Renewing Admin Certificate with RSNv3
This page describes the process to renew the admin certificate with RSNv3. Unlike the legacy number generator, RSNv3 does not require the server to be running.
Notes:
-
This procedure can only be executed locally by the system administrator.
-
This procedure will work even if the admin certificate or the admin password no longer works.
-
This procedure does not require the server to be running.
-
This procedure does not require resetting the system clock.
-
This procedure does not generate audit logs.
Availability: Since PKI 11.5
-
CA must be configured with RSNv3.
To find the existing certificate in the admin user record:
$ pki-server ca-user-cert-find caadmin
To remove the certificate from the admin user record:
$ pki-server ca-user-cert-del caadmin <cert ID>
To find the existing certificate in PKI CLI:
$ pki nss-cert-find
To remove the certificate and its key from PKI CLI:
$ certutil -F -d ~/.dogtag/nssdb -n caadmin
To generate a admin certificate request:
$ pki nss-cert-request \
--subject "CN=Administrator" \
--ext /usr/share/pki/server/certs/admin.conf \
--csr admin.csr
To import the certificate request into CA database:
$ pki-server ca-cert-request-import \
--csr admin.csr \
--profile adminCert.profile
It should generate a new request ID.
To issue a new certificate:
$ pki-server ca-cert-create \
--request <request ID> \
--profile adminCert.profile \
--type local \
> admin.crt
To import the new certificate into CA database:
$ pki-server ca-cert-import \
--cert admin.crt \
--profile adminCert.profile \
--request <request ID>
To import the new certificate to the admin user record:
$ cat admin.crt | pki-server ca-user-cert-add caadmin
To import the new certificate into PKI CLI:
$ pki nss-cert-import caadmin --cert admin.crt
The new certificate can be used as follows:
$ pki -n caadmin ca-user-find
|
Tip
|
To find a page in the Wiki, enter the keywords in search field, press Enter, then click Wikis. |