15.3.9. Step 9: Renewing the Certificate System Server Certificates

Renew the SSL server certificate for the 7.3 OCSP by doing the following:

NOTE

For more information on renewing subsystem server certificates, see Section 12.3, “Renewing a DRM, OCSP, or TKS SSL Server Certificate”.

  1. Start the OCSP Console.

    pkiconsole https://server.example.com:11443/ocsp
    

  2. In the Certificate System Console, select the Configuration tab.

  3. Select the System Keys and Certificates option from the menu on the left.

  4. Select the Local Certificates tab on the right.

  5. Press the Add/Renew button to launch the Certificate Setup Wizard.

  6. Go through the panels in the wizard, and fill in the information as directed.

    1. In the Type of Operation panel, select the Request a certificate option (the default).

    2. In the Certificate Selection panel, select SSL Server Certificate from the pull-down menu. An SSL server certificate request is generated which can be submitted to a CA for approval.

    3. In the Key-Pair Information for the SSL Server Certificate panel, select Create new key pair since the renewed SSL server certificate requires changing the CN component of its DN. Fill in information in the other fields on this panel as desired.

    4. The next panel is Subject Name for the SSL Certificate. For the CN component, enter server.example.com. Fill in information in the other fields on this panel as desired; it is strongly recommended that the O and C components be filled in.

    5. Click through the remaining panels in the Certificate Setup Wizard, and either fill in selected information or accept the defaults.

  7. Obtain the SSL server certificate request, and save it in a base-64 file.

  8. Submit the SSL server certificate request to a CA for approval.

  9. After the SSL server certificate is approved, relaunch the Certificate Setup Wizard by pressing the Add/Renew button.

  10. Go through the certificate wizard panels again, and supply the new certificate information as directed.

    1. In the Type of Operation panel, select the Install a certificate option.

    2. In the Certificate Selection panel, select SSL Server Certificate from the pull-down menu.

    3. Enter the required information in the Location of Certificate panel.

    4. Click through the remaining panels in the Certificate Setup Wizard to install the renewed SSL server certificate in the OCSP instance.

  11. Close the Console windows.

  12. Restart the new Certificate System subsystem instance.

    /etc/init.d/rhpki-ocsp start
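
A command-line check for steps 7, 8 and 12, added here as an example and not part of the original guide: it confirms that the saved request verifies and carries the CN entered in the wizard before it is submitted, and prints the subject and expiry date the SSL port presents after the restart. It assumes the `openssl` CLI is installed; the function names and the sample request are constructed for illustration.

```shell
#!/bin/sh
# Added example: checks around steps 7-8 (request) and step 12 (served certificate).
# Function names are hypothetical; only the openssl CLI is assumed.

# Print the CN of a base-64 PKCS#10 request. Splitting on commas is adequate
# for a host-name CN, not for values that contain escaped commas.
csr_cn() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null |
        sed -n 's/^subject= *//p' | tr ',' '\n' | sed -n 's/^ *CN=//p' | head -n 1
}

# check_csr FILE HOST: 0 = request verifies and CN matches,
# 1 = CN mismatch, 2 = unreadable file or bad self-signature.
check_csr() {
    if ! openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'; then
        echo "request does not verify: $1" >&2
        return 2
    fi
    cn=$(csr_cn "$1")
    if [ "$cn" != "$2" ]; then
        echo "CN is '$cn', expected '$2'" >&2
        return 1
    fi
    return 0
}

# served_cert HOST PORT: after the restart, print the subject and expiry date
# of the certificate the subsystem's SSL port presents.
served_cert() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -subject -enddate
}

# Constructed sample: a throwaway key and request standing in for the file
# saved in step 7.
tmp=$(mktemp -d)
openssl req -new -newkey rsa:2048 -nodes -keyout "$tmp/key.pem" \
    -out "$tmp/ocsp.req" -subj "/C=US/O=Example/CN=server.example.com" 2>/dev/null
check_csr "$tmp/ocsp.req" server.example.com && echo "request OK to submit"
rm -rf "$tmp"
```

After step 12, `served_cert server.example.com 11443` (the host and port used for the Console in step 1) should show the new CN and the renewed certificate's expiry date.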