Overview
This document describes the process for updating the system certificate cache in the PKI subsystem configuration file.
PKI server stores the system certificates in the following locations:
The certificate data is stored in the NSS database (i.e. /var/lib/pki//alias)
The certificate request is stored in the CA’s internal database (i.e. ou=requests,)
PKI server also stores a copy of the data and request in each subsystem’s configuration file (i.e. /var/lib/pki///conf/CS.cfg) as a cache:
The certificate data is stored in ..cert property
The certificate request is stored in ..certreq
Under some circumstances the certificate data and request cache need to be updated:
the system certificate is renewed
the configuration file is corrupted
Updating System Certificate Cache
Using the pki-server tool
The pki-server tool must be run locally by the system administrator.
First, stop PKI server:
$ systemctl stop pki-tomcatd@pki-tomcat.service
Use the subsystem-find command to list subsystems installed on the machine:
$ pki-server subsystem-find
-----------------
2 entries matched
-----------------
Subsystem ID: ca
Instance ID: pki-tomcat
Enabled: True
Subsystem ID: kra
Instance ID: pki-tomcat
Enabled: True
Use the subsystem-cert-find command to list the system certificates in each subsystem:
$ pki-server subsystem-cert-find ca
-----------------
5 entries matched
-----------------
Cert ID: signing
Nickname: caSigningCert cert-pki-tomcat CA
Token: Internal Key Storage Token
Certificate: <base-64 encoded certificate data>
Request: <base-64 encoded certificate request>
Cert ID: ocsp_signing
Nickname: ocspSigningCert cert-pki-tomcat CA
Token: Internal Key Storage Token
Certificate: <base-64 encoded certificate data>
Request: <base-64 encoded certificate request>
Cert ID: sslserver
Nickname: Server-Cert cert-pki-tomcat
Token: Internal Key Storage Token
Certificate: <base-64 encoded certificate data>
Request: <base-64 encoded certificate request>
Cert ID: subsystem
Nickname: subsystemCert cert-pki-tomcat
Token: Internal Key Storage Token
Certificate: <base-64 encoded certificate data>
Request: <base-64 encoded certificate request>
Cert ID: audit_signing
Nickname: auditSigningCert cert-pki-tomcat CA
Token: Internal Key Storage Token
Certificate: <base-64 encoded certificate data>
Request: <base-64 encoded certificate request>
If the certificate data or request is missing for any of the above entries, use the subsystem-cert-update command to update that system certificate:
$ pki-server subsystem-cert-update ca signing
---------------------------------------
Updated "signing" subsystem certificate
---------------------------------------
Cert ID: signing
Nickname: caSigningCert cert-pki-tomcat CA
Token: Internal Key Storage Token
Certificate: <base-64 encoded certificate data>
Request: <base-64 encoded certificate request>
Finally, restart PKI server:
$ systemctl start pki-tomcatd@pki-tomcat.service
Manual process
Getting system certificate list
The list of system certificates can be obtained from the .cert.list property, for example:
ca.cert.list=transport,storage,sslserver,subsystem,audit_signing
Updating the certificate data
Get the certificate nickname from the ..nickname property.
Get the base-64 encoded certificate data from the NSS database:
$ certutil -L -d /var/lib/pki/<instance>/alias/ -n "caSigningCert cert-pki-tomcat CA" -r | base64
Store the base-64 encoded certificate data in the ..cert property.
Updating the certificate request
Get the base-64 encoded certificate request from the LDAP database:
$ ldapsearch -x -D "cn=Directory Manager" -w Secret.123 -t \
-b ou=requests,dc=ca,dc=example,dc=com "(extdata-origprofileid=<profile ID>)" extdata-cert--005frequest
Use the appropriate certificate profile ID:
signing: caCert
ocsp_signing: caOCSPCert
sslserver: serverCert
subsystem: subsystemCert
audit_signing: caAuditSigningCert
Store the base-64 encoded certificate request in the ..certreq property.
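The manual procedure above can be scripted so that stale or empty cache entries are detected before they are rewritten. The following is an added example, not code from pki-server; it assumes the CS.cfg property names follow the pattern <subsystem>.<cert ID>.nickname and <subsystem>.<cert ID>.cert, uses a constructed CS.cfg fragment and a constructed stand-in for the NSS database, and only the certutil_export helper touches a real NSS database.

```python
import base64
import subprocess

# Constructed CS.cfg fragment: "signing" is cached with a stale value, "sslserver" is empty.
SAMPLE_CS_CFG = """\
ca.cert.list=signing,sslserver
ca.signing.nickname=caSigningCert cert-pki-tomcat CA
ca.signing.cert=BASE64-OLD-SIGNING-CERT
ca.sslserver.nickname=Server-Cert cert-pki-tomcat
ca.sslserver.cert=
"""

# Constructed stand-in for the NSS database (nickname -> base-64 DER) so the example runs offline.
FAKE_NSS_DB = {
    "caSigningCert cert-pki-tomcat CA": "BASE64-RENEWED-SIGNING-CERT",
    "Server-Cert cert-pki-tomcat": "BASE64-SERVER-CERT",
}

def parse_cs_cfg(text):
    """Parse CS.cfg key=value lines into a dict; comments and blank lines are skipped."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            cfg[key.strip()] = value.strip()
    return cfg

def certutil_export(alias_dir, nickname):
    """Read one certificate from a real NSS DB as base-64 DER (same as certutil -L -r | base64)."""
    der = subprocess.run(["certutil", "-L", "-d", alias_dir, "-n", nickname, "-r"], check=True, capture_output=True).stdout
    return base64.b64encode(der).decode()

def find_stale_certs(cfg, subsystem, fetch_cert):
    """Cert IDs from <subsystem>.cert.list whose cached .cert is empty, differs from the NSS DB, or has no nickname."""
    stale = []
    for cert_id in [c.strip() for c in cfg.get(f"{subsystem}.cert.list", "").split(",") if c.strip()]:
        nickname = cfg.get(f"{subsystem}.{cert_id}.nickname")
        cached = cfg.get(f"{subsystem}.{cert_id}.cert", "")
        if not nickname or cached != fetch_cert(nickname):
            stale.append(cert_id)
    return stale

def refresh_cert_cache(cfg, subsystem, fetch_cert):
    """Overwrite every stale <subsystem>.<id>.cert from the NSS DB; returns the IDs rewritten.
    A missing .nickname property raises KeyError, since the cert cannot be located without it."""
    updated = find_stale_certs(cfg, subsystem, fetch_cert)
    for cert_id in updated:
        cfg[f"{subsystem}.{cert_id}.cert"] = fetch_cert(cfg[f"{subsystem}.{cert_id}.nickname"])
    return updated
```

On a real instance, pass `lambda n: certutil_export("/var/lib/pki/<instance>/alias", n)` as fetch_cert and write the dict back to CS.cfg while the server is stopped.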