Renewing System Certificates - dogtagpki/pki GitHub Wiki
This page describes the procedure to renew the system certificates used by the PKI server.
Depending on the subsystems installed, the PKI server uses several system certificates, for example:
- CA signing certificate
- OCSP signing certificate
- SSL server certificate
- Subsystem certificate
- Audit signing certificate
In order for the server to operate properly, all of these certificates must be valid. The CA signing certificate usually has the longest validity range (the default is 20 years). The other certificates usually have a shorter validity range (e.g. 2 years). To avoid service interruption, any expiring certificate should be renewed while it is still valid.
Note that the default PKI user certificate also has a shorter validity range.
This document describes the renewal procedure using the CLI in PKI 10 or later. In PKI 9 the renewal procedure needs to be done using the legacy servlet interface, but it still follows the same general idea.
For PKI 10.3 or earlier, see PKI 10.3 Updating System Certificates.
To identify the system certificates that are about to expire or have already expired, execute the following command:
$ pki-server cert-find
  Cert ID: ca_signing
  Nickname: ca_signing
  Token: Internal Key Storage Token
  Serial Number: 0x1
  Subject DN: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Not Valid Before: 2016-12-06 12:49:43
  Not Valid After: 2036-12-06 12:49:43

  Cert ID: ca_ocsp_signing
  Nickname: ca_ocsp_signing
  Token: Internal Key Storage Token
  Serial Number: 0x2
  Subject DN: CN=CA OCSP Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Not Valid Before: 2016-12-06 12:49:43
  Not Valid After: 2018-11-26 12:49:43

  Cert ID: sslserver
  Nickname: sslserver
  Token: Internal Key Storage Token
  Serial Number: 0x3
  Subject DN: CN=pki.example.com,OU=pki-tomcat,O=EXAMPLE
  Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Not Valid Before: 2016-12-06 12:49:44
  Not Valid After: 2018-11-26 12:49:44

  Cert ID: subsystem
  Nickname: subsystem
  Token: Internal Key Storage Token
  Serial Number: 0x4
  Subject DN: CN=Subsystem Certificate,OU=pki-tomcat,O=EXAMPLE
  Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Not Valid Before: 2016-12-06 12:49:44
  Not Valid After: 2018-11-26 12:49:44

  Cert ID: ca_audit_signing
  Nickname: ca_audit_signing
  Token: Internal Key Storage Token
  Serial Number: 0x5
  Subject DN: CN=CA Audit Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Not Valid Before: 2016-12-06 12:49:44
  Not Valid After: 2018-11-26 12:49:44
For PKI 10.3 or earlier, see PKI 10.3 Identifying Certificates to Renew.
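As an added example (not part of this wiki page or of the pki project's own code), the following Python parses `pki-server cert-find` output in the format shown above and lists the certificates that have already expired or will expire within a given number of days. The sample output is constructed from two records in that format; in real use, feed the script the actual command output.

```python
from datetime import datetime, timedelta

# Constructed sample in the `pki-server cert-find` format shown above (not captured from a server).
SAMPLE_OUTPUT = """\
  Cert ID: ca_signing
  Nickname: ca_signing
  Token: Internal Key Storage Token
  Serial Number: 0x1
  Subject DN: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Not Valid Before: 2016-12-06 12:49:43
  Not Valid After: 2036-12-06 12:49:43

  Cert ID: sslserver
  Nickname: sslserver
  Token: Internal Key Storage Token
  Serial Number: 0x3
  Subject DN: CN=pki.example.com,OU=pki-tomcat,O=EXAMPLE
  Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Not Valid Before: 2016-12-06 12:49:44
  Not Valid After: 2018-11-26 12:49:44
"""
DATE_FMT = "%Y-%m-%d %H:%M:%S"

def parse_cert_find(text):
    """Split the output into one dict per certificate, keyed by field name."""
    certs, current = [], {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if not sep:
            continue  # blank line or text without a field separator
        key, value = key.strip(), value.strip()
        if key == "Cert ID":  # every record begins with its Cert ID
            current = {}
            certs.append(current)
        current[key] = value
    return certs

def expiring_certs(text, now, days=30):
    """Cert IDs already expired or expiring within `days` of `now`, soonest first."""
    deadline = now + timedelta(days=days)
    hits = []
    for cert in parse_cert_find(text):
        not_after = datetime.strptime(cert["Not Valid After"], DATE_FMT)
        if not_after <= deadline:
            hits.append((not_after, cert["Cert ID"]))
    return [cert_id for _, cert_id in sorted(hits)]

if __name__ == "__main__":
    print(expiring_certs(SAMPLE_OUTPUT, datetime.now()))
```

The output carries no time zone, so the comparison uses naive local time; widen `days` to match how far ahead you schedule renewals.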
In order to renew the system certificates the CA subsystem must be running.
To verify the CA subsystem:
$ pki ca-cert-find
If the CA subsystem is no longer working because its own SSL server certificate has already expired, create a temporary SSL server certificate and disable the selftests with the following command:
$ pki-server selftest-disable
Then restart the server:
$ pki-server restart --wait
Later, follow the regular renewal procedure to issue the actual SSL server certificate.
In order to renew the system certificates the CA admin/agent must be able to authenticate either using a client certificate or a username and password.
To verify the client certificate:
$ pki -n caadmin ca-user-show caadmin
If the client certificate does not work, use the username and password to renew the system certificates and the client certificate as well.
To verify the username and password:
$ pki -u caadmin -w Secret.123 ca-user-show caadmin
If the password does not work, reset the password.
Once all system certificates are renewed, re-enable the selftests:
$ pki-server selftest-enable
Finally, restart the server:
$ pki-server restart --wait