12.2. Renewing a CA SSL Server Certificate by Issuing an SSL Server Certificate Request

NOTE

Only renew a certificate this way if the SSL server certificate request will not be signed with the existing CA's signing certificate. For this type of renewal, the request is submitted to another CA for signing.

  1. Start the CA Console.

    pkiconsole https://server.example.com:9443/ca
    
  2. Select the newly-imported Certificate System instance, and open the Console for that instance.

  3. In the Certificate System Console, select the Configuration tab.

  4. In the left menu, select the Keys and Certificates option.

  5. Select the Local Certificates tab on the right.

  6. Press the Add/Renew button to launch the Certificate Setup Wizard.

  7. Go through the screens in the wizard to renew the certificate.

    1. In the Type of Operation panel, select the Request a Certificate option (the default).

    2. In the Certificate Selection panel, select SSL Server Certificate from the pull-down menu, and choose the Create a request for submission to another CA option. An SSL server certificate request is generated to submit to a CA for approval.

    3. In the Key-Pair Information for the SSL Server Certificate panel, select Create new key pair since the renewed SSL server certificate requires a change to the CN component of the DN. Fill in information in the other fields on this panel.

    4. The next panel is Subject Name for the SSL Certificate. For the CN component, enter the fully qualified domain name of the new Certificate System CA instance machine, such as omega.example.com. Fill in information in the other fields on this panel; it is strongly recommended that the O and C components also be filled in.

    5. Go through the remaining panels in the Certificate Setup Wizard, and fill in the different fields or use the defaults.

  8. Obtain the SSL server certificate request and store it in a base-64 file.

  9. Submit the SSL server certificate request to a CA and wait for approval of the request.

  10. Once the SSL server certificate has been approved, press the Add/Renew button to relaunch the Certificate Setup Wizard.

    1. In the Type of Operation panel, select the Install a certificate option.

    2. In the Certificate Selection panel, select SSL Server Certificate from the pull-down menu.

    3. Enter any necessary information in the Location of Certificate panel.

    4. Go through the remaining panels in the Certificate Setup Wizard to install the updated SSL server certificate.

  11. Close the Console.

  12. Restart the Certificate System CA instance.

    /etc/init.d/rhpki-ca restart
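
A check worth running between steps 8 and 9, before the request is submitted: confirm that the saved request verifies against its own key and that its CN is the fully qualified domain name entered in the wizard. This is an added example, not part of the original procedure or of the Certificate System tooling; it assumes the `openssl` command is installed and that the request file is PEM (base-64 with header lines), and the function names `csr_subject` and `check_csr` are illustrative.

```sh
#!/bin/sh
# Added example: pre-submission check of the request saved in step 8.
# Assumptions: openssl CLI is installed; the request file is PEM encoded.

# csr_subject FILE: print the subject, one RDN per line (RFC 2253 form).
csr_subject() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null |
        sed -e 's/^subject= *//' | tr ',' '\n'
}

# check_csr FILE EXPECTED_FQDN
# Returns 0 when the self-signature verifies and CN equals EXPECTED_FQDN,
# 1 otherwise. A missing O or C component only produces a warning.
check_csr() {
    csr=$1
    want=$2

    # Proof of possession: the request must be signed by its own key.
    # The text is matched because older openssl builds exit 0 on failure.
    if ! openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK'; then
        echo "FAIL: request signature does not verify" >&2
        return 1
    fi

    subject=$(csr_subject "$csr")
    cn=$(printf '%s\n' "$subject" | sed -n 's/^CN=//p' | head -n 1)
    if [ "$cn" != "$want" ]; then
        echo "FAIL: CN is '$cn', expected '$want'" >&2
        return 1
    fi

    # The procedure strongly recommends filling in O and C as well.
    for attr in O C; do
        printf '%s\n' "$subject" | grep -q "^$attr=" ||
            echo "WARN: subject has no $attr component" >&2
    done
    echo "OK: $want"
}

# Stand-alone use: sh check_csr.sh REQUEST_FILE EXPECTED_FQDN
if [ "$#" -eq 2 ]; then
    check_csr "$1" "$2"
fi
```

The same comparison can be repeated on the issued certificate before installing it in step 10, using `openssl x509` in place of `openssl req`.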