Renew Barbican administrator certificates

Renew Barbican administrator certificatesΒΆ

This section describes how to renew administrator certificates in the Barbican service with a configured Dogtag plugin.

Prerequisites:

  1. Log in to the OpenStack secrets storage node (kmn).

  2. Obtain the list of certificates:

    certutil -L -d /root/.dogtag/pki-tomcat/ca/alias/
    

    Example of system response:

    Certificate Nickname   Trust Attributes
                           SSL,S/MIME,JAR/XPI
    caadmin                u,u,u
    
  3. Note the nickname and attributes of the administrator certificate to renew:

    caadmin   u,u,u
    
  4. Review the certificate validity date and note its serial number:

    certutil -L -d /root/.dogtag/pki-tomcat/ca/alias/ -n "caadmin" | egrep "Serial|Before|After"
    

    Example of system response:

    Serial Number: 6 (0x6)
        Not Before: Tue Apr 26 12:42:31 2022
        Not After : Mon Apr 15 12:42:31 2024
    

To renew the Barbican administrator certificate:

  1. Log in to the OpenStack secrets storage node (kmn).

  2. Obtain the profile template:

    pki ca-cert-request-profile-show caManualRenewal --output caManualRenewal.xml
    
  3. Edit the profile template and add the serial number of the certificate to renew on the two lines marked with the Insert SerialNumber here comment (the SerialNumber element and the serial_num Value):

    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <CertEnrollmentRequest>
        <Attributes/>
        <ProfileID>caManualRenewal</ProfileID>
        <Renewal>true</Renewal>
        <SerialNumber>6</SerialNumber>           <!--Insert SerialNumber here-->
        <RemoteHost></RemoteHost>
        <RemoteAddress></RemoteAddress>
        <Input id="i1">
            <ClassID>serialNumRenewInputImpl</ClassID>
            <Name>Serial Number of Certificate to Renew</Name>
            <Attribute name="serial_num">
                <Value>6</Value>           <!--Insert SerialNumber here-->
                <Descriptor>
                    <Syntax>string</Syntax>
                    <Description>Serial Number of Certificate to Renew</Description>
                </Descriptor>
            </Attribute>
        </Input>
    </CertEnrollmentRequest>
    
  4. Submit the request and note the request ID:

    pki ca-cert-request-submit caManualRenewal.xml
    

    Example of system response:

    -----------------------------
    Submitted certificate request
    -----------------------------
      Request ID: 9
      Type: renewal
      Request Status: pending
      Operation Result: success
    
  5. Approve the request using the NSS database password from /root/.dogtag/pki-tomcat/ca/password.conf and note the ID of the new certificate. A password passed with -c, as in the examples on this page, stays in the shell history and is visible to other users in the process list while the command runs, so read it from the file instead of typing it and remove the command from the history afterwards:

    Note

    During the first run of a system with self-signed certificates you may get a warning informing of an untrusted issuer. In this case, proceed with importing the CA certificate and accept the default CA server URI.

    pki -d /root/.dogtag/pki-tomcat/ca/alias/ -c rCWuvkszR4tbiDmMHfpLqJDtVQbHP1da -n caadmin ca-cert-request-review 9 --action approve
    

    Example of system response:

    -------------------------------
    Approved certificate request 9
    -------------------------------
      Request ID: 9
      Type: renewal
      Request Status: complete
      Operation Result: success
      Certificate ID: 0x10
    
  6. Download the renewed certificate:

    pki ca-cert-show 0x10 --output ca_admin_new.crt
    

    Example of system response:

    ------------------
    Certificate "0x10"
    ------------------
      Serial Number: 0x10
      Issuer: CN=CA Signing Certificate,O=EXAMPLE
      Subject: CN=PKI Administrator,E=caadmin@example.com,O=EXAMPLE
      Status: VALID
      Not Before: Tue Jun 14 12:24:14 UTC 2022
      Not After: Wed Jun 14 12:24:14 UTC 2023
    
  7. Add the renewed certificate to the caadmin and kraadmin users in the LDAP database:

    pki -d /root/.dogtag/pki-tomcat/ca/alias/ -c rCWuvkszR4tbiDmMHfpLqJDtVQbHP1da -n caadmin ca-user-cert-add --serial 0x10 caadmin
    pki -d /root/.dogtag/pki-tomcat/ca/alias/ -c rCWuvkszR4tbiDmMHfpLqJDtVQbHP1da -n caadmin kra-user-cert-add --serial 0x10 kraadmin
    

    Example of system response:

    -----------------------------------------------------------------------------------------------------------------
    Added certificate "2;16;CN=CA Signing Certificate,O=EXAMPLE;CN=PKI Administrator,E=caadmin@example.com,O=EXAMPLE"
    -----------------------------------------------------------------------------------------------------------------
      Cert ID: 2;16;CN=CA Signing Certificate,O=EXAMPLE;CN=PKI Administrator,E=caadmin@example.com,O=EXAMPLE
      Version: 2
      Serial Number: 0x10
      Issuer: CN=CA Signing Certificate,O=EXAMPLE
      Subject: CN=PKI Administrator,E=caadmin@example.com,O=EXAMPLE
    
  8. Verify that the new certificate is present in the system:

    ldapsearch -D "cn=Directory Manager" -b "dc=example,dc=com" -w rCWuvkszR4tbiDmMHfpLqJDtVQbHP1da "uid=caadmin"
    ldapsearch -D "cn=Directory Manager" -b "o=pki-tomcat-KRA" -w rCWuvkszR4tbiDmMHfpLqJDtVQbHP1da "uid=kraadmin"
    

    Example of system response:

    # extended LDIF
    #
    # LDAPv3
    # base <dc=example,dc=com> with scope subtree
    # filter: uid=caadmin
    # requesting: ALL
    #
    
    # caadmin, people, example.com
    dn: uid=caadmin,ou=people,dc=example,dc=com
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: inetOrgPerson
    objectClass: cmsuser
    uid: caadmin
    sn: caadmin
    cn: caadmin
    mail: caadmin@example.com
    usertype: adminType
    userstate: 1
    userPassword:: e1NTSEF9QWY5Mys3a2ZHRUh0cHVyMnhVbDNPcVB2TGZoZHREd2Y3ejRhYnc9PQ=
     =
    description: 2;6;CN=CA Signing Certificate,O=EXAMPLE;CN=PKI Administrator,E=ca
     admin@example.com,O=EXAMPLE
    description: 2;16;CN=CA Signing Certificate,O=EXAMPLE;CN=PKI Administrator,E=c
     aadmin@example.com,O=EXAMPLE
    userCertificate:: MIIDnTCCAoWgAwIBAgIBBjANBgkqhkiG9w0BAQsFADAzMRAwDgYDVQQKDAdF
    ...
    userCertificate:: MIIDnTCCAoWgAwIBAgIBEDANBgkqhkiG9w0BAQsFADAzMRAwDgYDVQQKDAdF
    ...
    
  9. Stop the pki-tomcatd service:

    systemctl stop pki-tomcatd
    
  10. Delete the old certificate using the nickname noted in the prerequisite steps. certutil -D removes only the certificate; the private key stays in the database, so the renewed certificate, which was issued for the same key, pairs with that key when it is imported in the next step:

    certutil -D -n "caadmin" -d /root/.dogtag/pki-tomcat/ca/alias/
    
  11. Import the renewed certificate using the attributes noted in the prerequisite steps:

    certutil -A -n "caadmin" -t u,u,u -d /root/.dogtag/pki-tomcat/ca/alias/ -a -i ca_admin_new.crt
    
  12. Start the pki-tomcatd service:

    systemctl start pki-tomcatd
    
  13. Verify the new certificate:

    certutil -L -d /root/.dogtag/pki-tomcat/ca/alias/ -n "caadmin" | egrep "Serial|Before|After"
    

    Example of system response:

    Serial Number: 16 (0x10)
        Not Before: Tue Jun 14 12:24:14 2022
        Not After : Wed Jun 14 12:24:14 2023
    
  14. Create the new ca_admin_new.p12 and kra_admin_cert_new.pem files from the existing ca_admin_cert.p12 and the renewed certificate:

    openssl pkcs12 -in /root/.dogtag/pki-tomcat/ca_admin_cert.p12 -passin pass:rCWuvkszR4tbiDmMHfpLqJDtVQbHP1da -passout pass:1234567 -nocerts -out passPrivateKey.pem
    openssl rsa -in passPrivateKey.pem -out "privateKey.pem" -passin pass:1234567
    openssl pkcs12 -export -in ca_admin_new.crt -inkey privateKey.pem -out ca_admin_new.p12 -clcerts -passout pass:rCWuvkszR4tbiDmMHfpLqJDtVQbHP1da
    openssl pkcs12 -in ca_admin_new.p12 -passin pass:rCWuvkszR4tbiDmMHfpLqJDtVQbHP1da -out kra_admin_cert_new.pem -nodes
    

    The 1234567 value only protects the intermediate passPrivateKey.pem file. privateKey.pem and kra_admin_cert_new.pem contain the unencrypted private key: create them with a restrictive umask, keep them readable by root only, and delete passPrivateKey.pem and privateKey.pem once ca_admin_new.p12 and kra_admin_cert_new.pem exist. You can change the passout and passin parameters for a stronger password pair.

  15. Update kra_admin_cert.pem in the barbican and dogtag folders:

    cp /etc/barbican/kra_admin_cert.pem ./kra_admin_cert_old.pem
    cp kra_admin_cert_new.pem /etc/barbican/kra_admin_cert.pem
    cp kra_admin_cert_new.pem /etc/dogtag/kra_admin_cert.pem
    systemctl restart barbican-worker.service
    systemctl restart apache2
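
The whole procedure above as one script, added here as an example and not Mirantis or Dogtag code. The output parsing (serial number and expiry from certutil, request and certificate IDs from pki, the two serial placeholders in the XML template) is pulled into small functions so each step can be checked before the next command runs, the old certificate is exported before it is deleted so the swap can be reverted, and the renewed certificate is exercised against the CA before Barbican is touched. Assumed, not stated on the page: password.conf has the pkispawn internal=<password> layout, the same password opens ca_admin_cert.p12 (as in the openssl step above), the caManualRenewal template carries a single serial_num Value, and date(1) is GNU date. The function names and the RENEW_CAADMIN guard variable are this example's own.

```shell
#!/usr/bin/env bash
# Added example (not Mirantis or Dogtag code): the caadmin renewal procedure as
# one script. Assumptions: password.conf is "internal=<password>", the same
# password opens ca_admin_cert.p12, the template has one serial_num <Value>,
# and date(1) is GNU date.
set -eu

NSSDB=/root/.dogtag/pki-tomcat/ca/alias
PWFILE=/root/.dogtag/pki-tomcat/ca/password.conf
NICK=caadmin

# Read the password from the file rather than pasting it on the command line:
# it then stays out of the shell history (it is still visible in ps while pki runs).
nssdb_password() { sed -n 's/^internal=//p' "$PWFILE" | head -n1; }

# certutil -L -n <nick> output on stdin: "Serial Number: 6 (0x6)" -> 6
serial_from_certutil() { sed -n 's/^ *Serial Number: *\([0-9][0-9]*\) .*/\1/p' | head -n1; }

# Same input: whole days between $1 (epoch seconds) and the "Not After" line.
days_left_from_certutil() {
    local now=$1 exp
    exp=$(date -d "$(sed -n 's/^ *Not After *: *//p' | head -n1)" +%s)
    echo $(( (exp - now) / 86400 ))
}

# Fill both serial placeholders of the caManualRenewal template (stdin -> stdout).
fill_renewal_template() {
    sed -e "s#<SerialNumber>[^<]*</SerialNumber>#<SerialNumber>$1</SerialNumber>#" \
        -e "s#<Value>[^<]*</Value>#<Value>$1</Value>#"
}

# pki output on stdin: field "Request ID" -> 9, field "Certificate ID" -> 0x10
field() { sed -n "s/^ *$1: *//p" | head -n1; }

renew_caadmin() {
    local pw serial req cert
    pw=$(nssdb_password)
    serial=$(certutil -L -d "$NSSDB" -n "$NICK" | serial_from_certutil)
    echo "renewing $NICK, serial $serial, $(certutil -L -d "$NSSDB" -n "$NICK" \
        | days_left_from_certutil "$(date +%s)") days left"

    # Steps 2-7: request, approve, fetch, register with the CA and KRA users.
    pki ca-cert-request-profile-show caManualRenewal --output caManualRenewal.xml
    fill_renewal_template "$serial" < caManualRenewal.xml > "renew_$serial.xml"
    req=$(pki ca-cert-request-submit "renew_$serial.xml" | field "Request ID")
    cert=$(pki -d "$NSSDB" -c "$pw" -n "$NICK" ca-cert-request-review "$req" \
        --action approve | field "Certificate ID")
    pki ca-cert-show "$cert" --output ca_admin_new.crt
    pki -d "$NSSDB" -c "$pw" -n "$NICK" ca-user-cert-add --serial "$cert" caadmin
    pki -d "$NSSDB" -c "$pw" -n "$NICK" kra-user-cert-add --serial "$cert" kraadmin

    # Steps 9-13: swap the certificate in the NSS DB. certutil -D drops the
    # certificate only; the private key stays, so the renewed certificate (same
    # key) pairs with it. The old certificate is kept so the swap can be reverted.
    certutil -L -d "$NSSDB" -n "$NICK" -a > "ca_admin_old_$serial.crt"
    systemctl stop pki-tomcatd
    certutil -D -d "$NSSDB" -n "$NICK"
    certutil -A -d "$NSSDB" -n "$NICK" -t u,u,u -a -i ca_admin_new.crt
    systemctl start pki-tomcatd
    # Prove the renewed certificate authenticates before Barbican depends on it.
    pki -d "$NSSDB" -c "$pw" -n "$NICK" ca-user-show caadmin > /dev/null

    # Steps 14-15: rebundle for Barbican. -nodes replaces the page's
    # passPrivateKey.pem/openssl rsa pair; the key is written unencrypted, so
    # new files are created root-only and the loose key file is shredded.
    umask 077
    openssl pkcs12 -in /root/.dogtag/pki-tomcat/ca_admin_cert.p12 -passin "pass:$pw" \
        -nocerts -nodes -out privateKey.pem
    openssl pkcs12 -export -in ca_admin_new.crt -inkey privateKey.pem -clcerts \
        -passout "pass:$pw" -out ca_admin_new.p12
    openssl pkcs12 -in ca_admin_new.p12 -passin "pass:$pw" -nodes -out kra_admin_cert_new.pem
    shred -u privateKey.pem
    cp /etc/barbican/kra_admin_cert.pem kra_admin_cert_old.pem
    cp kra_admin_cert_new.pem /etc/barbican/kra_admin_cert.pem   # keeps the target's owner and mode
    cp kra_admin_cert_new.pem /etc/dogtag/kra_admin_cert.pem
    systemctl restart barbican-worker.service apache2
}

# Only act when asked; sourcing the file just defines the functions.
if [ "${RENEW_CAADMIN:-0}" = 1 ]; then
    renew_caadmin
fi
```

Run it on the kmn node as root with RENEW_CAADMIN=1; set -e stops the script at the first failing command, so a rejected request or a failed approval never reaches the certutil -D step. The saved ca_admin_old_<serial>.crt can be re-imported with certutil -A and the same u,u,u trust flags if the new certificate does not authenticate.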
    

Warning

Once you update the certificate on the master node, replicate the change to the other nodes. To do so, copy kra_admin_cert_new.pem from the master node to /etc/barbican/kra_admin_cert.pem on each of the other nodes.