Renewing System Certificates - dogtagpki/pki GitHub Wiki

Overview

This page describes the procedure to renew system certificates used by PKI server.

Depending on the subsystems installed, PKI server uses several system certificates, for example:

  • CA signing certificate

  • OCSP signing certificate

  • SSL server certificate

  • Subsystem certificate

  • Audit signing certificate

In order for the server to operate properly, all of these certificates must be valid. The CA signing certificate usually has the longest validity period (the default is 20 years). The other certificates usually have a shorter validity period (e.g. 2 years). To avoid service interruption, any expiring certificate should be renewed while it is still valid.

Note that the default PKI user certificate also has a shorter validity period.

This document describes the renewal procedure using the CLI in PKI 10 or later. In PKI 9 the renewal procedure needs to be done using the legacy servlet interface, but it still follows the same general idea.

For PKI 10.3 or earlier, see PKI 10.3 Updating System Certificates.

Checking Current Certificates

To identify the system certificates that are about to expire or have already expired, execute the following command:

$ pki-server cert-find
  Cert ID: ca_signing
  Nickname: ca_signing
  Token: Internal Key Storage Token
  Serial Number: 0x1
  Subject DN: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Not Valid Before: 2016-12-06 12:49:43
  Not Valid After: 2036-12-06 12:49:43

  Cert ID: ca_ocsp_signing
  Nickname: ca_ocsp_signing
  Token: Internal Key Storage Token
  Serial Number: 0x2
  Subject DN: CN=CA OCSP Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Not Valid Before: 2016-12-06 12:49:43
  Not Valid After: 2018-11-26 12:49:43

  Cert ID: sslserver
  Nickname: sslserver
  Token: Internal Key Storage Token
  Serial Number: 0x3
  Subject DN: CN=pki.example.com,OU=pki-tomcat,O=EXAMPLE
  Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Not Valid Before: 2016-12-06 12:49:44
  Not Valid After: 2018-11-26 12:49:44

  Cert ID: subsystem
  Nickname: subsystem
  Token: Internal Key Storage Token
  Serial Number: 0x4
  Subject DN: CN=Subsystem Certificate,OU=pki-tomcat,O=EXAMPLE
  Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Not Valid Before: 2016-12-06 12:49:44
  Not Valid After: 2018-11-26 12:49:44

  Cert ID: ca_audit_signing
  Nickname: ca_audit_signing
  Token: Internal Key Storage Token
  Serial Number: 0x5
  Subject DN: CN=CA Audit Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Not Valid Before: 2016-12-06 12:49:44
  Not Valid After: 2018-11-26 12:49:44

For PKI 10.3 or earlier, see PKI 10.3 Identifying Certificates to Renew.
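The output above is what an operator reads to decide which certificates need renewal. As an added example (not code from the PKI project), the following script parses that `pki-server cert-find` record format and flags certificates that have expired or expire within a warning window; the sample output is constructed from the records shown above, and the reference date `now` is a constructed value.

```python
# Added example (not PKI project code): parse `pki-server cert-find` output
# and flag certificates that expire within a warning window. The sample
# output is constructed from the records shown above; `now` is constructed.
from datetime import datetime, timedelta

SAMPLE_OUTPUT = """\
  Cert ID: ca_signing
  Serial Number: 0x1
  Subject DN: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Not Valid Before: 2016-12-06 12:49:43
  Not Valid After: 2036-12-06 12:49:43

  Cert ID: sslserver
  Serial Number: 0x3
  Subject DN: CN=pki.example.com,OU=pki-tomcat,O=EXAMPLE
  Not Valid Before: 2016-12-06 12:49:44
  Not Valid After: 2018-11-26 12:49:44
"""
DATE_FORMAT = "%Y-%m-%d %H:%M:%S"


def parse_cert_find(text):
    """Split cert-find output into one dict per certificate (blank line
    separated), keyed by field label; time colons stay inside the value."""
    records, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if current:
                records.append(current)
            current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def expiring_certs(text, now, warn_days=30):
    """Return [(cert_id, days_left)] for certs expiring within warn_days;
    days_left is negative for certificates that have already expired."""
    cutoff = now + timedelta(days=warn_days)
    flagged = []
    for rec in parse_cert_find(text):
        not_after = datetime.strptime(rec["Not Valid After"], DATE_FORMAT)
        if not_after <= cutoff:
            flagged.append((rec["Cert ID"], (not_after - now).days))
    return flagged
```

On a live server, feed it the real output (for example `expiring_certs(subprocess.check_output(["pki-server", "cert-find"], text=True), datetime.now())`) and renew anything it flags before the `Not Valid After` date passes.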

Checking CA Subsystem Status

In order to renew the system certificates the CA subsystem must be running.

To verify the CA subsystem:

$ pki ca-cert-find

If the CA subsystem is no longer working because its own SSL server certificate has already expired, create a temporary SSL server certificate, then disable the selftests with the following command:

$ pki-server selftest-disable

Then restart the server:

$ pki-server restart --wait

Later, follow the regular renewal procedure to issue the actual SSL server certificate.

Checking CA Agent Access

In order to renew the system certificates the CA admin/agent must be able to authenticate either using a client certificate or a username and password.

To verify the client certificate:

$ pki -n caadmin ca-user-show caadmin

If the client certificate does not work, use the username and password to renew the system certificates and the client certificate as well.

To verify the username and password:

$ pki -u caadmin -w Secret.123 ca-user-show caadmin

If the password does not work, reset the password.

Renewing System Certificates

Restarting the Server

Once all system certificates are renewed, reenable the selftests:

$ pki-server selftest-enable

Finally, restart the server:

$ pki-server restart --wait

See Also
