Certificate Renewal with Directory Authenticated Profile

Endi S. Dewata edited this page Aug 2, 2023 · 1 revision

Submitting Renewal Request

Execute the following command to submit the renewal request. It will prompt for the LDAP password:

$ pki -U https://$HOSTNAME:8443 -c Secret.123 -n testuser client-cert-request \
    --profile caDirUserRenewal --username testuser --password
Password: ********
-----------------------------
Submitted certificate request
-----------------------------
  Request ID: 23
  Type: renewal
  Request Status: complete
  Operation Result: success
  Certificate ID: 0x11

The certificate will be issued immediately.

Importing Renewed Certificate

Remove the old certificate from the client NSS database:

$ pki -c Secret.123 client-cert-del testuser
------------------------------
Removed certificate "testuser"
------------------------------

Import the new certificate into the client NSS database:

$ pki -c Secret.123 client-cert-import testuser --serial 0x11
-------------------------------
Imported certificate "testuser"
-------------------------------

Verify with the following command:

$ pki -c Secret.123 client-cert-find
----------------------
2 certificate(s) found
----------------------
  Serial Number: 0x1
  Nickname: CA Signing Certificate - EXAMPLE
  Subject DN: CN=CA Signing Certificate,O=EXAMPLE
  Issuer DN: CN=CA Signing Certificate,O=EXAMPLE

  Serial Number: 0x11
  Nickname: testuser
  Subject DN: UID=testuser,OU=People,DC=example,DC=com
  Issuer DN: CN=CA Signing Certificate,O=EXAMPLE
----------------------------
Number of entries returned 2
----------------------------
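
As an added example (not part of the original wiki page or Dogtag's own tooling), the script below guards the delete-and-import steps above: it parses the `client-cert-request` output and proceeds only when the request is complete, successful, and carries a hex Certificate ID, so the old certificate is not removed when no replacement was issued. The names `renewed_serial`, `swap_cert` and `PKI_CMD`, and both sample outputs, are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original wiki page.
# renewed_serial reads `pki ... client-cert-request` output on stdin and prints
# the Certificate ID only when the request completed successfully (fails closed).
renewed_serial() {
    awk -F': *' '
        { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }   # trim; awk re-splits fields
        $1 == "Request Status"   { status = $2 }
        $1 == "Operation Result" { result = $2 }
        $1 == "Certificate ID"   { serial = $2 }
        END {
            if (status != "complete" || result != "success") exit 1
            if (serial !~ /^0x[0-9a-fA-F]+$/) exit 1     # accept a hex serial only
            print serial
        }'
}

# Constructed sample modelled on the output format shown on this page.
SAMPLE_OK='-----------------------------
Submitted certificate request
-----------------------------
  Request ID: 23
  Type: renewal
  Request Status: complete
  Operation Result: success
  Certificate ID: 0x11'

# Constructed sample: a request that has not completed, so no certificate exists.
SAMPLE_PENDING='  Request ID: 24
  Type: renewal
  Request Status: pending
  Operation Result: success'

# swap_cert NICKNAME: reads request output on stdin; deletes the old certificate
# and imports the new one only after a serial was extracted.
# PKI_CMD is a hypothetical override used here for dry runs (default: pki).
swap_cert() {
    serial=$(renewed_serial) || {
        echo "renewal not complete; keeping old certificate" >&2
        return 1
    }
    ${PKI_CMD:-pki} -c Secret.123 client-cert-del "$1" &&
    ${PKI_CMD:-pki} -c Secret.123 client-cert-import "$1" --serial "$serial"
}

# Dry run: print the pki commands instead of executing them.
PKI_CMD="echo pki"
printf '%s\n' "$SAMPLE_OK" | swap_cert testuser
printf '%s\n' "$SAMPLE_PENDING" | swap_cert testuser || true
```

Unset `PKI_CMD` to run the real commands, feeding `swap_cert` the saved output of the renewal request.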