000011898 - How to re-issue expired server certificates for Keon Certificate Authority?

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017. Version 2.

Article Content

Article Number: 000011898
Applies To: Keon Certificate Authority 6.5.1
RSA Certificate Manager (RCM)
Microsoft Windows
Issue: How to re-issue expired server certificates for Keon Certificate Authority?
What are the steps to re-sign the System CA if it has expired?
Unable to perform administrative operations on the Keon Certificate Authority (KCA) admin interface
If KCA services are restarted, all services seem to start up except for the CMP Server
Cause: The KCA server certificates and the System CA/Administrative CA certificates have expired. Here is the list of server certificates:

  CMPServer\ssl\certs\cmp.cert
  LogServer\sign\certs\signing.cert
  LogServer\ssl\certs\server_ssl.cert
  WebServer\ssl\certs\admin.cert
  WebServer\ssl\certs\adminServer.cert
  WebServer\ssl\certs\crl.cert
  WebServer\ssl\certs\crlServer.cert
  WebServer\ssl\certs\crsSigner.cert
  WebServer\ssl\certs\enroll.cert
  WebServer\ssl\certs\enrollServer.cert
  WebServer\ssl\certs\scep.cert
  WebServer\ssl\certs\scepServer.cert
  Xudad\ssl\certs\root.cert
  Xudad\ssl\certs\ssl.cert

NOTE: On Windows, any of the above certificates can be viewed by copying and renaming the .cert file as .cer (or .crt) and then double-clicking the file to open Windows Certificate Manager.
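Before rolling the clock back it helps to know exactly which of the files above have lapsed, and a periodic check of the same list is what prevents this outage in the first place. The following Python script is an added example (not RSA's code) that walks the article's certificate list under a given install directory and classifies each file as missing, expired, expiring or ok. It assumes the .cert files are ordinary PEM- or DER-encoded X.509 certificates (the NOTE above implies as much) and carries a tiny DER walker so it needs nothing beyond the standard library. The `build_sample_cert` and `demo` helpers construct placeholder certificates only so the script runs offline; they are not real KCA material, and the install directory and reference date in `demo` are constructed values.

```python
import base64
import datetime as dt
import os
import re
import tempfile

# Relative paths from the article's list of KCA server certificates (Windows-style separators)
KCA_SERVER_CERTS = r"""
CMPServer\ssl\certs\cmp.cert LogServer\sign\certs\signing.cert LogServer\ssl\certs\server_ssl.cert
WebServer\ssl\certs\admin.cert WebServer\ssl\certs\adminServer.cert WebServer\ssl\certs\crl.cert
WebServer\ssl\certs\crlServer.cert WebServer\ssl\certs\crsSigner.cert WebServer\ssl\certs\enroll.cert
WebServer\ssl\certs\enrollServer.cert WebServer\ssl\certs\scep.cert WebServer\ssl\certs\scepServer.cert
Xudad\ssl\certs\root.cert Xudad\ssl\certs\ssl.cert
""".split()
PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def _tlv(data, pos):
    """Decode one DER tag/length/value at pos -> (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length


def _parse_time(tag, value):
    """UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18, YYYYMMDDHHMMSSZ) -> aware datetime."""
    text = value.decode("ascii")
    if tag == 0x17:                        # RFC 5280: YY >= 50 means 19YY, otherwise 20YY
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    return dt.datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=dt.timezone.utc)


def cert_validity(raw):
    """Return (not_before, not_after) of a PEM- or DER-encoded X.509 certificate."""
    if raw.lstrip().startswith(b"-----BEGIN"):
        raw = base64.b64decode(b"".join(PEM_RE.search(raw).group(1).split()))
    _, cert, _ = _tlv(raw, 0)              # Certificate ::= SEQUENCE { tbsCertificate, sigAlg, sig }
    _, tbs, _ = _tlv(cert, 0)              # tbsCertificate ::= SEQUENCE { ... }
    tag, _, pos = _tlv(tbs, 0)
    if tag == 0xA0:                        # optional [0] EXPLICIT version precedes serialNumber
        _, _, pos = _tlv(tbs, pos)         # serialNumber
    _, _, pos = _tlv(tbs, pos)             # signature AlgorithmIdentifier
    _, _, pos = _tlv(tbs, pos)             # issuer Name
    _, validity, _ = _tlv(tbs, pos)        # validity ::= SEQUENCE { notBefore, notAfter }
    t1, v1, p = _tlv(validity, 0)
    t2, v2, _ = _tlv(validity, p)
    return _parse_time(t1, v1), _parse_time(t2, v2)


def scan_kca_certs(install_dir, now=None, warn_days=30):
    """Classify each listed certificate under install_dir -> [(rel_path, not_after, status)]."""
    now = now or dt.datetime.now(dt.timezone.utc)
    results = []
    for rel in KCA_SERVER_CERTS:
        path = os.path.join(install_dir, *rel.split("\\"))
        if not os.path.isfile(path):
            results.append((rel, None, "missing"))
            continue
        with open(path, "rb") as fh:
            _, not_after = cert_validity(fh.read())
        status = ("expired" if not_after < now
                  else "expiring" if not_after < now + dt.timedelta(days=warn_days) else "ok")
        results.append((rel, not_after, status))
    return results


# --- constructed fixtures so the script runs offline (not real KCA certificates) ---
def _der(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body


def build_sample_cert(not_before, not_after):
    """Constructed PEM certificate skeleton: real DER layout, placeholder names, key and signature."""
    utc = lambda t: _der(0x17, t.strftime("%y%m%d%H%M%SZ").encode())
    alg = _der(0x30, _der(0x06, bytes.fromhex("2A864886F70D01010B")))   # sha256WithRSAEncryption
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg
               + _der(0x30, b"") + _der(0x30, utc(not_before) + utc(not_after))
               + _der(0x30, b"") + _der(0x30, b""))
    der = _der(0x30, tbs + alg + _der(0x03, b"\x00" * 9))
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der) + b"-----END CERTIFICATE-----\n"


def demo(now=dt.datetime(2017, 4, 21, tzinfo=dt.timezone.utc)):
    """Build a temporary install tree of constructed certs and scan it -> {rel_path: status}."""
    day = dt.timedelta(days=1)
    with tempfile.TemporaryDirectory() as d:
        for rel in KCA_SERVER_CERTS:
            if rel.endswith("root.cert"):          # left out on purpose -> 'missing'
                continue
            if rel.endswith("cmp.cert"):           # expired 35 days ago (the article's symptom)
                nb, na = now - 400 * day, now - 35 * day
            elif rel.endswith("admin.cert"):       # expires in 10 days -> 'expiring'
                nb, na = now - 355 * day, now + 10 * day
            else:
                nb, na = now - day, now + 364 * day
            path = os.path.join(d, *rel.split("\\"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(build_sample_cert(nb, na))
        return {rel: status for rel, _, status in scan_kca_certs(d, now=now)}


if __name__ == "__main__":
    for rel, status in demo().items():
        print(f"{status:9} {rel}")
```

Run the file directly to see the constructed demo, or call `scan_kca_certs(r"C:\Program Files\RSA Security\RSA_KeonCA")` against a real installation. The script reads only the notAfter field; it does not verify signatures or chain the certificate to the System CA, so a file that is valid by date but was signed by a CA that has since been re-signed will still report as ok, which is exactly why step 7 of the resolution (updating cas.cert) cannot be skipped after a System CA re-sign.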
Resolution: Since no administrative operations can be done on the KCA admin interface, the system date (on both the KCA system and the browser system) must be rolled back temporarily to a date on which the server certificates were still valid. Once access to the KCA admin console is restored, the server certificates can be renewed/re-issued. The guidelines below describe how to accomplish this:

Note for Linux/Solaris users:
Make sure that the following folders and files have the proper permissions and ownership; the owner should be the same user account that runs the WebServer:
- ./WebServer/ssl/extcerts
- ./CmpServer/ssl/certs/cmp.cert
- ./Xudad/ssl/certs/ssl.cert
- ./Xudad/ssl/certs/root.cert

1. Stop KCA services
2. Make a full backup of the KCA installation (typically installed in the directory C:\Program Files\RSA Security\RSA_KeonCA)
3. Change the system date back to a date on which the server certificates were still valid
4. Start KCA services
5. From the KCA admin interface, view the System CA and the Administrative CA to see whether their certificates have expired or are about to expire soon. If neither the System CA nor the Administrative CA certificate has expired or is about to expire, skip to step 6. Otherwise, follow the steps below to re-issue the CA certificates:
      5.1. KCA admin interface => CA Operations workbench => select the System CA from the drop down box and click 'view' option
      5.2. If System CA certificate needs to be renewed, click 'Re-sign' button under CA Operations section
      5.3. Ensure that the System CA is selected in the Issuer drop down box and the System CA jurisdiction is selected in the Jurisdiction drop down box, click 'Next' button
      5.4. Choose a new expiry date, click 'Next', and then follow any additional prompts to complete the re-issuing of System CA certificate
      5.5. If Administrative CA certificate needs to be renewed, follow steps 5.1 through 5.4 for the Administrative CA (ensure that System CA signs the new Administrative CA certificate)
      5.6. Restart KCA services

6. Re-issue KCA server certificates:
      6.1. KCA admin interface => Administrator Operations workbench => click 'Re-issue' link under Server Certificates
      6.2. Ensure that the System CA is selected in the Issuer drop down box and the System CA jurisdiction is selected in the Jurisdiction drop down box
      6.3. Ensure that Internal Certificates option is selected
      6.4. Select one certificate at a time from the drop down list against Internal Certificates option and click Next
      6.5. Choose a new expiry date (other entries on the page can remain unchanged), and click Next to complete the re-issuing of the server certificate
      6.6. Repeat steps 6.1 through 6.5 for the remaining server certificates, until all server certificates (listed above) have been renewed
7. If the System CA was NOT renewed in step 5, skip this step. If the System CA certificate was renewed in step 5, the new CA certificate must be updated in cas.cert:
      7.1. Go to the KCA admin interface => CA Operations workbench => select the System CA from the drop down box and click 'view' option => in the center of the page click the 'view' link against 'Certificate (PEM format)' to open a new browser window containing the PEM encoded System CA certificate; save this PEM encoded CA certificate to a temporary text file (for example in Notepad)
      7.2. Back up the file <KCA_INSTALL_DIR>\LogServer\ssl\certs\cas.cert, then open it with a text editor, remove the old certificate and replace it with the new System CA certificate saved in step 7.1
8. If the current administrator certificate (installed on the browser) has expired, you must also generate and install a new administrator certificate on the browser.
      8.1. Go to the KCA admin interface => Administrator Operations workbench => click on Administrator URLs in the Navigation panel on left => make a note of URL for your browser
      8.2. Open a new browser window and go to the URL copied in step 8.1 to submit a certificate request for the administrator
      8.3. Go to the KCA admin interface => Administrator Operations workbench => select 'request-active' under Administrator => vet and issue the new administrator certificate
      8.4. Install the new administrator certificate in browser
9. Stop KCA services
10. Change system date back to the current date
11. Start KCA services
12. Test the KCA by making a test certificate request and approving the request from the KCA admin interface
Legacy Article ID: a32616
