000022524 - How to re-sign RSA Keon Certificate Authority OneStep SSL certificates

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.


Article Number: 000022524
Applies To: Keon Certificate Authority OneStep 6.5.1; Sun Solaris 2.8
Issue: How to re-sign RSA Keon Certificate Authority OneStep SSL certificates. RSA Keon Certificate Authority OneStep SSL certificate expired.
Resolution: Currently, RSA Keon Certificate Authority does not have an automated way of renewing the OneStep SSL certificate. To request and retrieve a new OneStep SSL certificate (to replace the old expired one), follow the steps below:

1. Update the request date in the OneStep/setup/setupSSL.conf file. The request-source parameter (ssl-RS) used to identify the request at the Keon CA installation must be unique for each request, and should have the following format:

    RSAKeonOneStep:<client_hostname>:<server_hostname>[:date[,time]]

Also, the request-source parameter must begin with RSAKeonOneStep, such as:

    RSAKeonOneStep:webserver.domain.com:kca.domain.com:9/26/2001,15:54:29

2. Rename the existing OneStep/ssl/private/onestep.key and OneStep/ssl/certs/onestep.cert files.

3. Use the setupSSL command-line tool to create a new public/private keypair and request a new SSL certificate from the Keon CA installation. Do so by executing the following command from the OneStep/setup directory:

    setupSSL -d2 -request setupSSL.conf

The setupSSL tool will create a new OneStep/ssl/private/onestep.key file and send the request for SSL certificate to the Keon CA installation.

If previously you uncommented the ssl-cryptoType parameter to use a hardware private key, use the -p option to specify a passphrase (do not use spaces, tabs, or other white space characters in the passphrase):

    setupSSL -d2 -request -p <passphrase> setupSSL.conf

4. From the Keon CA Administrative Interface, have the Keon CA administrator approve the OneStep certificate request from the active request list in the Installation field of the Administrator Operations Workbench. The administrator must select the correct Jurisdiction (the one under which OneStep issues certificates) so that the LDAP ACL rule changes are applied.

5. Use the setupSSL tool to retrieve the certificate from the Keon CA installation by executing the following command from the OneStep/setup directory:

    setupSSL -d2 -retrieve setupSSL.conf

It is not necessary to provide the passphrase for the retrieval of the certificate.

6. Restart the Keon CA services.

Legacy Article ID: a28980
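The steps above are manual; the following POSIX shell helpers are an added example (not RSA's own tooling and not part of the original article) that scripts the client-side parts of the procedure: building a unique ssl-RS value in the documented format, moving the old key and certificate aside so they remain available for rollback, and invoking setupSSL for the request and retrieval. It assumes that setupSSL.conf stores the request source as a line of the form `ssl-RS = <value>` (the article does not show the file syntax; adjust the sed pattern if it differs), that the OneStep root directory is passed as an argument, and that setupSSL is on the PATH when run from OneStep/setup, as the article's commands imply.

```shell
#!/bin/sh
# Added example, not part of the RSA article. Assumptions: setupSSL.conf has a
# line "ssl-RS = <value>" (file syntax assumed), and $ROOT is the OneStep root.

# Step 1: build the request-source value in the documented format
#   RSAKeonOneStep:<client_hostname>:<server_hostname>[:date[,time]]
# The date/time suffix is what makes each request unique at the Keon CA.
make_request_source() {
    client="$1"; server="$2"; stamp="$3"
    [ -n "$stamp" ] || stamp=$(date '+%m/%d/%Y,%H:%M:%S')
    printf 'RSAKeonOneStep:%s:%s:%s\n' "$client" "$server" "$stamp"
}

# Step 1 (cont.): rewrite the ssl-RS line in setupSSL.conf, keeping a .bak copy.
# Fails if no ssl-RS line exists, so a misplaced path is noticed early.
update_request_source() {
    conf="$1"; value="$2"
    grep -q '^[[:space:]]*ssl-RS' "$conf" || return 1
    cp "$conf" "$conf.bak" || return 1
    # '|' is the sed delimiter because the value contains slashes.
    sed "s|^\([[:space:]]*ssl-RS[[:space:]]*=\).*|\1 $value|" "$conf.bak" > "$conf"
}

# Step 2: move the expired key and certificate aside with a suffix rather than
# deleting them, so setupSSL creates a fresh pair and rollback stays possible.
retire_old_keypair() {
    root="$1"; suffix="$2"
    [ -n "$suffix" ] || suffix=$(date '+%Y%m%d%H%M%S')
    for f in "$root/ssl/private/onestep.key" "$root/ssl/certs/onestep.cert"; do
        if [ -f "$f" ]; then
            mv "$f" "$f.expired.$suffix" || return 1
        fi
    done
}

# Step 3: request a new certificate from OneStep/setup. The passphrase is only
# passed when given (hardware private key via ssl-cryptoType); the subshell
# keeps the caller's working directory unchanged.
request_certificate() {
    root="$1"; passphrase="$2"
    if [ -n "$passphrase" ]; then
        ( cd "$root/setup" && setupSSL -d2 -request -p "$passphrase" setupSSL.conf )
    else
        ( cd "$root/setup" && setupSSL -d2 -request setupSSL.conf )
    fi
}

# Step 5: retrieve the approved certificate; no passphrase is needed here.
retrieve_certificate() {
    root="$1"
    ( cd "$root/setup" && setupSSL -d2 -retrieve setupSSL.conf )
}

# Driver (runs only when invoked with arguments):
#   sh resign_onestep.sh <onestep_root> <client_hostname> <server_hostname> [passphrase]
# Step 4 (administrator approval in the Keon CA interface) happens between the
# request and the retrieval, so the script pauses for it; step 6 (service
# restart) is left to the operator.
if [ "$#" -ge 3 ]; then
    ROOT="$1"
    RS=$(make_request_source "$2" "$3")
    update_request_source "$ROOT/setup/setupSSL.conf" "$RS" || exit 1
    retire_old_keypair "$ROOT" || exit 1
    request_certificate "$ROOT" "$4" || exit 1
    printf 'Request sent as %s. Approve it in the Keon CA interface, then press Enter.\n' "$RS"
    read dummy
    retrieve_certificate "$ROOT" || exit 1
    echo 'Certificate retrieved; restart the Keon CA services.'
fi
```

The functions can also be sourced and run one at a time, which is useful when the approval in step 4 takes longer than a single session; the `.bak` copy and the `.expired.<suffix>` files give a straightforward way back to the previous configuration if the request is rejected.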
