Chapter 12. Step 9: Renewing Certificate System Server Certificates

Chapter 12. Step 9: Renewing Certificate System Server Certificates

12.1. Renewing a CA SSL Server Certificate by Signing It with the CA Signing Certificate
12.2. Renewing a CA SSL Server Certificate by Issuing an SSL Server Certificate Request
12.3. Renewing a DRM, OCSP, or TKS SSL Server Certificate

If the new Certificate System server is on a different machine than the old Certificate System, the SSL server certificate associated with each newly-migrated Certificate System server instance must be renewed.

There are three procedures to generate new server certificates, depending on the subsystem: generating self-signed CA server certificates; generating CA certificate requests which is signed by another CA; and generating DRM, OCSP, or TKS server certificates.

12.1. Renewing a CA SSL Server Certificate by Signing It with the CA Signing Certificate

  1. Open the new Certificate System CA directory. For example:

    cd /var/lib/rhpki-ca

  2. Open the CA Console.

    pkiconsole https://server.example.com:9443/ca

  3. In the Console, select the Configuration tab.

  4. Select the System Keys and Certificates option from the menu on the left.

  5. Select the Local Certificates tab on the right.

  6. Press the Add/Renew button to launch the Certificate Setup Wizard.

  7. Follow the wizard prompts, and fill in the appropriate information.

    1. In the Type of Operation panel, select the Request a certificate option (the default).

    2. In the Certificate Selection panel, select SSL Server Certificate from the pull-down menu.

      Choose the Sign this SSL Certificate with my CA Signing Certificate option (the default). The SSL server certificate is automatically generated.

    3. In the Key-Pair Information for the SSL Server Certificate panel, select Create new key pair since the renewed SSL server certificate requires changing the CN component of its DN.

      Fill in information in the other fields on this panel as necessary.

    4. Select the desired hashing algorithm or use the default of SHA-1 in the Message Digest Algorithm panel.

    5. The next panel is Subject Name for the SSL Certificate. For the CN component, enter the fully qualified domain name, such as zeta.example.com, of the new Certificate System CA instance machine. Fill in information in the other fields on this panel as necessary (it is strongly recommended that the O and C components be filled in).

    6. For the rest of the panels in the wizard, click next, and either fill in the options as desired or accept all of the default settings.

    7. The newly-migrated CA instance SSL server certificate is automatically renewed with the new server data.

  8. Close the Console.

  9. Restart the new Certificate System CA instance.

    /etc/init.d/rhpki-ca restart