sslserver
  Cert ID: sslserver
  Nickname: sslserver
  Token: internal
  Serial Number: 0x4e62aba6ad321857fcc93c20be4ee4c5
  Subject DN: CN=pki.example.com,OU=pki-tomcat,O=EXAMPLE
  Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Not Valid Before: Thu Oct 26 17:28:13 2023
  Not Valid After: Wed Oct 15 17:28:13 2025
  Trust Flags: u,u,u
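
One way to check the outcome of the procedure above, as an added example that is not part of the original wiki page or of the Dogtag project's code: it compares `pki-server cert-show sslserver` output saved before and after the steps and confirms that the serial number changed while the nickname, subject and issuer stayed the same. The function and variable names are hypothetical, and the sample text is abridged from the output shown on this page.

```shell
#!/bin/sh
# Sample cert-show output, abridged from this page (before and after the procedure).
# In real use, capture it with: before=$(pki-server cert-show sslserver)
BEFORE_SAMPLE='  Cert ID: sslserver
  Nickname: sslserver
  Serial Number: 0x235131ac57d6dc14706338af68fce2b6
  Subject DN: CN=pki.example.com,OU=pki-tomcat,O=EXAMPLE
  Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Trust Flags: u,u,u'
AFTER_SAMPLE='  Cert ID: sslserver
  Nickname: sslserver
  Serial Number: 0x4e62aba6ad321857fcc93c20be4ee4c5
  Subject DN: CN=pki.example.com,OU=pki-tomcat,O=EXAMPLE
  Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Trust Flags: u,u,u'

# cert_field FIELD TEXT: print the value of the "FIELD: value" line in cert-show output.
cert_field() {
    printf '%s\n' "$2" | awk -v key="$1" '
        { line = $0; sub(/^[ \t]+/, "", line) }
        index(line, key ": ") == 1 { print substr(line, length(key) + 3); exit }'
}

# cert_replaced BEFORE AFTER: return 0 only if AFTER is a different certificate
# for the same identity; 1 on a failed check, 2 if the output could not be parsed.
cert_replaced() {
    before=$1 after=$2
    old_serial=$(cert_field "Serial Number" "$before")
    new_serial=$(cert_field "Serial Number" "$after")
    [ -n "$old_serial" ] && [ -n "$new_serial" ] || { echo "serial number not found" >&2; return 2; }
    # Same serial means cert-del/cert-import did not swap the certificate.
    [ "$old_serial" != "$new_serial" ] || { echo "serial unchanged: $new_serial" >&2; return 1; }
    # The temporary certificate must keep the identity of the one it replaces.
    for f in "Nickname" "Subject DN" "Issuer DN"; do
        [ "$(cert_field "$f" "$before")" = "$(cert_field "$f" "$after")" ] \
            || { echo "$f differs from the previous certificate" >&2; return 1; }
    done
    # NSS reports the u flag for certificates whose private key is in the database.
    [ "$(cert_field "Trust Flags" "$after")" = "u,u,u" ] \
        || { echo "unexpected trust flags on imported certificate" >&2; return 1; }
    return 0
}

cert_replaced "$BEFORE_SAMPLE" "$AFTER_SAMPLE" && echo "sslserver certificate replaced"
```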
