Renewing System User Certificate - dogtagpki/pki GitHub Wiki
This document describes the process to renew a client certificate for a PKI system user.
To renew a system user certificate using the certificate itself for authentication, the certificate must still be valid and stored in the client NSS database:
```
$ pki -c Secret.123 client-cert-find
----------------------
1 certificate(s) found
----------------------
  Serial Number: 0x7
  Nickname: testuser
  Subject DN: UID=testuser
  Issuer DN: CN=CA Signing Certificate,O=EXAMPLE
----------------------------
Number of entries returned 1
----------------------------
```
As the system user, submit the renewal request over an SSL connection, using the client certificate for authentication:
```
$ pki -U https://<hostname>:<secure port> \
    -c <client NSS database password> \
    -n <client certificate nickname> \
    client-cert-request \
    --profile <renewal profile> \
    <subject DN>
```
For example:
```
$ pki -U https://pki.example.com:8443 \
    -c Secret.123 \
    -n testuser \
    client-cert-request \
    --profile caManualRenewal \
    uid=testuser
```
See Certificate Profiles.
If the system user certificate has already expired, use the general Certificate Renewal procedure.
If the certificate renewal requires agent approval, it can be done with the following command:
```
$ pki -n caadmin -c Secret.123 ca-cert-request-review 28 --action approve
-------------------------------
Approved certificate request 28
-------------------------------
  Request ID: 28
  Type: enrollment
  Request Status: complete
  Operation Result: success
  Certificate ID: 0x1c
```
As the PKI admin, assign the new certificate to the system user.
Assign the new certificate to the system user with this command:
```
$ pki -n caadmin -c Secret.123 ca-user-cert-add testuser --serial 0x1c
```
Then delete the old certificate from the system user. In PKI 10.4 it can be done with the following command:

```
$ pki -n caadmin -c Secret.123 ca-user-cert-del testuser --serial 0x7
```

In other versions, determine the ID of the certificate to be deleted with this command:

```
$ pki -n caadmin -c Secret.123 ca-user-cert-find testuser
```

Then delete the certificate with this command:

```
$ pki -n caadmin -c Secret.123 ca-user-cert-del \
    testuser "2;7;CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE;UID=testuser"
```
As the system user, replace the certificate in the client NSS database (see Retrieving Certificate).
In PKI 10.4 it can be done with the following command:
```
$ pki -c Secret.123 client-cert-import testuser --serial 0x1c --overwrite
```
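As an added example (not code from the dogtagpki/pki wiki), the following POSIX shell script pulls the old serial out of captured `client-cert-find` output and the new serial out of captured `ca-cert-request-review` output, then prints the admin and user commands of the procedure above with those serials filled in, so that the `0x7`/`0x1c` values are never retyped by hand. The captured outputs are constructed to match the page; the decimal serial in the long-form user certificate ID built by `user_cert_id` is an assumption, not something the page states.

```shell
#!/bin/sh
# Constructed sample of "pki client-cert-find" output (matches the wiki example).
OLD_CERT_LIST='1 certificate(s) found
  Serial Number: 0x7
  Nickname: testuser
  Subject DN: UID=testuser
  Issuer DN: CN=CA Signing Certificate,O=EXAMPLE
Number of entries returned 1'

# Constructed sample of "pki ca-cert-request-review ... --action approve" output.
APPROVAL_OUT='Approved certificate request 28
  Request ID: 28
  Type: enrollment
  Request Status: complete
  Operation Result: success
  Certificate ID: 0x1c'

# Serial of the certificate currently in the client NSS database.
old_serial() {
    printf '%s\n' "$OLD_CERT_LIST" | sed -n 's/^ *Serial Number: *//p' | head -n 1
}

# Serial of the newly issued certificate, as reported by the approval step.
new_serial() {
    printf '%s\n' "$APPROVAL_OUT" | sed -n 's/^ *Certificate ID: *//p' | head -n 1
}

# Long-form user certificate ID for ca-user-cert-del on releases without --serial:
# "<version>;<serial>;<issuer DN>;<subject DN>". Assumption: the serial is decimal,
# so the hex 0x7 from the CLI becomes 7 (shell arithmetic does the conversion).
user_cert_id() {
    # $1 = hex serial (0x..), $2 = issuer DN, $3 = subject DN
    dec=$(($1))
    printf '2;%s;%s;%s\n' "$dec" "$2" "$3"
}

# Admin and user commands (PKI 10.4 --serial form) with serials taken from the
# captured output rather than typed by hand. Refuses to run if nothing changed.
renewal_commands() {
    old=$(old_serial); new=$(new_serial)
    [ "$old" != "$new" ] || { echo "old and new serial are identical" >&2; return 1; }
    printf 'pki -n caadmin -c Secret.123 ca-user-cert-add testuser --serial %s\n' "$new"
    printf 'pki -n caadmin -c Secret.123 ca-user-cert-del testuser --serial %s\n' "$old"
    printf 'pki -c Secret.123 client-cert-import testuser --serial %s --overwrite\n' "$new"
}
```

Run `renewal_commands` to review the generated commands before executing them; `user_cert_id 0x7 'CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE' UID=testuser` yields the ID string used in the older deletion form.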