Red Hat SummitEste contenido no está disponible en el idioma seleccionado.
16.3. Renewing Subsystem Certificates
There are two methods of renewing a certificate. Regenerating the certificate takes its original key and its original profile and request, and recreates an identical key with a new validity period and expiration date. Re-keying a certificate resubmits the initial certificate request to the original profile, but generates a new key pair. Administrator certificates can be renewed by being re-keyed.
16.3.1. Re-keying Certificates in the End-Entities Forms
Copiar enlaceEnlace copiado en el portapapeles!
Subsystem certificates can be renewed directly in the end user enrollment forms, using the serial number of the original certificate.
- Renew the certificates in the CA's end-entities forms, as described in Section 5.5, “Renewing Certificates”. This requires the serial number of the subsystem certificate being renewed.
- Import the certificate into the subsystem's database, as described in Section 16.6.1, “Installing Certificates in the Certificate System Database”. The certificate can be imported using
certutilor the console. For example:certutil -A -n "ServerCert cert-example" -t u,u,u -d /var/lib/pki/instance_name/alias -a -i /tmp/example.cert
certutil -A -n "ServerCert cert-example" -t u,u,u -d /var/lib/pki/instance_name/alias -a -i /tmp/example.certCopy to Clipboard Copied! Toggle word wrap Toggle overflow
16.3.2. Renewing Certificates in the Console
Copiar enlaceEnlace copiado en el portapapeles!
The Java subsystems can renew any of their subsystem certificates through their administrative console. The process is exactly the same as requesting new subsystem certificates (Section 16.2, “Requesting Certificates through the Console”), with one crucial difference: renewal uses an existing key pair rather than generating a new one.
Figure 16.1. Renewing Subsystem Certificate
After renewing a certificate, then delete the original certificate from the database (Section 16.6.3, “Deleting Certificates from the Database”).
16.3.3. Renewing Certificates Using certutil
Copiar enlaceEnlace copiado en el portapapeles!
certutil can be used to generate a certificate request using an existing key pair in the certificate database. The new certificate request can then be submitted through the regular profile pages for the CA to issue a renewed certificate.
Note
Encryption and signing certificates are created in a single step. However, the renewal process only renews one certificate at a time.
To renew both certificates in a certificate pair, each one has to be renewed individually.
- Get the password for the token database.
cat /var/lib/pki/instance_name/conf/password.conf internal=263163888660
cat /var/lib/pki/instance_name/conf/password.conf internal=263163888660Copy to Clipboard Copied! Toggle word wrap Toggle overflow - Open the certificate database directory of the instance whose certificate is being renewed.
cd /var/lib/pki/instance_name/alias
cd /var/lib/pki/instance_name/aliasCopy to Clipboard Copied! Toggle word wrap Toggle overflow - List the key and nickname for the certificate being renewed. In order to renew a certificate, the key pairs used to generate and the subject name given to the new certificate must be the same as the one in the old certificate.
certutil -K -d .
# certutil -K -d . certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services" Enter Password or Pin for "NSS Certificate DB": < 0> rsa 69481646e38a6154dc105960aa24ccf61309d37d caSigningCert cert-pki-tomcat CACopy to Clipboard Copied! Toggle word wrap Toggle overflow - Copy the
aliasdirectory as a backup, then delete the original certificate from the certificate database. For example:certutil -D -n "ServerCert cert-example" -d .
certutil -D -n "ServerCert cert-example" -d .Copy to Clipboard Copied! Toggle word wrap Toggle overflow - Run the
certutilcommand with the options set to the values in the existing certificate.certutil -d . -R -n "NSS Certificate DB:cert-pki-tomcat CA" -s "cn=CA Authority,o=Example Domain" -a -o example.req2.txt
certutil -d . -R -n "NSS Certificate DB:cert-pki-tomcat CA" -s "cn=CA Authority,o=Example Domain" -a -o example.req2.txtCopy to Clipboard Copied! Toggle word wrap Toggle overflow The difference between generating a new certificate and key pair and renewing the certificate is the value of the-noption. To generate an entirely new request and key pair, then-ksets the key type and is used with-g, which sets the bit length. For a renewal request, the-noption uses the certificate nickname to access the existing key pair stored in the security database.For further details about the parameters, see the certutil(1) man page. - Submit the certificate request and then retrieve it and install it, as described in Section 5.4, “Requesting and Receiving Certificates”.
16.3.4. Renewing System Certificates
Copiar enlaceEnlace copiado en el portapapeles!
Certificate System does not automatically renew system certificates online while the PKI server is running. However, if a system certificate expires, Certificate System will fail to start.
To renew system certificates:
- If the system certificate is expired:
- Create a temporary certificate:
pki-server cert-create sslserver --temp
# pki-server cert-create sslserver --tempCopy to Clipboard Copied! Toggle word wrap Toggle overflow - Import the temporary certificate into Certificate System's Network Security Services (NSS) database:
pki-server cert-import sslserver
# pki-server cert-import sslserverCopy to Clipboard Copied! Toggle word wrap Toggle overflow - Start Certificate System:
systemctl start pki-tomcatd@instance_name.service
# systemctl start pki-tomcatd@instance_name.serviceCopy to Clipboard Copied! Toggle word wrap Toggle overflow
- Display the certificates and note the ID of the expired system certificate:
pki-server cert-find
# pki-server cert-findCopy to Clipboard Copied! Toggle word wrap Toggle overflow - Create the new permanent certificate:
pki-server cert-create certificate_ID
# pki-server cert-create certificate_IDCopy to Clipboard Copied! Toggle word wrap Toggle overflow - Stop Certificate System:
systemctl stop pki-tomcatd@instance_name.service
# systemctl stop pki-tomcatd@instance_name.serviceCopy to Clipboard Copied! Toggle word wrap Toggle overflow - Import the new certificate to replace the expired certificate:
pki-server cert-import certificate_ID
# pki-server cert-import certificate_IDCopy to Clipboard Copied! Toggle word wrap Toggle overflow - Start Certificate System:
systemctl start pki-tomcatd@instance_name.service
# systemctl start pki-tomcatd@instance_name.serviceCopy to Clipboard Copied! Toggle word wrap Toggle overflow
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}