Skip to content

Renewing OCSP Signing Certificate

Endi S. Dewata edited this page Oct 30, 2023 · 4 revisions

Overview

This page describes the process to renew an OCSP signing certificate for a PKI server.

Checking Current Certificate

To check the current OCSP signing certificate:

$ pki-server cert-show ca_ocsp_signing
  Cert ID: ocsp_signing
  Nickname: ca_ocsp_signing
  Token: internal
  Serial Number: 0x725cc479e26dfa1f51bff30b58f413fd
  Subject DN: CN=CA OCSP Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Not Valid Before: Wed Oct 25 15:39:32 2023
  Not Valid After: Tue Oct 14 15:39:32 2025
  Trust Flags: u,u,u

Renewal Procedure

To renew the OCSP signing certificate, submit a renewal request to the CA by executing the following command:

$ pki ca-cert-request-submit \
    --profile caManualRenewal \
    --serial 0x725cc479e26dfa1f51bff30b58f413fd \
    --renewal
-----------------------------
Submitted certificate request
-----------------------------
  Request ID: 0x87098848220222993a06cc71dea5598
  Type: renewal
  Request Status: pending
  Operation Result: success
  Creation Time: Mon Oct 30 09:50:32 CDT 2023
  Modification Time: Mon Oct 30 09:50:32 CDT 2023

Next, as a CA admin/agent approve the renewal request:

$ pki <authentication> ca-cert-request-approve 0x87098848220222993a06cc71dea5598 --force
--------------------------------------------------------------
Approved certificate request 0x87098848220222993a06cc71dea5598
--------------------------------------------------------------
  Request ID: 0x87098848220222993a06cc71dea5598
  Type: renewal
  Request Status: complete
  Operation Result: success
  Certificate ID: 0xebc69a16361be890e0d035ca08ebae4c
  Creation Time: Mon Oct 30 09:50:32 CDT 2023
  Modification Time: Mon Oct 30 09:51:06 CDT 2023

The CA admin/agent can authenticate using a client certificate or a username and password. If necessary, the password can be reset by the system administrator.

Next, retrieve the new certificate from the CA:

$ pki ca-cert-export 0xebc69a16361be890e0d035ca08ebae4c --output-file ca_ocsp_signing.crt

Delete the current certificate from the server’s NSS database:

$ pki-server cert-del ca_ocsp_signing

Then import the new certificate into the NSS database:

$ pki-server cert-import ca_ocsp_signing --input ca_ocsp_signing.crt

Verify the new certificate with the following command:

$ pki-server cert-show ca_ocsp_signing
  Cert ID: ocsp_signing
  Nickname: ca_ocsp_signing
  Token: internal
  Serial Number: 0xebc69a16361be890e0d035ca08ebae4c
  Subject DN: CN=CA OCSP Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Not Valid Before: Mon Oct 30 09:50:32 2023
  Not Valid After: Sun Oct 19 09:50:32 2025
  Trust Flags: u,u,u

See Also

Clone this wiki locally