Renewing Admin Certificate using pki server cert fix - dogtagpki/pki GitHub Wiki
This page describes the process to renew the admin certificate using pki-server cert-fix
CLI.
Notes:
-
This procedure may require setting the system clock back to when the admin certificate was still valid.
To renew the admin certificate and system certificates, execute the following command and provide the admin certificate serial number:
$ pki-server cert-fix \ --ldap-url ldap://localhost.localdomain \ --agent-uid caadmin \ --extra-cert <serial number>
If the DS connection was configured to use client certificate authentication, but the certificate has already expired, and the DS server is running locally, the command can be executed with LDAPI instead:
$ pki-server cert-fix \ --ldapi-socket /var/run/slapd-localhost.socket \ --agent-uid caadmin \ --extra-cert <serial number>
Then assign the new certificate to the admin user with the following command:
$ pki \ -U https://localhost.localdomain:8443 \ -d ~/.dogtag/nssdb \ -c Secret.123 \ -n caadmin \ ca-user-cert-add \ --input /var/lib/pki/pki-tomcat/conf/certs/<serial number>-renewed.crt \ caadmin