15.1.9. Step 9: Generating New Certificate System Server Certificates

Renew the CA SSL server certificate by doing the following:

NOTE

For more detailed information on renewing the CA SSL server certificate, see Section 12.1, “Renewing a CA SSL Server Certificate by Signing It with the CA Signing Certificate”.

Start the CA Console.

pkiconsole https://server.example.com:9443/ca

Select the 7.3 CA instance with the migrated data, and open the Console for that instance.
In the Console, select the Configuration tab.
Select the System Keys and Certificates option from the menu on the left.
Select the Local Certificates tab on the right.
Press the Add/Renew button to launch the Certificate Setup Wizard.
Go through the certificate wizard panels and fill in the information as directed.
1. In the Type of Operation panel, select the Request a certificate option (the default).
2. In the Certificate Selection panel, select SSL Server Certificate from the pull-down menu, and use the default option, Sign this SSL Certificate with my CA Signing Certificate. The SSL server certificate is automatically generated.
3. In the Key-Pair Information for the SSL Server Certificate panel, select Create new key pair since the renewed SSL server certificate requires changing the CN component of its DN. Fill in information in the other fields on this panel or use the defaults.
4. Select the desired hashing algorithm or use the default, SHA-1, in the Message Digest Algorithm panel.
5. The next panel is Subject Name for the SSL Certificate. For the CN component, enter server.example.com. Fill in information in the other fields on this panel; it is strongly recommended that the O and C components also be filled in.
6. Click through the remaining panels in the Certificate Setup Wizard; fill in settings as desired or accept the defaults.
7. The CA's SSL server certificate is automatically renewed with the updated data.
Close the Console windows.
Restart the CA instance.
```
/etc/init.d/rhpki-ca restart
```