12.3. Renewing a DRM, OCSP, or TKS SSL Server Certificate
Open the subsystem instance's administrative console. For example, for the DRM subsystem:
pkiconsole https://server.example.com:10043/kra
Select the newly-imported Certificate System instance, and log in to the Console for the instance.
Select the System Keys and Certificates option from the menu on the left.
Click the Add/Renew button to launch the Certificate Setup Wizard.
In the Type of Operation panel, select the Request a certificate option (the default).
In the Certificate Selection panel, select SSL Server Certificate from the pull-down menu. An SSL server certificate request is generated, which can be submitted to a CA for approval.
In the Key-Pair Information for the SSL Server Certificate panel, select Create new key pair, since the renewed SSL server certificate requires a change to the CN component of its DN. Fill in information in the other fields.
The next panel is Subject Name for the SSL Certificate. For the CN component, enter the fully qualified domain name of the Certificate System subsystem machine, such as omega.example.com. Fill in information in the other fields on this panel; it is strongly recommended that the O and C components also be filled in.
Click through the remaining panels in the Certificate Setup Wizard.
Obtain the SSL server certificate request, and store it in a base-64 file.
Submit the SSL server certificate request to a CA, and wait for approval of the request.
After the SSL server certificate is approved, click the Add/Renew button to relaunch the Certificate Setup Wizard.
In the Type of Operation panel, select the Install a certificate option.
In the Certificate Selection panel, select SSL Server Certificate from the pull-down menu.
In the Location of Certificate panel, set the location information if required.
Click through the remaining panels in the Certificate Setup Wizard to install the renewed SSL server certificate for the migrated Certificate System subsystem instance.
Restart the Certificate System subsystem instance.
/etc/init.d/rhpki-kra restart
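Before the request is submitted to the CA, the saved base-64 file can be checked against the requirements in the steps above: CN equal to the subsystem's fully qualified domain name, O and C present, and a key pair that differs from the current certificate's. The script below is an added example, not part of the product documentation; it assumes the openssl command is installed, and the function names and file paths are hypothetical.

```shell
#!/bin/sh
# Added example (not from the product documentation). Assumes openssl is on PATH.
# Usage: check_csr <request-file> <expected-fqdn> [<current-server-cert.pem>]

# Print one subject attribute of the request (OpenSSL long name, e.g. commonName).
csr_field() {
    openssl req -in "$1" -noout -subject -nameopt multiline 2>/dev/null |
        sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" | head -n 1
}

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# Returns 0 if the request is fit to submit, 1 on a hard failure, 2 if unreadable.
check_csr() {
    csr=$1; fqdn=$2; oldcert=${3:-}; rc=0
    if ! openssl req -in "$csr" -noout 2>/dev/null; then
        echo "FAIL: $csr is not a readable PKCS #10 request"; return 2
    fi
    # The CN must be the subsystem host's fully qualified domain name.
    cn=$(csr_field "$csr" commonName)
    if [ "$(lower "$cn")" != "$(lower "$fqdn")" ]; then
        echo "FAIL: CN is '$cn', expected '$fqdn'"; rc=1
    fi
    # O and C are strongly recommended, so their absence is only a warning.
    for attr in organizationName countryName; do
        [ -n "$(csr_field "$csr" "$attr")" ] || echo "WARN: subject has no $attr"
    done
    # "Create new key pair": the request must not carry the current certificate's key.
    if [ -n "$oldcert" ]; then
        new=$(openssl req -in "$csr" -noout -pubkey 2>/dev/null)
        old=$(openssl x509 -in "$oldcert" -noout -pubkey 2>/dev/null)
        if [ -z "$old" ] || [ "$new" = "$old" ]; then
            echo "FAIL: key pair not new (or $oldcert unreadable)"; rc=1
        fi
    fi
    [ "$rc" -eq 0 ] && echo "OK: request for '$cn' can be submitted"
    return "$rc"
}

# Constructed sample input: a throwaway key and request written to directory $1.
make_sample_csr() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1/sample.key" \
        -subj "/C=US/O=Example Corp/CN=omega.example.com" -out "$1/sample.csr" 2>/dev/null
}
```

The third argument to check_csr is optional; when the current SSL server certificate is supplied as a PEM file, the request's public key is compared with it.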