Renewing Admin Certificate
Endi S. Dewata edited this page May 20, 2021
> **Warning:** This document is still under construction.
This document describes several procedures to renew PKI admin certificate.
> **Note:** This procedure may require a Firefox version earlier than 69, since later versions no longer support the `<keygen>` element.
To renew the admin certificate using CMSGateway, set the following parameter in /etc/pki/pki-tomcat/ca/CS.cfg:

```
cmsgateway.enableAdminEnroll=true
```

Restart the server, then follow the procedure at https://localhost.localdomain:8443/ca/admin/ca/adminEnroll.html.
> **Note:** This procedure may require setting the system clock back to a time when the admin certificate was still valid.
To renew the admin certificate together with the system certificates, execute the following command, providing the admin certificate serial number:

```
$ pki-server cert-fix \
    --ldap-url ldap://localhost.localdomain \
    --agent-uid caadmin \
    --extra-cert <serial number>
```
If the DS connection was configured to use client certificate authentication, but that certificate has already expired, and the DS server is running locally, the command can be executed over LDAPI instead:

```
$ pki-server cert-fix \
    --ldapi-socket /var/run/slapd-localhost.socket \
    --agent-uid caadmin \
    --extra-cert <serial number>
```
Then assign the new certificate to the admin user with the following command:

```
$ pki \
    -U https://localhost.localdomain:8443 \
    -d ~/.dogtag/nssdb \
    -c Secret.123 \
    -n caadmin \
    ca-user-cert-add \
    --input /etc/pki/pki-tomcat/certs/<serial number>-renewed.crt \
    caadmin
```
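The choice between the LDAP and LDAPI variants of `pki-server cert-fix` above, written out as an added shell example (not part of the Dogtag wiki or the pki-server tool). It assumes the DS client certificate is available as a PEM file for the expiry check and that the DS authentication type can be read from an `internaldb.ldapauth.authtype` key in CS.cfg (an assumption about the CS.cfg layout; `SslClientAuth` denotes client certificate authentication). The command line is printed rather than executed so it can be reviewed first.

```shell
#!/bin/sh
# Added example, not part of the Dogtag wiki. Builds the connection arguments
# for `pki-server cert-fix` following the rule on this page: use LDAPI only
# when DS uses client certificate authentication, that certificate has
# expired, and DS runs locally; otherwise use the LDAP URL.

# Return 0 if the PEM certificate in $1 has already expired. `openssl x509
# -checkend 0` exits non-zero when the certificate is not valid right now.
cert_is_expired() {
    if openssl x509 -noout -checkend 0 -in "$1" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Read the DS authentication type from the CS.cfg file given as $1.
# The key name is an assumption; adjust it if your deployment differs.
ds_auth_type() {
    sed -n 's/^internaldb\.ldapauth\.authtype=//p' "$1"
}

# Print the connection arguments for cert-fix.
#   $1: DS auth type (e.g. SslClientAuth or BasicAuth)
#   $2: "expired" if the DS client certificate has expired, else "valid"
#   $3: "local" if DS runs on this host, else "remote"
ldap_connection_args() {
    if [ "$1" = "SslClientAuth" ] && [ "$2" = "expired" ] && [ "$3" = "local" ]; then
        printf '%s' "--ldapi-socket /var/run/slapd-localhost.socket"
    else
        printf '%s' "--ldap-url ldap://localhost.localdomain"
    fi
}

# Assemble the full cert-fix command line; $4 is the admin cert serial number.
cert_fix_command() {
    printf 'pki-server cert-fix %s --agent-uid caadmin --extra-cert %s' \
        "$(ldap_connection_args "$1" "$2" "$3")" "$4"
}
```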