This section describes how to renew administrator certificates in the Barbican service with a configured Dogtag plugin.

Prerequisites:

1. Log in to the OpenStack secrets storage node (kmn).

2. Obtain the list of certificates:

    certutil -L -d /root/.dogtag/pki-tomcat/ca/alias/

   Example of system response:

    Certificate Nickname                         Trust Attributes
                                                 SSL,S/MIME,JAR/XPI
    caadmin                                      u,u,u

   Note the nickname and attributes of the administrator certificate to renew:

    caadmin    u,u,u

3. Review the certificate validity date and note its serial number:

    certutil -L -d /root/.dogtag/pki-tomcat/ca/alias/ -n "caadmin" | egrep "Serial|Before|After"

   Example of system response:

    Serial Number: 6 (0x6)
    Not Before: Tue Apr 26 12:42:31 2022
    Not After : Mon Apr 15 12:42:31 2024
To renew the Barbican administrator certificate:

1. Log in to the OpenStack secrets storage node (kmn).

2. Obtain the profile template:

    pki ca-cert-request-profile-show caManualRenewal --output caManualRenewal.xml

3. Edit the profile template and enter the serial number of the certificate to renew (noted in the prerequisite steps) in the two lines marked with the "Insert SerialNumber here" comment in the template below; both the SerialNumber element and the serial_num Value must carry the same number:

    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <CertEnrollmentRequest>
        <Attributes/>
        <ProfileID>caManualRenewal</ProfileID>
        <Renewal>true</Renewal>
        <SerialNumber>6</SerialNumber> <!--Insert SerialNumber here-->
        <RemoteHost></RemoteHost>
        <RemoteAddress></RemoteAddress>
        <Input id="i1">
            <ClassID>serialNumRenewInputImpl</ClassID>
            <Name>Serial Number of Certificate to Renew</Name>
            <Attribute name="serial_num">
                <Value>6</Value> <!--Insert SerialNumber here-->
                <Descriptor>
                    <Syntax>string</Syntax>
                    <Description>Serial Number of Certificate to Renew</Description>
                </Descriptor>
            </Attribute>
        </Input>
    </CertEnrollmentRequest>
4. Submit the request and note the request ID:

    pki ca-cert-request-submit caManualRenewal.xml

   Example of system response:

    -----------------------------
    Submitted certificate request
    -----------------------------
      Request ID: 9
      Type: renewal
      Request Status: pending
      Operation Result: success

5. Using the password from /root/.dogtag/pki-tomcat/ca/password.conf, approve the request and note the ID of the new certificate:

   Note

   During the first run of a system with self-signed certificates you may get a warning informing of an untrusted issuer. In this case, proceed with importing the CA certificate and accept the default CA server URI.

    pki -d /root/.dogtag/pki-tomcat/ca/alias/ -c rCWuvkszR4tbiDmMHfpLqJDtVQbHP1da -n caadmin ca-cert-request-review 9 --action approve

   Example of system response:

    -------------------------------
    Approved certificate request 10
    -------------------------------
      Request ID: 9
      Type: renewal
      Request Status: complete
      Operation Result: success
      Certificate ID: 0x10
6. Download the renewed certificate:

    pki ca-cert-show 0x10 --output ca_admin_new.crt

   Example of system response:

    ------------------
    Certificate "0x10"
    ------------------
      Serial Number: 0x10
      Issuer: CN=CA Signing Certificate,O=EXAMPLE
      Subject: CN=PKI Administrator,E=caadmin@example.com,O=EXAMPLE
      Status: VALID
      Not Before: Tue Jun 14 12:24:14 UTC 2022
      Not After: Wed Jun 14 12:24:14 UTC 2023
7. Add the renewed certificate to the caadmin and kraadmin users in the LDAP database:

    pki -d /root/.dogtag/pki-tomcat/ca/alias/ -c rCWuvkszR4tbiDmMHfpLqJDtVQbHP1da -n caadmin ca-user-cert-add --serial 0x10 caadmin
    pki -d /root/.dogtag/pki-tomcat/ca/alias/ -c rCWuvkszR4tbiDmMHfpLqJDtVQbHP1da -n caadmin kra-user-cert-add --serial 0x10 kraadmin

   Example of system response:

    -----------------------------------------------------------------------------------------------------------------
    Added certificate "2;16;CN=CA Signing Certificate,O=EXAMPLE;CN=PKI Administrator,E=caadmin@example.com,O=EXAMPLE"
    -----------------------------------------------------------------------------------------------------------------
      Cert ID: 2;16;CN=CA Signing Certificate,O=EXAMPLE;CN=PKI Administrator,E=caadmin@example.com,O=EXAMPLE
      Version: 2
      Serial Number: 0x10
      Issuer: CN=CA Signing Certificate,O=EXAMPLE
      Subject: CN=PKI Administrator,E=caadmin@example.com,O=EXAMPLE

8. Verify that the new certificate is present in the LDAP entries of both users:

    ldapsearch -D "cn=Directory Manager" -b "dc=example,dc=com" -w rCWuvkszR4tbiDmMHfpLqJDtVQbHP1da "uid=caadmin"
    ldapsearch -D "cn=Directory Manager" -b "o=pki-tomcat-KRA" -w rCWuvkszR4tbiDmMHfpLqJDtVQbHP1da "uid=kraadmin"
   Example of system response (the entry must now carry a second description value with serial field 16 and a second userCertificate value):

    # extended LDIF
    #
    # LDAPv3
    # base <dc=example,dc=com> with scope subtree
    # filter: uid=caadmin
    # requesting: ALL
    #

    # caadmin, people, example.com
    dn: uid=caadmin,ou=people,dc=example,dc=com
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: inetOrgPerson
    objectClass: cmsuser
    uid: caadmin
    sn: caadmin
    cn: caadmin
    mail: caadmin@example.com
    usertype: adminType
    userstate: 1
    userPassword:: e1NTSEF9QWY5Mys3a2ZHRUh0cHVyMnhVbDNPcVB2TGZoZHREd2Y3ejRhYnc9PQ=
     =
    description: 2;6;CN=CA Signing Certificate,O=EXAMPLE;CN=PKI Administrator,E=ca
     admin@example.com,O=EXAMPLE
    description: 2;16;CN=CA Signing Certificate,O=EXAMPLE;CN=PKI Administrator,E=c
     aadmin@example.com,O=EXAMPLE
    userCertificate:: MIIDnTCCAoWgAwIBAgIBBjANBgkqhkiG9w0BAQsFADAzMRAwDgYDVQQKDAdF
    ...
    userCertificate:: MIIDnTCCAoWgAwIBAgIBEDANBgkqhkiG9w0BAQsFADAzMRAwDgYDVQQKDAdF
    ...
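Reading the ldapsearch output by eye only shows that a second description and userCertificate value appeared; it does not prove they belong to the renewed certificate. The following Python script is an added example, not part of this documentation or of Dogtag: it unfolds the LDIF, takes the serial out of each description value (the second ;-separated field, in decimal) and the serialNumber out of the DER of each userCertificate value, and checks that the renewed serial 0x10 is present in both. The LDIF sample is constructed from the output above; its userCertificate values are truncated exactly as the page shows them, which suffices because the DER walk only reads the leading bytes. Function names are assumptions.

```python
"""Check that a Dogtag user entry carries the renewed admin certificate.

Added example, not part of the original documentation or of Dogtag.
The LDIF sample and the function names are assumptions.
"""
import base64

# Constructed sample of the `ldapsearch ... "uid=caadmin"` output shown above.
# The userCertificate values are cut after 60 base64 characters, as on the
# page; the DER parser below only needs the first ~16 bytes of each.
SAMPLE_LDIF = """\
# extended LDIF
#
# caadmin, people, example.com
dn: uid=caadmin,ou=people,dc=example,dc=com
objectClass: top
objectClass: cmsuser
uid: caadmin
description: 2;6;CN=CA Signing Certificate,O=EXAMPLE;CN=PKI Administrator,E=ca
 admin@example.com,O=EXAMPLE
description: 2;16;CN=CA Signing Certificate,O=EXAMPLE;CN=PKI Administrator,E=c
 aadmin@example.com,O=EXAMPLE
userCertificate:: MIIDnTCCAoWgAwIBAgIBBjANBgkqhkiG9w0BAQsFADAzMRAwDgYDVQQKDAdF
userCertificate:: MIIDnTCCAoWgAwIBAgIBEDANBgkqhkiG9w0BAQsFADAzMRAwDgYDVQQKDAdF
"""


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute: [values]}.

    Continuation lines (leading space) are unfolded, comment lines skipped,
    '::' values base64-decoded to bytes; plain ':' values are kept as str.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]              # LDIF fold: glue onto previous line
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    entry = {}
    for line in lines:
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip())
        else:
            value = value.strip()
        entry.setdefault(attr, []).append(value)
    return entry


def _der_tlv(data, pos):
    """Return (tag, value_start, value_end) of the DER TLV at pos (definite length)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:                         # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def der_certificate_serial(der):
    """Return serialNumber from an X.509 DER Certificate; leading bytes suffice."""
    _, pos, _ = _der_tlv(der, 0)              # Certificate ::= SEQUENCE
    _, pos, _ = _der_tlv(der, pos)            # tbsCertificate ::= SEQUENCE
    tag, start, end = _der_tlv(der, pos)
    if tag == 0xA0:                           # EXPLICIT [0] version, optional
        tag, start, end = _der_tlv(der, end)
    if tag != 0x02:
        raise ValueError("expected INTEGER serialNumber in tbsCertificate")
    return int.from_bytes(der[start:end], "big", signed=True)


def description_serials(entry):
    """Serials from Dogtag description values: 'version;serial;issuer;subject'."""
    return [int(d.split(";")[1]) for d in entry.get("description", [])]


def certificate_serials(entry):
    """Serials decoded from the DER of each stored userCertificate value."""
    return [der_certificate_serial(c) for c in entry.get("userCertificate", [])]


def has_certificate(entry, serial):
    """True when the serial is recorded both as a description and as a stored cert."""
    return serial in description_serials(entry) and serial in certificate_serials(entry)


if __name__ == "__main__":
    entry = parse_ldif_entry(SAMPLE_LDIF)
    print("description serials:", description_serials(entry))
    print("certificate serials:", certificate_serials(entry))
    print("renewed certificate 0x10 present:", has_certificate(entry, 0x10))
```

Feed the real ldapsearch output to parse_ldif_entry for both the caadmin and the kraadmin entry; has_certificate(entry, 0x10) should be true for each before you proceed to replace the certificate in the NSS database.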
9. Stop the pki-tomcatd service:

    systemctl stop pki-tomcatd

10. Delete the old certificate using the nickname noted in the prerequisite steps:

    certutil -D -n "caadmin" -d /root/.dogtag/pki-tomcat/ca/alias/

11. Import the renewed certificate using the attributes noted in the prerequisite steps:

    certutil -A -n "caadmin" -t u,u,u -d /root/.dogtag/pki-tomcat/ca/alias/ -a -i ca_admin_new.crt

12. Start the pki-tomcatd service:

    systemctl start pki-tomcatd

13. Verify the new certificate:

    certutil -L -d /root/.dogtag/pki-tomcat/ca/alias/ -n "caadmin" | egrep "Serial|Before|After"

   Example of system response:

    Serial Number: 16 (0x10)
    Not Before: Tue Jun 14 12:24:14 2022
    Not After : Wed Jun 14 12:24:14 2023
14. Create new ca_admin_cert.p12 and kra_admin_cert.pem files:

    openssl pkcs12 -in /root/.dogtag/pki-tomcat/ca_admin_cert.p12 -passin pass:rCWuvkszR4tbiDmMHfpLqJDtVQbHP1da -passout pass:1234567 -nocerts -out passPrivateKey.pem
    openssl rsa -in passPrivateKey.pem -out "privateKey.pem" -passin pass:1234567
    openssl pkcs12 -export -in ca_admin_new.crt -inkey privateKey.pem -out ca_admin_new.p12 -clcerts -passout pass:rCWuvkszR4tbiDmMHfpLqJDtVQbHP1da
    openssl pkcs12 -in ca_admin_new.p12 -passin pass:rCWuvkszR4tbiDmMHfpLqJDtVQbHP1da -out kra_admin_cert_new.pem -nodes

   You can change the passout and passin parameters for a stronger password pair.

15. Update kra_admin_cert.pem in the barbican and dogtag folders and restart the services that use it:

    cp /etc/barbican/kra_admin_cert.pem ./kra_admin_cert_old.pem
    cp kra_admin_cert_new.pem /etc/barbican/kra_admin_cert.pem
    cp kra_admin_cert_new.pem /etc/dogtag/kra_admin_cert.pem
    systemctl restart barbican-worker.service
    systemctl restart apache2

   Warning

   Once you update the certificate on the master node, replicate the changes to other nodes. To do so, transfer kra_admin_cert_new.pem from the master node to /etc/barbican/kra_admin_cert.pem on other nodes.