<html> <head> <meta http-equiv="Content-Type" content="text/html; charset=Windows-1252"> </head> <body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; color: rgb(0, 0, 0); font-size: 14px; font-family: Calibri, sans-serif;"> <div>Thanks. It worked. Btw, the profile name is caAdminCert for default PKI Administrator user (cadmic).</div> <div><br> </div> <div>Here’re the steps I followed to renew default PKI Administrator user:</div> <ol> <li>Disable the caAdminCert profile via the agent interface (caadmin uses Security Domain Administrator Certificate Enrollment profile)</li><li>Change the validity default parameter constraint for caAdminCert profile via PKIconsole</li><li>Enable the caAdminCert profile via the agent interface</li><li>Submit the certificate renewal request using 'Self-renew user SSL client certificates’ option via End Users interface</li></ol> <div>- Mahendra</div> <div><br> </div> <span id="OLK_SRC_BODY_SECTION"> <div style="font-family:Calibri; font-size:11pt; text-align:left; color:black; BORDER-BOTTOM: medium none; BORDER-LEFT: medium none; PADDING-BOTTOM: 0in; PADDING-LEFT: 0in; PADDING-RIGHT: 0in; BORDER-TOP: #b5c4df 1pt solid; BORDER-RIGHT: medium none; PADDING-TOP: 3pt"> <span style="font-weight:bold">From: </span>Nalinda Herath <<a href="mailto:nali.mrt@gmail.com">nali.mrt@gmail.com</a>><br> <span style="font-weight:bold">Date: </span>Monday, March 30, 2015 at 1:13 AM<br> <span style="font-weight:bold">To: </span>"Jain, Mahendra" <<a href="mailto:majain@verisign.com">majain@verisign.com</a>><br> <span style="font-weight:bold">Cc: </span>"<a href="mailto:pki-users@redhat.com">pki-users@redhat.com</a>" <<a href="mailto:pki-users@redhat.com">pki-users@redhat.com</a>><br> <span style="font-weight:bold">Subject: </span>Re: [Pki-users] Renew PKI Administrator (caadmin) certificate<br> </div> <div><br> </div> <div> <div> <div dir="ltr"> <div class="gmail_default" style="font-family:courier new,monospace">For issuing the CA admin certificate, CA uses the dual-use user certificate profile. First disable that profile via the agent interface and login to the PKIconsole. Go to the causerCert profile (i cant remember the exact name) and change the validity default parameter constraint.<br> <br> </div> <div class="gmail_default" style="font-family:courier new,monospace">to renew, by default it should be within the renewal grace period.<br> </div> <div class="gmail_extra"><br> <div class="gmail_quote">On Mon, Mar 30, 2015 at 7:11 AM, Jain, Mahendra <span dir="ltr"> <<a href="mailto:Majain@verisign.com" target="_blank">Majain@verisign.com</a>></span> wrote:<br> <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> <div style="word-wrap:break-word;color:rgb(0,0,0);font-size:14px;font-family:Calibri,sans-serif"> <div>Correction: I meant, How can it be renewed for more than 2 years (say 5 years)?</div> <div><br> </div> <span> <div style="font-family:Calibri;font-size:11pt;text-align:left;color:black;BORDER-BOTTOM:medium none;BORDER-LEFT:medium none;PADDING-BOTTOM:0in;PADDING-LEFT:0in;PADDING-RIGHT:0in;BORDER-TOP:#b5c4df 1pt solid;BORDER-RIGHT:medium none;PADDING-TOP:3pt"> <span style="font-weight:bold">From: </span><Jain>, "Jain, Mahendra" <<a href="mailto:majain@verisign.com" target="_blank">majain@verisign.com</a>><br> <span style="font-weight:bold">Date: </span>Sunday, March 29, 2015 at 9:07 PM<br> <span style="font-weight:bold">To: </span>"<a href="mailto:pki-users@redhat.com" target="_blank">pki-users@redhat.com</a>" <<a href="mailto:pki-users@redhat.com" target="_blank">pki-users@redhat.com</a>><br> <span style="font-weight:bold">Subject: </span>[Pki-users] Renew PKI Administrator (caadmin) certificate<br> </div> <div> <div> <div><br> </div> <div> <div style="word-wrap:break-word;color:rgb(0,0,0);font-size:14px;font-family:Calibri,sans-serif"> <div>Hello All,</div> <div><br> </div> <div>When I install the Dogtag Certificate System, the installation creates default PKI Administrator user (caadmin) and it’s certificate expires in 2 years.</div> <div>How do I renew the certificate for the PKI Administrator user?</div> <div><br> </div> <div>Thanks,</div> <div>Mahendra </div> <h5><font color="gray">“This message (including any attachments) is intended only for the use of the individual or entity to which it is addressed, and may contain information that is non-public, proprietary, privileged, confidential and exempt from disclosure under applicable law or may be constituted as attorney work product. If you are not the intended recipient, you are hereby notified that any use, dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this message in error, notify sender immediately and delete this message immediately.” </font></h5> <font color="gray"></font></div> </div> </div> </div> </span></div> <br> _______________________________________________<br> Pki-users mailing list<br> <a href="mailto:Pki-users@redhat.com" target="_blank">Pki-users@redhat.com</a><br> <a href="https://www.redhat.com/mailman/listinfo/pki-users" target="_blank">https://www.redhat.com/mailman/listinfo/pki-users</a><br> </blockquote> </div> <br> <br clear="all"> <br> -- <br> <div><font face="georgia,serif"><font size="1">Best Regards,</font><br> Nalinda<br> </font><br> </div> </div> </div> </div> </div> </span> </body> </html>