PKI 10.3 Identifying Certificates to Renew - dogtagpki/pki GitHub Wiki

In PKI 10.3 or earlier the serial numbers and the validity dates of the system certificates can be determined with the following commands:

$ certutil -L -d /var/lib/pki/pki-tomcat/alias

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

sslserver                                                    u,u,u
ca_audit_signing                                             u,u,Pu
ca_signing                                                   CTu,Cu,Cu
ca_ocsp_signing                                              u,u,u
subsystem                                                    u,u,u

$ certutil -L -d /var/lib/pki/pki-tomcat/alias -n "ca_signing" | egrep "Serial|Before|After"
        Serial Number: 1 (0x1)
            Not Before: Tue Dec 06 12:49:43 2016
            Not After : Sat Dec 06 12:49:43 2036

$ certutil -L -d /var/lib/pki/pki-tomcat/alias -n "ca_ocsp_signing" | egrep "Serial|Before|After"
        Serial Number: 7 (0x7)
            Not Before: Sun Nov 25 23:00:17 2018
            Not After : Sat Nov 14 23:00:17 2020

...
⚠️ **GitHub.com Fallback** ⚠️