[Pki-users] How to renew CA root signing certificate?
Matt Magoffin
redhat.com at msqr.us
Wed May 6 08:35:49 UTC 2020
Hello,
I have a Dogtag 10.0 CA system where the root self-signed certificate is set to expire next year. I plan to upgrade to Dogtag 10.7, but after that it is not clear to me what procedure I should follow to renew the root signing certificate.
I understand the general process for renewing system certificates as outlined here:
https://www.dogtagpki.org/wiki/System_Certificate_Renewal
However, the examples there are all for system certificates other than the root certificate, so I wanted to be clear on the steps needed.
In my testing, I found that I can renew & approve the root signing certificate as documented:
$ pki ca-cert-request-submit --profile caManualRenewal --serial 0x1 --renewal
If I use the web GUI’s “Bypass CA notAfter constraint” option to approve the request I can get the expiration date of the approved certificate set to the distant future. Is there a way to do this with the pki command line tool? When I tried, the expiration date gets capped to the current CA root certificate’s expiration date.
Then, assuming that approved root certificate is what I need, do I just run
$ systemctl stop pki-tomcatd@pki-tomcat.service
$ pki-server subsystem-cert-update ca <nickname> --cert <renewed-cert-file>
$ systemctl start pki-tomcatd@pki-tomcat.service
And then will I be able to renew the other system certificates normally later (before they expire)?
Thanks for any advice,
Matt
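An added sanity check for the step between approving the renewal and running `pki-server subsystem-cert-update` (example code, not from Matt's post or the Dogtag project): it takes the currently installed root and the approved renewal as two PEM exports and confirms the new certificate is a genuine renewal of the old one, i.e. same subject, same public key, self-signed, and a later notAfter, so that certificates already issued by the CA keep chaining. It assumes `openssl` on PATH and GNU `date -d`; the demo certificates it builds are constructed, not real Dogtag data.

```shell
#!/bin/sh
# Added example, not from the original post or the Dogtag project.
# Before replacing the CA signing cert with `pki-server subsystem-cert-update`,
# confirm the approved cert is a genuine renewal of the installed root:
# same subject, same public key (not a re-key), self-signed, later notAfter.
# Assumes `openssl` on PATH and GNU `date -d`.
set -eu

field() {          # field <pem> <-subject|-enddate>: value after the first '='
  openssl x509 -in "$1" -noout "$2" | sed 's/^[^=]*=[ ]*//'
}

pubkey_fpr() {     # SHA-256 over the DER SubjectPublicKeyInfo of the cert's key
  openssl x509 -in "$1" -noout -pubkey \
    | openssl pkey -pubin -outform DER | openssl dgst -sha256 | sed 's/^.*= *//'
}

not_after_epoch() { date -d "$(field "$1" -enddate)" +%s; }

# check_renewed_root <current.pem> <renewed.pem>: returns 0 only if every check passes
check_renewed_root() {
  old=$1 new=$2
  [ "$(field "$old" -subject)" = "$(field "$new" -subject)" ] \
    || { echo "FAIL: subject differs"; return 1; }
  [ "$(pubkey_fpr "$old")" = "$(pubkey_fpr "$new")" ] \
    || { echo "FAIL: public key differs (a re-key, not a renewal; issued certs would stop chaining)"; return 1; }
  openssl verify -CAfile "$new" "$new" >/dev/null 2>&1 \
    || { echo "FAIL: renewed cert does not verify against itself"; return 1; }
  [ "$(not_after_epoch "$new")" -gt "$(not_after_epoch "$old")" ] \
    || { echo "FAIL: notAfter was not extended"; return 1; }
  echo "OK: same key and subject, notAfter now $(field "$new" -enddate)"
}

# Constructed demo data: one root key, a root expiring in 30 days and its 10-year renewal
make_demo() {
  dir=$(mktemp -d)
  openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
  for spec in "old 30" "new 3650"; do
    set -- $spec
    openssl req -x509 -new -key "$dir/ca.key" -subj "/O=Example/CN=Demo Root CA" \
      -days "$2" -out "$dir/$1.pem" 2>/dev/null
  done
  echo "$dir"
}

if [ "${1:-}" = "demo" ]; then
  d=$(make_demo); check_renewed_root "$d/old.pem" "$d/new.pem"
fi
```

Run it as `sh check-root-renewal.sh demo` to see the constructed case pass, or call `check_renewed_root current.pem renewed.pem` on exports from the NSS database.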