Renewing SSL Server Certificate - dogtagpki/pki GitHub Wiki
This page describes the process to renew an SSL server certificate for a PKI server, assuming the CA subsystem is running properly. If the CA subsystem is not running because the SSL server certificate has expired, create a temporary SSL server certificate first, restart the server, then perform the actual renewal below. Once the actual (i.e. non-temporary) SSL server certificate is issued, the temporary certificate can be replaced with the actual one.
To check the current SSL server certificate:
```
$ pki-server cert-show sslserver
  Cert ID: sslserver
  Nickname: sslserver
  Token: internal
  Serial Number: 0x235131ac57d6dc14706338af68fce2b6
  Subject DN: CN=pki.example.com,OU=pki-tomcat,O=EXAMPLE
  Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Not Valid Before: Wed Oct 25 15:39:35 2023
  Not Valid After: Tue Oct 14 15:39:35 2025
  Trust Flags: u,u,u
```
To renew the SSL server certificate, submit a renewal request to the CA by executing the following command:
```
$ pki ca-cert-request-submit \
    --profile caManualRenewal \
    --serial 0x235131ac57d6dc14706338af68fce2b6 \
    --renewal
-----------------------------
Submitted certificate request
-----------------------------
  Request ID: 0x139860c571ad8a59dc5375fe344f5432
  Type: renewal
  Request Status: pending
  Operation Result: success
  Creation Time: Thu Oct 26 17:28:13 CDT 2023
  Modification Time: Thu Oct 26 17:28:13 CDT 2023
```
Next, as a CA admin/agent approve the renewal request:
```
$ pki <authentication> ca-cert-request-approve 0x139860c571ad8a59dc5375fe344f5432 --force
---------------------------------------------------------------
Approved certificate request 0x139860c571ad8a59dc5375fe344f5432
---------------------------------------------------------------
  Request ID: 0x139860c571ad8a59dc5375fe344f5432
  Type: renewal
  Request Status: complete
  Operation Result: success
  Certificate ID: 0x4e62aba6ad321857fcc93c20be4ee4c5
  Creation Time: Thu Oct 26 17:28:13 CDT 2023
  Modification Time: Thu Oct 26 17:29:56 CDT 2023
```
The CA admin/agent can authenticate using a client certificate or a username and password. If necessary, the password can be reset by the system administrator.
Next, retrieve the new certificate from the CA:
```
$ pki ca-cert-export 0x4e62aba6ad321857fcc93c20be4ee4c5 --output-file sslserver.crt
```
Delete the current certificate from the server’s NSS database:
```
$ pki-server cert-del sslserver
```
Then import the new certificate into the NSS database:
```
$ pki-server cert-import sslserver --input sslserver.crt
```
Verify the new certificate with the following command:
```
$ pki-server cert-show sslserver
  Cert ID: sslserver
  Nickname: sslserver
  Token: internal
  Serial Number: 0x4e62aba6ad321857fcc93c20be4ee4c5
  Subject DN: CN=pki.example.com,OU=pki-tomcat,O=EXAMPLE
  Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Not Valid Before: Thu Oct 26 17:28:13 2023
  Not Valid After: Wed Oct 15 17:28:13 2025
  Trust Flags: u,u,u
```
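The whole sequence above as one script that checks each step's output before going on to the next (the certificate is only deleted from the NSS database once the CA has actually issued its replacement, and the installed serial is compared against the issued one at the end). This is an added example, not a script from the dogtagpki wiki; the `CERT_ID`, `OUT` and `AUTH` variables and the helper functions are its own assumptions, and `AUTH` stands for the agent authentication options shown as `<authentication>` above.

```shell
#!/bin/sh
# Added example (not from the dogtagpki wiki): drives the renewal steps on
# this page and validates each step's output before moving on. Assumed names:
# CERT_ID, OUT, AUTH (CA agent credentials, e.g. "-n caadmin") and the
# helper functions below.
CERT_ID=${CERT_ID:-sslserver}
OUT=${OUT:-sslserver.crt}
AUTH=${AUTH:-}

# Extract the value of one "Label: value" line from pki/pki-server output.
field() {
    sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" | head -n 1
}

# Serial numbers and request/certificate IDs are hex; refuse anything else
# so a parse failure is never passed on as an argument to the CA.
is_hex() {
    case "$1" in 0x[0-9a-fA-F]*) return 0 ;; *) return 1 ;; esac
}

# Print the Certificate ID from an approval response, but only when the
# request really reached "complete" (a pending or rejected request has none).
approved_cert_id() {
    [ "$(printf '%s\n' "$1" | field "Request Status")" = complete ] || return 1
    cert=$(printf '%s\n' "$1" | field "Certificate ID")
    is_hex "$cert" || return 1
    printf '%s\n' "$cert"
}

renew_sslserver() {
    old=$(pki-server cert-show "$CERT_ID" | field "Serial Number")
    is_hex "$old" || { echo "cannot read current serial of $CERT_ID" >&2; return 1; }
    req=$(pki ca-cert-request-submit --profile caManualRenewal \
              --serial "$old" --renewal | field "Request ID")
    is_hex "$req" || { echo "renewal request was not accepted" >&2; return 1; }
    new=$(approved_cert_id "$(pki $AUTH ca-cert-request-approve "$req" --force)") \
        || { echo "request $req was not approved" >&2; return 1; }
    pki ca-cert-export "$new" --output-file "$OUT"
    pki-server cert-del "$CERT_ID"
    pki-server cert-import "$CERT_ID" --input "$OUT"
    # Confirm the NSS database now holds exactly the certificate the CA issued.
    got=$(pki-server cert-show "$CERT_ID" | field "Serial Number")
    [ "$got" = "$new" ] || { echo "installed $got, expected $new" >&2; return 1; }
    echo "renewed $CERT_ID: $old -> $new"
}

# Only run the renewal when invoked as "sh renew.sh run".
case "${1:-}" in run) renew_sslserver ;; esac
```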