PKI 10.3 Updating System Certificates
Endi S. Dewata edited this page May 19, 2021 · 1 revision
First, shut down the server:
$ systemctl stop pki-tomcatd@pki-tomcat.service
Delete the old certificates with the following commands:
$ certutil -D -d /var/lib/pki/pki-tomcat/alias -n ca_ocsp_signing
$ certutil -D -d /var/lib/pki/pki-tomcat/alias -n sslserver
$ certutil -D -d /var/lib/pki/pki-tomcat/alias -n subsystem
$ certutil -D -d /var/lib/pki/pki-tomcat/alias -n ca_audit_signing
Then import the renewed certificates:
$ certutil -A -d /var/lib/pki/pki-tomcat/alias -n ca_ocsp_signing -i ca_ocsp_signing.crt -t "u,u,u"
$ certutil -A -d /var/lib/pki/pki-tomcat/alias -n sslserver -i sslserver.crt -t "u,u,u"
$ certutil -A -d /var/lib/pki/pki-tomcat/alias -n subsystem -i subsystem.crt -t "u,u,u"
$ certutil -A -d /var/lib/pki/pki-tomcat/alias -n ca_audit_signing -i ca_audit_signing.crt -t "u,u,Pu"
Also update the following lines in /var/lib/pki/pki-tomcat/conf/ca/CS.cfg with the Base64-encoded data of the new certificates (without the header and footer):
ca.audit_signing.cert=...
ca.ocsp_signing.cert=...
ca.signing.cert=...
ca.sslserver.cert=...
ca.subsystem.cert=...
Finally, restart the server:
$ systemctl start pki-tomcatd@pki-tomcat.service
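The CS.cfg step can be scripted and run while the server is still stopped. The functions below are an added example, not part of the original wiki page or the PKI project: they assume the renewed .crt files are PEM-encoded, and the mapping from file names to CS.cfg parameters is inferred from the names used above. ca.signing.cert is left untouched because the page names no renewed file for it.

```shell
#!/bin/sh
# Added example (not from the wiki). Assumes the renewed .crt files are PEM.

# Print the Base64 body of the first certificate in a PEM file as one line.
pem_to_cs_value() {
    awk '
        /^-----BEGIN CERTIFICATE-----/ { inside = 1; next }
        /^-----END CERTIFICATE-----/   { exit }
        inside { gsub(/[ \t\r]/, ""); printf "%s", $0 }
        END { print "" }
    ' "$1"
}

# Replace the value of an existing key=value line; fail if the key is absent.
# Writes back with cat so CS.cfg keeps its owner, mode and SELinux label.
set_cs_param() {
    [ -n "$3" ] || { echo "empty value for $2" >&2; return 1; }
    tmp=$(mktemp) || return 1
    awk -v k="$2" -v v="$3" '
        index($0, k "=") == 1 { print k "=" v; found = 1; next }
        { print }
        END { exit !found }
    ' "$1" > "$tmp" && cat "$tmp" > "$1"
    rc=$?
    rm -f "$tmp"
    [ "$rc" -eq 0 ] || echo "could not update $2 in $1" >&2
    return "$rc"
}

# Update the four parameters whose certificates were re-imported above.
# The name-to-file mapping is an assumption based on the file names on the page.
update_cs_cfg() {
    for pair in audit_signing:ca_audit_signing ocsp_signing:ca_ocsp_signing \
                sslserver:sslserver subsystem:subsystem; do
        b64=$(pem_to_cs_value "$2/${pair#*:}.crt") || return 1
        set_cs_param "$1" "ca.${pair%%:*}.cert" "$b64" || return 1
    done
}

# Usage, with the server stopped and a backup of CS.cfg taken:
#   update_cs_cfg /var/lib/pki/pki-tomcat/conf/ca/CS.cfg /path/to/renewed/certs
```

A file that contains no PEM markers (for example a DER-encoded certificate) yields an empty value, which set_cs_param rejects instead of blanking the parameter.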