000022744 - How to reissue LogServer and Xudad certificates with Keon Certificate Authority on Sun Solaris

Document created by RSA Customer Support Employee on Jun 16, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000022744
Applies ToKeon Certificate Authority 6.x
Sun Solaris
IssueHow to reissue LogServer and Xudad certificates with Keon Certificate Authority on Sun Solaris
Unable to reissue LogServer and Xudad certificates with RSA Keon CA on Solaris. Server certificates (other than those for WebServer) cannot be re-issued by the CA.
The certificates (non WebServer) are not listed in the drop-down selection within KCA Administration - Administrator Operations Workbench - Internal Certificates.
CauseThis feature is documented within the RSA Keon CA Administration Guide on page 383 where non WebServer certificates cannot be re-issued if KCA has been installed as root.
ResolutionIt is briefly explained in the Keon Certificate Authority Administrator's Guide on page 323 that if you have installed onto Sun Solaris 7 or 8 as root, then these certificates (WebServer and Xudad) must be treated as external certificates.

Secure Log Signing Certificate (/LogServer\sign\certs\signing.cert):

As root, go to the <install-dir>/RSA_KeonCA/LogServer/sign/certs/ directory. Make a back up of the signing.cert file, e.g. cp signing.cert signing.cert.orig.

Make a note of the owner and group permissions of the signing.cert file then copy this file to the <install-dir>/RSA_KeonCA/WebServer/ssl/certs directory.

Go to the <install-dir>/RSA_KeonCA/WebServer/ssl/certs/ directory and change the owner and group of the signing.cert file to how it was in the original directory.

Now go back into Administrator Operations Workbench (you may need to refresh this page) and click on ReIssue under Server Certificates. You should now see the internal certificate for Secure Log Signing (WebServer/ssl/certs/signing.cert) in the list. Reissue this certificate as normal. Once the reissue of the certificate is completed, it will have made a backup of the original certificate (signing.cert.bak) within the directory.

Now MOVE the signing.cert file back to the original directory overwriting the original one. Once the file has been moved back to the <install-dir>/RSA_KeonCA/LogServer/sign/certs/ directory, check the permissions are correct.

You will need to stop and restart your Keon services: -

From the <install-dir>/RSA_KeonCA/ directory, run ./STOP and allow this to complete.

Run ./START from the same directory

Now follow this solution for the other certificates you need to renew.

Locations of LogServer and Xudad certificates signed by the CA:

Secure Log Signing Certificate: (/LogServer\sign\certs\signing.cert)
Directory: <install-dir>/RSA_KeonCA/LogServer/sign/certs/

Secure Log Server Certificate: (/Logserver\ssl\certs\server_ssl.cert)
Directory: <install-dir>/RSA_KeonCA/LogServer/ssl/certs/

Secure Directory Root Access: (/Xudad\ssl\certs\root.cert)
Directory: <install-dir>/RSA_KeonCA/Xudad/ssl/certs/

Secure Directory Server: (/Xudad\ssl\certs\ssl.cert)
Directory: <install-dir>/RSA_KeonCA/Xudad/ssl/certs/
Legacy Article IDa30090