15.2.9. Step 9: Renewing the Certificate System Server Certificates

15.2.9. Step 9: Renewing the Certificate System Server Certificates

Renew the SSL server certificate for the DRM by doing the following:

NOTE

For more information on renewing subsystem server certificates, see Section 12.3, “Renewing a DRM, OCSP, or TKS SSL Server Certificate”.

  1. Start the DRM Console. 

    pkiconsole https://server.example.com:10443/kra

  2. Select the DRM instance from the list of server, and log into the Console for that instance.

  3. In the Console, select the Configuration tab.

  4. Select the System Keys and Certificates option from the menu on the left.

  5. Select the Local Certificates tab on the right.

  6. Press the Add/Renew button to launch the Certificate Setup Wizard.

  7. Go through the wizard panels, and fill in the required information.

    1. In the Type of Operation panel, select the Request a certificate option (the default).

    2. In the Certificate Selection panel, select SSL Server Certificate from the pull-down menu. An SSL server certificate request is generated which can be submitted to another CA for approval.

    3. In the Key-Pair Information for the SSL Server Certificate panel, select Create new key pair since the renewed SSL server certificate requires changing the CN component of its DN. Fill in information in the other fields on this panel as desired.

    4. The next panel is Subject Name for the SSL Certificate. For the CN component, enter server.example.com. Fill in information in the other fields on this panel as desired; it is strongly recommended that the O and C components be filled in.

    5. Click through the remaining panels in the Certificate Setup Wizard and either fill in the options as desired or accept the defaults.

  8. Obtain the SSL server certificate request, and store it in a base-64 file.

  9. Submit the SSL server certificate request to a CA for approval.

  10. When the SSL server certificate is approved, relaunch the Certificate Setup Wizard by pressing the Add/Renew button.

  11. Go through the wizard again and supply the certificate information.

    1. In the Type of Operation panel, select the Install a certificate option.

    2. In the Certificate Selection panel, select SSL Server Certificate from the pull-down menu.

    3. Enter in the location information if required in the Location of Certificate panel.

    4. Click through the remaining panels in the Certificate Setup Wizard to install the renewed SSL server certificate for the migrated DRM instance.

  12. Close the Console windows.

  13. Restart the 7.3 DRM instance. 

    /etc/init.d/rhpki-kra restart