Offline System Certificate Renewal

From Dogtag

The PKI server provides a mechanism to recover from expired system certificates; see the design document. The same mechanism can also be used to renew the certificates before they expire. There are two procedures:

  1. Automated Renewal Process (uses the PKI online renewal tool)
  2. Manual Renewal Process

It is assumed that you have the following:

  • Valid CA signing cert
  • Valid admin cert
  • PKI server is currently down

To verify these assumptions:

1. List details of all system certificates. (Note down the <cert ID> of each cert that needs to be renewed.)

$ pki-server cert-find

2. Check details of admin cert

$ certutil -L \
-d <client NSS DB dir> \
-n <admin cert nickname>

3. Check status of PKI server

$ systemctl status pki-tomcatd@pki-tomcat

See also PKI Server Certificate CLI.
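
The three checks above, wired into one pre-flight script. This is an added example, not code from the Dogtag page or project: the instance name, the server NSS DB path (/etc/pki/pki-tomcat/alias), the nicknames (caSigningCert cert-pki-ca, caadmin) and the client NSS DB path (~/.dogtag/nssdb) are assumed defaults to be adjusted, and the expiry arithmetic assumes GNU date. The sample certutil output in the test is constructed.

```shell
#!/bin/sh
# Added example (not from the Dogtag page): pre-flight checks before an
# offline renewal. Paths and nicknames below are assumed defaults.
set -eu

INSTANCE="${INSTANCE:-pki-tomcat}"
SERVER_DB="${SERVER_DB:-/etc/pki/$INSTANCE/alias}"   # server NSS DB (assumed default path)
CA_NICK="${CA_NICK:-caSigningCert cert-pki-ca}"       # CA signing cert nickname (assumed default)
CLIENT_DB="${CLIENT_DB:-$HOME/.dogtag/nssdb}"         # client NSS DB holding the admin cert (assumed)
ADMIN_NICK="${ADMIN_NICK:-caadmin}"                   # admin cert nickname (assumed default)
MIN_DAYS="${MIN_DAYS:-30}"                            # flag anything expiring sooner than this

# Read `certutil -L` output on stdin, pull out the "Not After" date and print
# the number of whole days until expiry (negative once expired).
# NOW_EPOCH may be set to a fixed time for testing. GNU `date -d` is assumed.
days_until_expiry() {
    not_after=$(sed -n 's/^ *Not After *: *//p' | head -n 1)
    [ -n "$not_after" ] || { echo "no 'Not After' line in certutil output" >&2; return 2; }
    exp=$(date -u -d "$not_after" +%s)
    now=${NOW_EPOCH:-$(date -u +%s)}
    echo $(( (exp - now) / 86400 ))
}

# Exit 0 when the certificate on stdin is expired or expires within $1 days.
needs_renewal() {
    days=$(days_until_expiry) || return 2
    [ "$days" -lt "${1:-$MIN_DAYS}" ]
}

# Report one cert: nickname, days left, and whether certutil -V accepts it for
# usage $3 (certutil usage letters: L = SSL CA, C = SSL client).
check_cert() {
    db=$1; nick=$2; usage=$3
    days=$(certutil -L -d "$db" -n "$nick" | days_until_expiry)
    if certutil -V -d "$db" -n "$nick" -u "$usage" >/dev/null 2>&1; then
        state=valid
    else
        state=INVALID
    fi
    printf '%-40s %6s days left  %s\n' "$nick" "$days" "$state"
    [ "$state" = valid ] && [ "$days" -gt 0 ]
}

preflight() {
    rc=0
    # 1. The server must be down for an offline renewal.
    if systemctl is-active --quiet "pki-tomcatd@$INSTANCE"; then
        echo "pki-tomcatd@$INSTANCE is still running; stop it first" >&2
        rc=1
    fi
    # 2. The CA signing cert must still be valid: it signs the renewed certs.
    check_cert "$SERVER_DB" "$CA_NICK" L || rc=1
    # 3. The admin cert must still be valid: it authenticates the renewal requests.
    check_cert "$CLIENT_DB" "$ADMIN_NICK" C || rc=1
    # 4. List every system cert so the <cert ID>s to renew can be noted down.
    pki-server cert-find -i "$INSTANCE"
    return $rc
}

# Run the checks only when invoked as `sh preflight.sh check`.
if [ "${1:-}" = check ]; then preflight; fi
```

If the CA signing cert itself is expired, this procedure does not apply: the renewals are signed by it, and the script reports it as INVALID rather than continuing.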

Automated Renewal Process (Work in progress)

One-line tool that fixes all certificates:

$ pki-server cert-fix --all \
-n <admin nickname> \
-d <NSS db path> \
-c <NSS client DB password>

One-line tool to fix one particular certificate (requires further discussion with developers):

$ pki-server cert-fix --cert <cert ID> \
-n <admin nickname> \
-d <NSS db path> \
-c <NSS client DB password>

Manual Renewal Process


It is recommended to run the following steps to ensure that CS.cfg and the NSS DB are synchronized and that the server can operate without issues.

1. Disable self tests. Either remove the following line from the CS.cfg of the <subsystem> you are renewing (the CS.cfg is located in /etc/pki/pki-tomcat/<subsystem>/CS.cfg):

selftests.container.order.startup=CAPresence:critical, SystemCertsVerification:critical

or use the built-in tool:

$ pki-server selftest-disable -i <instance_name>

2. Synchronize NSS DB and CS.cfg

$ pki-server cert-update <cert ID> # repeat for every system certificate that is to be renewed

Bringing up the PKI server

1. Create a temporary SSL server certificate so the server can be started even if the current one has expired

$ pki-server cert-create sslserver --temp

2. Import the temporary SSL server certificate created in the previous step

$ pki-server cert-import sslserver

3. Start the server

$ systemctl start pki-tomcatd@pki-tomcat

System Certificate Renewal

1. Renew the required system certs using the PKI tool (repeat for each <cert ID>):

$ pki-server cert-create <cert ID> --renew \
-n <admin nickname> \
-d <NSS db path> \
-c <NSS client DB password>


Alternatively, renew them using a 3rd-party tool such as certmonger. If using this option, skip to step #4 after this step.

$ getcert list
$ getcert resubmit -i <id> # Get the ID of the tracked cert from the previous command

2. Stop the server so the PKI server instance can be updated to use the renewed certs

$ systemctl stop pki-tomcatd@pki-tomcat

3. Import the renewed permanent certs into the NSS DB and update the corresponding CS.cfg files (repeat for each <cert ID>)

$ pki-server cert-import <cert ID>

4. Re-enable the self tests. Add the startup line (the second line below; the onDemand line is shown for context) back to the CS.cfg of the corresponding subsystem:

selftests.container.order.onDemand=CAPresence:critical, SystemCertsVerification:critical, CAValidity:critical
selftests.container.order.startup=CAPresence:critical, SystemCertsVerification:critical

Or use the built-in tool (work in progress):

$ pki-server selftest-enable

5. Start the server with the renewed system certificates.

$ systemctl start pki-tomcatd@pki-tomcat
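
The whole manual procedure (self-test disable, cert-update, temporary SSL server cert, renewal, import, self-test re-enable) as one script, for an operator who has to renew several certificates at once. This is an added example, not code from the Dogtag page or project: the instance name, subsystem, cert IDs, nicknames and NSS DB paths are assumed placeholders, and the CS.cfg edits are done with grep/awk rather than the work-in-progress pki-server selftest-* commands. The CS.cfg content in the test is constructed.

```shell
#!/bin/sh
# Added example (not from the Dogtag page): the manual renewal procedure
# wired into one script. Everything below the comments is an assumed
# placeholder for a real deployment.
set -eu

INSTANCE="${INSTANCE:-pki-tomcat}"
SUBSYSTEM="${SUBSYSTEM:-ca}"
CS_CFG="/etc/pki/$INSTANCE/$SUBSYSTEM/CS.cfg"
SERVICE="pki-tomcatd@$INSTANCE"
# Cert IDs as printed by `pki-server cert-find`; placeholder list.
CERT_IDS="${CERT_IDS:-ca_ocsp_signing ca_audit_signing subsystem sslserver}"
ADMIN_NICK="${ADMIN_NICK:-caadmin}"               # assumed default admin nickname
CLIENT_DB="${CLIENT_DB:-$HOME/.dogtag/nssdb}"     # assumed client NSS DB path
CLIENT_PW="${CLIENT_PW:-}"                        # client NSS DB password, from the environment

STARTUP_LINE='selftests.container.order.startup=CAPresence:critical, SystemCertsVerification:critical'

# Step 1: drop the startup self-test line from the CS.cfg given as $1.
# Keeps a .bak copy and writes back into the same inode so the file's
# owner and mode (pkiuser) are preserved.
selftest_disable_cfg() {
    cfg=$1
    cp -p "$cfg" "$cfg.bak"
    grep -v '^selftests\.container\.order\.startup=' "$cfg" > "$cfg.tmp" || true
    cat "$cfg.tmp" > "$cfg"
    rm -f "$cfg.tmp"
}

# Step 4: put the startup line back, directly after the onDemand line
# (appended at the end if there is no onDemand line). Idempotent.
selftest_enable_cfg() {
    cfg=$1
    grep -q '^selftests\.container\.order\.startup=' "$cfg" && return 0
    awk -v line="$STARTUP_LINE" '
        { print }
        /^selftests\.container\.order\.onDemand=/ { print line; added = 1 }
        END { if (!added) print line }
    ' "$cfg" > "$cfg.tmp"
    cat "$cfg.tmp" > "$cfg"
    rm -f "$cfg.tmp"
}

manual_renewal() {
    [ -n "$CLIENT_PW" ] || { echo "CLIENT_PW is not set" >&2; return 1; }
    if systemctl is-active --quiet "$SERVICE"; then
        echo "$SERVICE must be stopped before an offline renewal" >&2
        return 1
    fi

    # --- Preparation: self-tests off, CS.cfg and NSS DB synchronized ---
    selftest_disable_cfg "$CS_CFG"
    for id in $CERT_IDS; do
        pki-server cert-update -i "$INSTANCE" "$id"
    done

    # --- Bring the server up on a temporary SSL server cert ---
    pki-server cert-create -i "$INSTANCE" sslserver --temp
    pki-server cert-import -i "$INSTANCE" sslserver
    systemctl start "$SERVICE"

    # --- Renew each cert through the running CA, authenticating as admin ---
    for id in $CERT_IDS; do
        pki-server cert-create -i "$INSTANCE" "$id" --renew \
            -n "$ADMIN_NICK" -d "$CLIENT_DB" -c "$CLIENT_PW"
    done

    # --- Swap the renewed certs in, re-enable self-tests, restart ---
    systemctl stop "$SERVICE"
    for id in $CERT_IDS; do
        pki-server cert-import -i "$INSTANCE" "$id"
    done
    selftest_enable_cfg "$CS_CFG"
    systemctl start "$SERVICE"
    pki-server cert-find -i "$INSTANCE"
}

# Run only when invoked as `CLIENT_PW=... sh renew.sh run`.
if [ "${1:-}" = run ]; then manual_renewal; fi
```

Two caveats: the `-c` option passes the client NSS DB password on the command line, where it is visible to other local users via the process list for the duration of each call, so keep it out of shell history and scripts and supply it through the environment; and if the sslserver cert is among those renewed, the temporary cert imported earlier is replaced by the permanent one in the final cert-import loop, which is why the server is stopped before that loop.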