12.1. Renewing a CA SSL Server Certificate by Signing It with the CA Signing Certificate

Open the new Certificate System CA directory. For example:
```
cd /var/lib/rhpki-ca
```

Open the CA Console.

pkiconsole https://server.example.com:9443/ca

In the Console, select the Configuration tab.
Select the System Keys and Certificates option from the menu on the left.
Select the Local Certificates tab on the right.
Press the Add/Renew button to launch the Certificate Setup Wizard.
Follow the wizard prompts, and fill in the appropriate information.
1. In the Type of Operation panel, select the Request a certificate option (the default).
2. In the Certificate Selection panel, select SSL Server Certificate from the pull-down menu.
  
  Choose the Sign this SSL Certificate with my CA Signing Certificate option (the default). The SSL server certificate is automatically generated.
3. In the Key-Pair Information for the SSL Server Certificate panel, select Create new key pair since the renewed SSL server certificate requires changing the CN component of its DN.
  
  Fill in information in the other fields on this panel as necessary.
4. Select the desired hashing algorithm or use the default of SHA-1 in the Message Digest Algorithm panel.
5. The next panel is Subject Name for the SSL Certificate. For the CN component, enter the fully qualified domain name, such as zeta.example.com, of the new Certificate System CA instance machine. Fill in information in the other fields on this panel as necessary (it is strongly recommended that the O and C components be filled in).
6. For the rest of the panels in the wizard, click next, and either fill in the options as desired or accept all of the default settings.
7. The newly-migrated CA instance SSL server certificate is automatically renewed with the new server data.
Close the Console.
Restart the new Certificate System CA instance.
```
/etc/init.d/rhpki-ca restart
```