Renewing Admin Certificate with RSNv3 - dogtagpki/pki GitHub Wiki

Overview

This page describes the process to renew the admin certificate with RSNv3. Unlike the legacy serial number generator, RSNv3 does not require the server to be running.

Notes:

  • This procedure can only be executed locally by the system administrator.

  • This procedure will work even if the admin certificate or the admin password no longer works.

  • This procedure does not require the server to be running.

  • This procedure does not require resetting the system clock.

  • This procedure does not generate audit logs.

Availability: Since PKI 11.5

Prerequisites

Removing Existing Admin Certificate

Removing Existing Certificate from Admin User Record

To find the existing certificate in the admin user record:

$ pki-server ca-user-cert-find caadmin

To remove the certificate from the admin user record:

$ pki-server ca-user-cert-del caadmin <cert ID>

Remove Existing Certificate from PKI CLI

To find the existing certificate in PKI CLI:

$ pki nss-cert-find

To remove the certificate and its key from PKI CLI:

$ certutil -F -d ~/.dogtag/nssdb -n caadmin

Creating New Admin Certificate

Generating Certificate Request

To generate an admin certificate request:

$ pki nss-cert-request \
    --subject "CN=Administrator" \
    --ext /usr/share/pki/server/certs/admin.conf \
    --csr admin.csr

Importing Certificate Request into CA Database

To import the certificate request into the CA database:

$ pki-server ca-cert-request-import \
    --csr admin.csr \
    --profile adminCert.profile

This generates a new request ID, which is needed in the following steps.

Issuing New Certificate

To issue a new certificate:

$ pki-server ca-cert-create \
    --request <request ID> \
    --profile adminCert.profile \
    --type local \
    > admin.crt

Importing New Certificate into CA Database

To import the new certificate into the CA database:

$ pki-server ca-cert-import \
    --cert admin.crt \
    --profile adminCert.profile \
    --request <request ID>

Importing New Certificate into Admin User Record

To import the new certificate into the admin user record:

$ cat admin.crt | pki-server ca-user-cert-add caadmin

Importing New Certificate into PKI CLI

To import the new certificate into PKI CLI:

$ pki nss-cert-import caadmin --cert admin.crt

The new certificate can be used as follows:

$ pki -n caadmin ca-user-find
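The steps above chained into a single script, as an added example that is not part of this wiki page or the pki project. It assumes pki-server, pki and certutil are on PATH and that it is run locally as the system administrator; the old certificate ID (from pki-server ca-user-cert-find caadmin) is passed as the first argument; and the request ID is parsed from the output of ca-cert-request-import on the assumption that it appears on a line of the form "Request ID: <id>" (adjust parse_request_id if your version prints it differently). The script stops at the first failing step so a half-renewed state is noticed rather than silently carried on.

```shell
#!/bin/sh
# Added example, not from the dogtagpki/pki wiki: admin certificate renewal
# with RSNv3, run end to end. Assumptions (labelled): pki-server, pki and
# certutil on PATH; run locally as the system administrator; the old cert ID
# is $1; ca-cert-request-import prints "Request ID: <id>" (assumed format).
set -eu

ADMIN_USER="caadmin"
NSSDB="$HOME/.dogtag/nssdb"
EXT_CONF="/usr/share/pki/server/certs/admin.conf"
PROFILE="adminCert.profile"

# Read command output on stdin and print the value after "Request ID:".
# The output format is an assumption; only the first match is used.
parse_request_id() {
    sed -n 's/^[[:space:]]*Request ID:[[:space:]]*\([^[:space:]]*\).*/\1/p' | head -n 1
}

# Step 1: drop the old certificate from the admin user record and from the
# local NSS database (certutil -F removes the key and its certificate).
remove_old_cert() {
    old_cert_id="$1"
    pki-server ca-user-cert-del "$ADMIN_USER" "$old_cert_id"
    certutil -F -d "$NSSDB" -n "$ADMIN_USER"
}

# Step 2: request, issue and import the new certificate.
create_new_cert() {
    pki nss-cert-request \
        --subject "CN=Administrator" \
        --ext "$EXT_CONF" \
        --csr admin.csr

    request_id=$(pki-server ca-cert-request-import \
        --csr admin.csr --profile "$PROFILE" | parse_request_id)
    if [ -z "$request_id" ]; then
        echo "could not determine the request ID from ca-cert-request-import output" >&2
        return 1
    fi

    pki-server ca-cert-create \
        --request "$request_id" --profile "$PROFILE" --type local > admin.crt
    pki-server ca-cert-import \
        --cert admin.crt --profile "$PROFILE" --request "$request_id"
    pki-server ca-user-cert-add "$ADMIN_USER" < admin.crt
    pki nss-cert-import "$ADMIN_USER" --cert admin.crt
}

# Step 3: confirm the renewed certificate authenticates against the CA.
verify_new_cert() {
    pki -n "$ADMIN_USER" ca-user-find > /dev/null
}

# Usage: sh renew-admin-cert.sh <old cert ID>
# Nothing runs when no argument is given, so the functions can be sourced.
if [ -n "${1:-}" ]; then
    remove_old_cert "$1"
    create_new_cert
    verify_new_cert
    echo "admin certificate renewed for $ADMIN_USER"
fi
```

The final ca-user-find call is the same check the page ends with; if it fails, the server-side import succeeded but the client-side NSS database does not hold a usable key and certificate pair, which is the step to revisit first.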

See Also
