|Applies To||Keon Certificate Authority OneStep 6.5.1; Sun Solaris 2.8|
|Issue||How to re-sign RSA Keon Certificate Authority OneStep SSL certificates; RSA Keon Certificate Authority OneStep SSL certificate expired|
|Resolution||Currently, RSA Keon Certificate Authority has no automated way to renew the OneStep SSL certificate. To request and retrieve a new OneStep SSL certificate to replace the expired one, follow the steps below:|
1. Update the request date in the OneStep/setup/setupSSL.conf file. The request-source parameter (ssl-RS), which identifies the request at the Keon CA installation, must be unique for each request and should have the following format:
The request-source parameter must also begin with RSAKeonOneStep, such as:
2. Rename the existing OneStep/ssl/private/onestep.key and OneStep/ssl/certs/onestep.cert files.
3. Use the setupSSL command-line tool to create a new public/private keypair and request a new SSL certificate from the Keon CA installation. Do so by executing the following command from the OneStep/setup directory:
setupSSL -d2 -request setupSSL.conf
The setupSSL tool creates a new OneStep/ssl/private/onestep.key file and sends the SSL certificate request to the Keon CA installation.
If you previously uncommented the ssl-cryptoType parameter to use a hardware private key, use the -p option to specify a passphrase (the passphrase must not contain spaces, tabs, or other whitespace characters):
setupSSL -d2 -request -p <passphrase> setupSSL.conf
4. From the Keon CA Administrative Interface, have the Keon CA administrator approve the OneStep certificate request from the active request list in the Installation field of the Administrator Operations Workbench. The administrator must select the correct Jurisdiction (the one under which OneStep issues certificates) so that the LDAP ACL rule changes are applied.
5. Use the setupSSL tool to retrieve the certificate from the Keon CA installation by executing the following command from the OneStep/setup directory:
setupSSL -d2 -retrieve setupSSL.conf
It is not necessary to provide the passphrase for the retrieval of the certificate.
6. Restart the Keon CA services.
|Legacy Article ID||a28980|