Renewing Admin Certificate with RSNv3 - dogtagpki/pki GitHub Wiki
This page describes the process to renew the admin certificate with RSNv3. Unlike the legacy number generator, RSNv3 does not require the server to be running.
Notes:
- This procedure can only be executed locally by the system administrator.
- This procedure will work even if the admin certificate or the admin password no longer works.
- This procedure does not require the server to be running.
- This procedure does not require resetting the system clock.
- This procedure does not generate audit logs.
Availability: Since PKI 11.5
- CA must be configured with RSNv3.
To find the existing certificate in the admin user record:
$ pki-server ca-user-cert-find caadmin
To remove the certificate from the admin user record:
$ pki-server ca-user-cert-del caadmin <cert ID>
To find the existing certificate in PKI CLI:
$ pki nss-cert-find
To remove the certificate and its key from PKI CLI:
$ certutil -F -d ~/.dogtag/nssdb -n caadmin
To generate an admin certificate request:
$ pki nss-cert-request \
--subject "CN=Administrator" \
--ext /usr/share/pki/server/certs/admin.conf \
--csr admin.csr
To import the certificate request into the CA database:
$ pki-server ca-cert-request-import \
--csr admin.csr \
--profile adminCert.profile
This should generate a new request ID; note it, as the next steps need it.
To issue a new certificate:
$ pki-server ca-cert-create \
--request <request ID> \
--profile adminCert.profile \
--type local \
> admin.crt
To import the new certificate into the CA database:
$ pki-server ca-cert-import \
--cert admin.crt \
--profile adminCert.profile \
--request <request ID>
To import the new certificate to the admin user record:
$ cat admin.crt | pki-server ca-user-cert-add caadmin
To import the new certificate into PKI CLI:
$ pki nss-cert-import caadmin --cert admin.crt
The new certificate can be used as follows:
$ pki -n caadmin ca-user-find
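An added wrapper for the whole procedure above (example code, not from the dogtagpki wiki or the pki project): it runs the steps in order with error handling and keeps a local record of the removed certificate ID, the request ID and the new certificate's SHA-256 fingerprint, which matters because the procedure itself writes no audit log. It assumes the operator passes the old certificate ID as the first argument and types in the request ID printed by ca-cert-request-import, since the page does not show the format of those outputs; NSSDB and RECORD are assumed names.

```shell
#!/usr/bin/env bash
# Added example, not the pki project's own code. Wraps the RSNv3 admin
# certificate renewal steps from the page in one script with a local record.
set -eu

NSSDB="${NSSDB:-$HOME/.dogtag/nssdb}"            # assumed: PKI CLI NSS database
RECORD="${RECORD:-./admin-cert-renewal.log}"     # assumed: local renewal record

# SHA-256 fingerprint of a PEM certificate, for the local record.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Append a UTC-timestamped line to the local renewal record.
record() {
    printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >> "$RECORD"
}

# The page's steps, in order. $1 = ID of the old certificate in the caadmin
# user record, as listed by: pki-server ca-user-cert-find caadmin
renew_admin_cert() {
    old_cert_id="$1"
    record "start: removing cert $old_cert_id from caadmin"
    pki-server ca-user-cert-del caadmin "$old_cert_id"
    certutil -F -d "$NSSDB" -n caadmin
    pki nss-cert-request --subject "CN=Administrator" \
        --ext /usr/share/pki/server/certs/admin.conf --csr admin.csr
    pki-server ca-cert-request-import --csr admin.csr --profile adminCert.profile
    # The page does not show the output format, so the operator supplies the ID.
    printf 'Request ID printed above: '
    read -r request_id
    pki-server ca-cert-create --request "$request_id" \
        --profile adminCert.profile --type local > admin.crt
    pki-server ca-cert-import --cert admin.crt \
        --profile adminCert.profile --request "$request_id"
    pki-server ca-user-cert-add caadmin < admin.crt
    pki nss-cert-import caadmin --cert admin.crt
    record "done: request $request_id, new cert sha256=$(cert_fingerprint admin.crt)"
    # Prove the renewed certificate authenticates before the operator walks away.
    pki -n caadmin ca-user-find
}

# Run only when an old certificate ID is given, so the file can also be sourced.
if [ "$#" -gt 0 ]; then
    renew_admin_cert "$1"
fi
```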