Renewing SSL Server Certificate - dogtagpki/pki GitHub Wiki

Overview

This page describes the process to renew the SSL server certificate of a PKI server, assuming the CA subsystem is running properly. If the CA subsystem is not running because the SSL server certificate has already expired, create a temporary SSL server certificate first, restart the server, then perform the actual renewal below. Once the actual (i.e. non-temporary) SSL server certificate is issued, the temporary certificate can be replaced with it.

Checking Current Certificate

To check the current SSL server certificate:

$ pki-server cert-show sslserver
  Cert ID: sslserver
  Nickname: sslserver
  Token: internal
  Serial Number: 0x235131ac57d6dc14706338af68fce2b6
  Subject DN: CN=pki.example.com,OU=pki-tomcat,O=EXAMPLE
  Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Not Valid Before: Wed Oct 25 15:39:35 2023
  Not Valid After: Tue Oct 14 15:39:35 2025
  Trust Flags: u,u,u

Renewal Procedure

To renew the SSL server certificate, submit a renewal request to the CA by executing the following command:

$ pki ca-cert-request-submit \
    --profile caManualRenewal \
    --serial 0x235131ac57d6dc14706338af68fce2b6 \
    --renewal
-----------------------------
Submitted certificate request
-----------------------------
  Request ID: 0x139860c571ad8a59dc5375fe344f5432
  Type: renewal
  Request Status: pending
  Operation Result: success
  Creation Time: Thu Oct 26 17:28:13 CDT 2023
  Modification Time: Thu Oct 26 17:28:13 CDT 2023

Next, as a CA admin/agent, approve the renewal request (--force approves it non-interactively):

$ pki <authentication> ca-cert-request-approve 0x139860c571ad8a59dc5375fe344f5432 --force
---------------------------------------------------------------
Approved certificate request 0x139860c571ad8a59dc5375fe344f5432
---------------------------------------------------------------
  Request ID: 0x139860c571ad8a59dc5375fe344f5432
  Type: renewal
  Request Status: complete
  Operation Result: success
  Certificate ID: 0x4e62aba6ad321857fcc93c20be4ee4c5
  Creation Time: Thu Oct 26 17:28:13 CDT 2023
  Modification Time: Thu Oct 26 17:29:56 CDT 2023

The CA admin/agent can authenticate with a client certificate (-n <nickname>) or with a username and password (-u <username> -w <password>); these credentials replace the <authentication> placeholder in the command above. If necessary, the password can be reset by the system administrator.

Next, retrieve the new certificate from the CA:

$ pki ca-cert-export 0x4e62aba6ad321857fcc93c20be4ee4c5 --output-file sslserver.crt

Delete the current certificate from the server’s NSS database:

$ pki-server cert-del sslserver

Then import the new certificate into the NSS database:

$ pki-server cert-import sslserver --input sslserver.crt

Verify the new certificate with the following command; the serial number and validity dates should now be those of the newly issued certificate. Then restart the server so that TLS connections use the new certificate:

$ pki-server cert-show sslserver
  Cert ID: sslserver
  Nickname: sslserver
  Token: internal
  Serial Number: 0x4e62aba6ad321857fcc93c20be4ee4c5
  Subject DN: CN=pki.example.com,OU=pki-tomcat,O=EXAMPLE
  Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Not Valid Before: Thu Oct 26 17:28:13 2023
  Not Valid After: Wed Oct 15 17:28:13 2025
  Trust Flags: u,u,u
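The procedure above is driven by hand, and each step feeds an identifier from one command's output into the next. As an added example (not part of this wiki page or of the pki project), the following Python helpers show the glue a practitioner would write around it: a parser for the key/value output of pki-server cert-show and pki ca-cert-request-approve (the same parser serves the "Checking Current Certificate" step and the approve/export steps), an expiry check on the "Not Valid After" date, extraction of the Request ID and Certificate ID that refuses a request that is still pending, validation of every ID before it is spliced into a later command, and the argv lists for the renewal commands shown on this page. The sample outputs are constructed copies of the ones above; the 30-day renewal threshold, the sslserver nickname and the sslserver.crt output file are assumptions.

```python
"""Added helpers (not pki project code) for scripting the renewal on this page:
parse `pki-server cert-show` / `pki ca-cert-request-approve` output, check
expiry, pull out the IDs safely, and build the argv for each renewal step."""
import re
from datetime import datetime

# Constructed sample output, shaped like the command output shown on this page.
CERT_SHOW_OUTPUT = """\
  Cert ID: sslserver
  Nickname: sslserver
  Token: internal
  Serial Number: 0x235131ac57d6dc14706338af68fce2b6
  Subject DN: CN=pki.example.com,OU=pki-tomcat,O=EXAMPLE
  Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Not Valid Before: Wed Oct 25 15:39:35 2023
  Not Valid After: Tue Oct 14 15:39:35 2025
  Trust Flags: u,u,u
"""

APPROVE_OUTPUT = """\
---------------------------------------------------------------
Approved certificate request 0x139860c571ad8a59dc5375fe344f5432
---------------------------------------------------------------
  Request ID: 0x139860c571ad8a59dc5375fe344f5432
  Type: renewal
  Request Status: complete
  Operation Result: success
  Certificate ID: 0x4e62aba6ad321857fcc93c20be4ee4c5
  Creation Time: Thu Oct 26 17:28:13 CDT 2023
  Modification Time: Thu Oct 26 17:29:56 CDT 2023
"""

HEX_ID = re.compile(r"0x[0-9a-fA-F]+")

def parse_fields(output):
    """'Key: value' lines to a dict; banner and dashed lines have no colon and are
    skipped. The key is matched lazily so values with colons (times, DNs) survive."""
    fields = {}
    for line in output.splitlines():
        m = re.match(r"^\s*([A-Za-z][A-Za-z ]*?):\s*(.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields

def parse_pki_time(text):
    """'Tue Oct 14 15:39:35 2025' or 'Thu Oct 26 17:28:13 CDT 2023'; a zone
    abbreviation is dropped, so the result is naive time in the server's zone."""
    parts = text.split()
    if len(parts) == 6:
        del parts[4]
    return datetime.strptime(" ".join(parts), "%a %b %d %H:%M:%S %Y")

def days_until_expiry(cert_show_output, now):
    """Whole days from `now` to the certificate's 'Not Valid After'."""
    not_after = parse_pki_time(parse_fields(cert_show_output)["Not Valid After"])
    return (not_after - now).days

def renewal_due(cert_show_output, now, threshold_days=30):
    """True when the certificate expires within threshold_days (30 is an assumption)."""
    return days_until_expiry(cert_show_output, now) < threshold_days

def checked_id(value):
    """Only the 0x-hex IDs pki prints may be spliced into a later command."""
    if not HEX_ID.fullmatch(value):
        raise ValueError(f"unexpected ID format: {value!r}")
    return value

def renewal_ids(approve_output):
    """(request_id, certificate_id) from ca-cert-request-approve output; refuses a
    request that is not complete (e.g. still pending right after submit)."""
    f = parse_fields(approve_output)
    if f.get("Request Status") != "complete" or f.get("Operation Result") != "success":
        raise RuntimeError(f"request {f.get('Request ID')} is {f.get('Request Status')}")
    return checked_id(f["Request ID"]), checked_id(f["Certificate ID"])

def submit_command(cert_show_output):
    """argv for the renewal request, using the serial of the current certificate."""
    serial = checked_id(parse_fields(cert_show_output)["Serial Number"])
    return ["pki", "ca-cert-request-submit", "--profile", "caManualRenewal",
            "--serial", serial, "--renewal"]

def install_commands(cert_id, nickname="sslserver", out="sslserver.crt"):
    """argv lists for export, delete, import and verify, in the page's order.
    Lists rather than shell strings, so nothing is re-parsed by a shell."""
    cert_id = checked_id(cert_id)
    return [
        ["pki", "ca-cert-export", cert_id, "--output-file", out],
        ["pki-server", "cert-del", nickname],
        ["pki-server", "cert-import", nickname, "--input", out],
        ["pki-server", "cert-show", nickname],
    ]
```

In use, the outputs come from subprocess.run(...).stdout instead of the embedded samples: run pki-server cert-show, call renewal_due with datetime.now(), and only then run submit_command; after the agent approves, feed the approve output to renewal_ids and run install_commands with the returned Certificate ID. The approve step itself is deliberately left to the agent, since it needs the agent's credentials rather than the server's.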

See Also
