Renewing Admin Certificate with RSNv3 - dogtagpki/pki GitHub Wiki
This page describes the process to renew the admin certificate when the CA is configured with RSNv3 (random serial numbers v3). Unlike the procedure for the legacy serial number generator, this one works entirely offline against the CA database and does not require the server to be running.
Notes:
- This procedure can only be executed locally by the system administrator.
- This procedure works even if the existing admin certificate or the admin password no longer works.
- This procedure does not require the server to be running.
- This procedure does not require resetting the system clock.
- This procedure does not generate audit logs, because the CA server is not involved; if the deployment needs an audit trail of admin credential changes, record the renewal out of band.
Availability: Since PKI 11.5

Prerequisites:
- CA must be configured with RSNv3.
To find the existing certificate in the admin user record:
$ pki-server ca-user-cert-find caadmin
To remove the certificate from the admin user record:
$ pki-server ca-user-cert-del caadmin <cert ID>
To find the existing certificate in PKI CLI:
$ pki nss-cert-find
To remove the certificate and its key from PKI CLI:
$ certutil -F -d ~/.dogtag/nssdb -n caadmin
To generate an admin certificate request:
$ pki nss-cert-request \
    --subject "CN=Administrator" \
    --ext /usr/share/pki/server/certs/admin.conf \
    --csr admin.csr
To import the certificate request into CA database:
$ pki-server ca-cert-request-import \
    --csr admin.csr \
    --profile adminCert.profile
This prints a new request ID; note it, as the following steps refer to it.
To issue a new certificate:
$ pki-server ca-cert-create \
    --request <request ID> \
    --profile adminCert.profile \
    --type local \
    > admin.crt
To import the new certificate into CA database:
$ pki-server ca-cert-import \
    --cert admin.crt \
    --profile adminCert.profile \
    --request <request ID>
To import the new certificate to the admin user record:
$ cat admin.crt | pki-server ca-user-cert-add caadmin
To import the new certificate into PKI CLI:
$ pki nss-cert-import caadmin --cert admin.crt
The new certificate can be used as follows:
$ pki -n caadmin ca-user-find
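The whole procedure above, wrapped into one script as an added example. This is not code from the dogtagpki/pki project; it only chains the commands shown on this page and adds the checks an operator would want (the NSS database exists, the request ID was captured rather than copied by hand, the issued certificate file is non-empty). The two parsing helpers, `extract_request_id` and `extract_cert_ids`, assume output formats that this page does not document (a `Request ID:` line from `pki-server ca-cert-request-import` and `Cert ID:` lines from `pki-server ca-user-cert-find`); verify them against your PKI version before relying on the script. The file name `renew-admin-cert.sh` and the `run` argument guard are this example's own conventions.

```shell
#!/bin/sh
# Added example (not part of dogtagpki/pki): the admin certificate renewal
# steps from this page as one script with operator checks. The two parsing
# helpers assume CLI output formats that the page does not document; they
# are marked as assumptions below and must be checked against your version.
set -eu

NSSDB="${HOME:-/root}/.dogtag/nssdb"   # PKI CLI's default NSS database
NICK="caadmin"                         # nickname in the NSS database
ADMIN_USER="caadmin"                   # admin user record in the CA
PROFILE="adminCert.profile"
EXT_CONF="/usr/share/pki/server/certs/admin.conf"
CSR="admin.csr"
CRT="admin.crt"

# Assumption: 'pki-server ca-cert-request-import' prints a line such as
# "  Request ID: 0x7fe1bc4f4f5a3f27". Print only the ID of the first match.
extract_request_id() {
    awk '/^[[:space:]]*Request ID:/ { print $3; exit }'
}

# Assumption: 'pki-server ca-user-cert-find' lists each certificate with a
# line "  Cert ID: <version>;<serial>;<issuer>;<subject>". The ID can contain
# spaces (subject DNs), so strip only the label and print the rest verbatim.
extract_cert_ids() {
    awk '/^[[:space:]]*Cert ID:/ { sub(/^[[:space:]]*Cert ID:[[:space:]]*/, ""); print }'
}

# Remove every certificate currently stored in the admin user record.
remove_old_user_certs() {
    certs=$(pki-server ca-user-cert-find "$ADMIN_USER")
    printf '%s\n' "$certs" | extract_cert_ids |
    while IFS= read -r id; do
        if [ -n "$id" ]; then
            pki-server ca-user-cert-del "$ADMIN_USER" "$id"
        fi
    done
}

renew_admin_cert() {
    [ -d "$NSSDB" ] || { echo "NSS database $NSSDB not found" >&2; exit 1; }

    remove_old_user_certs

    # Remove the old certificate and its key from the NSS database;
    # tolerate the case where the nickname is already gone.
    certutil -F -d "$NSSDB" -n "$NICK" 2>/dev/null || true

    pki nss-cert-request \
        --subject "CN=Administrator" \
        --ext "$EXT_CONF" \
        --csr "$CSR"

    # Capture the new request ID instead of transcribing it by hand;
    # tee keeps the full CLI output visible on stderr.
    req_id=$(pki-server ca-cert-request-import \
                 --csr "$CSR" --profile "$PROFILE" | tee /dev/stderr | extract_request_id)
    [ -n "$req_id" ] || { echo "could not parse request ID from output" >&2; exit 1; }

    pki-server ca-cert-create \
        --request "$req_id" --profile "$PROFILE" --type local > "$CRT"
    [ -s "$CRT" ] || { echo "no certificate written to $CRT" >&2; exit 1; }

    pki-server ca-cert-import \
        --cert "$CRT" --profile "$PROFILE" --request "$req_id"
    pki-server ca-user-cert-add "$ADMIN_USER" < "$CRT"
    pki nss-cert-import "$NICK" --cert "$CRT"

    # Confirm the renewed certificate authenticates against the CA
    # (this last step does need the server running).
    pki -n "$NICK" ca-user-find
}

# Run the procedure only when invoked as "sh renew-admin-cert.sh run", so the
# file can also be sourced to call the helpers individually.
if [ "${1:-}" = "run" ]; then
    renew_admin_cert
fi
```

Everything up to the final `pki -n caadmin ca-user-find` runs against the CA database directly; only that verification step needs the server up. If the parsing helpers return nothing on your version, run the two `pki-server` commands by hand once, read the labels they print, and adjust the awk patterns accordingly.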