This section describes how to renew system certificates in the Barbican service with a configured Dogtag plugin.

Prerequisites:

1. Log in to the OpenStack secrets storage node (kmn).

2. Back up the pki-tomcat configuration files:

    /etc/pki/pki-tomcat/ca/CS.cfg
    /etc/pki/pki-tomcat/kra/CS.cfg

3. Obtain the list of used certificates:

    certutil -L -d /etc/pki/pki-tomcat/alias

   Example of system response:

    Certificate Nickname                       Trust Attributes
                                               SSL,S/MIME,JAR/XPI
    ocspSigningCert cert-pki-tomcat CA         u,u,u
    subsystemCert cert-pki-tomcat              u,u,u
    storageCert cert-pki-tomcat KRA            u,u,u
    Server-Cert cert-pki-tomcat                u,u,u
    caSigningCert cert-pki-tomcat CA           CTu,Cu,Cu
    auditSigningCert cert-pki-tomcat CA        u,u,Pu
    transportCert cert-pki-tomcat KRA          u,u,u
    auditSigningCert cert-pki-tomcat KRA       u,u,Pu
   Note: The Server-Cert cert-pki-tomcat certificate is unique for each kmn node. To obtain the serial numbers of these certificates, run the following command on the Salt master node:

    salt 'kmn*' cmd.run "certutil -L -d /etc/pki/pki-tomcat/alias -n 'Server-Cert cert-pki-tomcat' | egrep 'Serial|Before|After'"

   Example of system response:

    kmn01.dogtag.local:
        Serial Number: 3 (0x3)
        Not Before: Mon Dec 19 16:57:18 2022
        Not After : Sun Dec 08 16:57:18 2024
    kmn02.dogtag.local:
        Serial Number: 11 (0xb)
        Not Before: Mon Dec 19 17:02:39 2022
        Not After : Sun Dec 08 17:02:39 2024
    kmn03.dogtag.local:
        Serial Number: 10 (0xa)
        Not Before: Mon Dec 19 17:00:40 2022
        Not After : Sun Dec 08 17:00:40 2024

   The other certificates are the same on all kmn nodes:

    ocspSigningCert cert-pki-tomcat CA
    subsystemCert cert-pki-tomcat
    storageCert cert-pki-tomcat KRA
    caSigningCert cert-pki-tomcat CA
    auditSigningCert cert-pki-tomcat CA
    transportCert cert-pki-tomcat KRA
    auditSigningCert cert-pki-tomcat KRA

4. Note the nickname and trust attributes of the certificate to renew, for example:

    transportCert cert-pki-tomcat KRA          u,u,u

5. Review the certificate validity dates and note its serial number:

    certutil -L -d /etc/pki/pki-tomcat/alias -n "transportCert cert-pki-tomcat KRA" | egrep "Serial|Before|After"

   Example of system response:

    Serial Number: 7 (0x7)
    Not Before: Tue Apr 26 12:42:31 2022
    Not After : Mon Apr 15 12:42:31 2024
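The following script, added here as an example and not part of the original procedure, automates the checks in the prerequisite steps: it pulls every nickname out of a certutil -L listing and reports how many days each certificate has left, flagging the ones due for renewal. The function names, the 30-day threshold and the NOW_EPOCH override are assumptions of this example; it relies on GNU date -d and on the certutil output formats shown above.

```shell
#!/bin/sh
# Added example, not part of the original procedure. Reports remaining
# validity for every certificate in an NSS database such as
# /etc/pki/pki-tomcat/alias. Assumes GNU coreutils `date -d` and the
# certutil output formats shown in the procedure above.

# Extract nicknames from `certutil -L -d <dir>` output read on stdin.
# A certificate line ends in a trust-attribute triple such as u,u,u or
# CTu,Cu,Cu; the header lines do not, so they are skipped.
list_nicknames() {
  sed -n 's/^\(.*[^ ]\)  *[pPcCTuw,]*,[pPcCTuw,]*$/\1/p'
}

# Print the number of whole days until the "Not After" date found in the
# text given as $1 (output of `certutil -L ... -n <nick>`). NOW_EPOCH may
# be set to a fixed epoch time for reproducible checks.
cert_days_left() {
  not_after=$(printf '%s\n' "$1" | sed -n 's/^ *Not After *: *//p' | head -n 1)
  [ -n "$not_after" ] || return 1
  exp=$(date -u -d "$not_after" +%s) || return 1
  now=${NOW_EPOCH:-$(date -u +%s)}
  echo $(( (exp - now) / 86400 ))
}

# Classify a day count against a warning threshold: expired, renew or ok.
expiry_status() {
  if [ "$1" -lt 0 ]; then echo expired
  elif [ "$1" -lt "$2" ]; then echo renew
  else echo ok
  fi
}

# Walk an NSS database and print one status line per certificate.
# Usage: check_nssdb <nssdb dir> [warn-days]
check_nssdb() {
  dir=$1; warn=${2:-30}
  certutil -L -d "$dir" | list_nicknames | while IFS= read -r nick; do
    info=$(certutil -L -d "$dir" -n "$nick" | egrep 'Serial|Before|After')
    if left=$(cert_days_left "$info"); then
      printf '%-8s %4s days  %s\n' "$(expiry_status "$left" "$warn")" "$left" "$nick"
    else
      printf '%-8s %4s       %s\n' unknown - "$nick"
    fi
  done
}

# Run against a real database only when a directory is given on the command
# line, for example: sh check_nssdb.sh /etc/pki/pki-tomcat/alias 30
if [ -n "${1:-}" ]; then check_nssdb "$1" "${2:-30}"; fi
```

Run it on every kmn node (or through salt 'kmn*' cmd.run, as the Server-Cert check above does) before starting a renewal, so that a certificate with a short remaining lifetime is not overlooked while another one is being replaced.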
To renew the Barbican system certificate:

1. Log in to the OpenStack secrets storage node (kmn).

2. Obtain the profile template:

    pki ca-cert-request-profile-show caManualRenewal --output caManualRenewal.xml

3. Edit the profile template and insert the serial number of the certificate to renew in the two lines marked with the "Insert SerialNumber here" comment in the template below (the example uses serial number 6):

    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <CertEnrollmentRequest>
        <Attributes/>
        <ProfileID>caManualRenewal</ProfileID>
        <Renewal>true</Renewal>
        <SerialNumber>6</SerialNumber> <!--Insert SerialNumber here-->
        <RemoteHost></RemoteHost>
        <RemoteAddress></RemoteAddress>
        <Input id="i1">
            <ClassID>serialNumRenewInputImpl</ClassID>
            <Name>Serial Number of Certificate to Renew</Name>
            <Attribute name="serial_num">
                <Value>6</Value> <!--Insert SerialNumber here-->
                <Descriptor>
                    <Syntax>string</Syntax>
                    <Description>Serial Number of Certificate to Renew</Description>
                </Descriptor>
            </Attribute>
        </Input>
    </CertEnrollmentRequest>

4. Submit the request and note the request ID:

    pki ca-cert-request-submit caManualRenewal.xml

   Example of system response:

    -----------------------------
    Submitted certificate request
    -----------------------------
      Request ID: 16
      Type: renewal
      Request Status: pending
      Operation Result: success

5. Using the password from /root/.dogtag/pki-tomcat/ca/password.conf, approve the request and note the new certificate ID:

    pki -d /root/.dogtag/pki-tomcat/ca/alias/ -c rCWuvkszR4tbiDmMHfpLqJDtVQbHP1da -n caadmin ca-cert-request-review 16 --action approve

   Example of system response:

    -------------------------------
    Approved certificate request 16
    -------------------------------
      Request ID: 16
      Type: renewal
      Request Status: complete
      Operation Result: success
      Certificate ID: 0xf

6. Download the renewed certificate:

    pki ca-cert-show 0xf --output kra_transport.crt

   Example of system response:

    -----------------
    Certificate "0xf"
    -----------------
      Serial Number: 0xf
      Issuer: CN=CA Signing Certificate,O=EXAMPLE
      Subject: CN=DRM Transport Certificate,O=EXAMPLE
      Status: VALID
      Not Before: Fri Jun 10 13:11:50 UTC 2022
      Not After: Thu May 30 13:11:50 UTC 2024

   Note: You can also download the old certificate as a backup so that the change can be reverted:

    pki ca-cert-show 0x7 --output kra_old_transport.crt

7. Stop the pki-tomcatd service:

    systemctl stop pki-tomcatd

8. Delete the old certificate using the nickname noted in the prerequisite steps:

    certutil -D -d /etc/pki/pki-tomcat/alias -n 'transportCert cert-pki-tomcat KRA'

9. Import the renewed certificate using the trust attributes noted in the prerequisite steps:

    certutil -A -d /etc/pki/pki-tomcat/alias -n 'transportCert cert-pki-tomcat KRA' -i kra_transport.crt -t "u,u,u"

10. Update the certificate information in /etc/pki/pki-tomcat/kra/CS.cfg with the base64-encoded data of the new certificate (a single line, without the PEM header and footer):

    kra.transport.cert=<base64-encoded certificate data>

   Note: When updating all certificates, update both the /etc/pki/pki-tomcat/kra/CS.cfg and /etc/pki/pki-tomcat/ca/CS.cfg files.

   The configuration keys that hold the certificate data, by file (key <- certificate nickname):

    /etc/pki/pki-tomcat/ca/CS.cfg
      ca.subsystem.cert      <- subsystemCert cert-pki-tomcat
      ca.ocsp_signing.cert   <- ocspSigningCert cert-pki-tomcat CA
      ca.sslserver.cert      <- Server-Cert cert-pki-tomcat (unique for each kmn server)
      ca.signing.cert        <- caSigningCert cert-pki-tomcat CA
      ca.audit_signing.cert  <- auditSigningCert cert-pki-tomcat CA

    /etc/pki/pki-tomcat/kra/CS.cfg
      kra.subsystem.cert     <- subsystemCert cert-pki-tomcat
      kra.storage.cert       <- storageCert cert-pki-tomcat KRA
      kra.sslserver.cert     <- Server-Cert cert-pki-tomcat (unique for each kmn server)
      kra.transport.cert     <- transportCert cert-pki-tomcat KRA
      kra.audit_signing.cert <- auditSigningCert cert-pki-tomcat KRA
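The CS.cfg update in step 10 expects the certificate body as one line of base64 with the PEM header and footer removed, and a stray line break or a leftover header there is not reported until pki-tomcatd is restarted. The script below, added here as an example and not part of the original procedure, extracts that body from the downloaded PEM file, writes it to the matching key after saving a backup, and checks that the stored value equals the PEM body. The function names and the sample PEM and CS.cfg contents are constructed for the example; in a real run, point it at /etc/pki/pki-tomcat/kra/CS.cfg and the kra_transport.crt downloaded with pki ca-cert-show.

```shell
#!/bin/sh
# Added example, not part of the original procedure. Places the body of a
# renewed PEM certificate (base64 without header and footer, on one line)
# into the matching CS.cfg key, keeping a backup, and checks the result.
# The file names and sample data in the demo section are constructed.

# Print the base64 body of the first certificate in a PEM file as one line.
pem_body() {
  sed -n '/^-----BEGIN /,/^-----END /p' "$1" | grep -v -- '^-----' | tr -d '\r\n'
}

# Print the value of <key> from a CS.cfg-style key=value file.
# Usage: get_cfg_key <cfg> <key>
get_cfg_key() {
  key_re=$(printf '%s' "$2" | sed 's/[.]/\\./g')
  sed -n "s/^$key_re=//p" "$1" | head -n 1
}

# Replace (or append) <key>=<value> in <cfg>, after saving a dated backup.
# The value is passed through the environment so awk never interprets it.
# Usage: set_cfg_key <cfg> <key> <value>
set_cfg_key() {
  cp -p "$1" "$1.$(date +%Y%m%d%H%M%S).bak"
  CFG_KEY=$2 CFG_VALUE=$3 awk '
    BEGIN { k = ENVIRON["CFG_KEY"]; v = ENVIRON["CFG_VALUE"]; seen = 0 }
    index($0, k "=") == 1 { print k "=" v; seen = 1; next }
    { print }
    END { if (!seen) print k "=" v }
  ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Post-update check: the configured value must equal the PEM body exactly.
# Usage: cfg_matches_pem <cfg> <key> <pem file>
cfg_matches_pem() {
  [ "$(get_cfg_key "$1" "$2")" = "$(pem_body "$3")" ]
}

# Demo on constructed files. A real run would use
# /etc/pki/pki-tomcat/kra/CS.cfg and the downloaded kra_transport.crt.
demo=$(mktemp -d)
cat > "$demo/kra_transport.crt" <<'EOF'
-----BEGIN CERTIFICATE-----
MIIBconstructedSampleLineOne
MIIBconstructedSampleLineTwo
-----END CERTIFICATE-----
EOF
cat > "$demo/CS.cfg" <<'EOF'
kra.storage.cert=OLDSTORAGEDATA
kra.transport.cert=OLDTRANSPORTDATA
kra.subsystem.cert=OLDSUBSYSTEMDATA
EOF
set_cfg_key "$demo/CS.cfg" kra.transport.cert "$(pem_body "$demo/kra_transport.crt")"
if cfg_matches_pem "$demo/CS.cfg" kra.transport.cert "$demo/kra_transport.crt"; then
  echo "kra.transport.cert in $demo/CS.cfg now matches kra_transport.crt"
fi
```

The same three functions serve every key in the mapping above: pass ca.signing.cert or kra.audit_signing.cert with the corresponding downloaded certificate, and run cfg_matches_pem for each key before starting pki-tomcatd again.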
11. If you are updating the transportCert cert-pki-tomcat KRA certificate, also update the Barbican Network Security Services database (NSSDB): list its contents, check the current KRA transport certificate, then delete it and import the renewed one:

    certutil -L -d /etc/barbican/alias
    certutil -L -d /etc/barbican/alias -n "KRA transport cert" | egrep "Serial|Before|After"
    certutil -D -d /etc/barbican/alias -n 'KRA transport cert'
    certutil -A -d /etc/barbican/alias -n 'KRA transport cert' -i kra_transport.crt -t ,,

12. Start the pki-tomcatd service:

    systemctl start pki-tomcatd

13. Verify that the new certificate is used. The serial number reported by both commands must be the Certificate ID noted when the request was approved (0xf in the example):

    certutil -L -d /etc/pki/pki-tomcat/alias -n "transportCert cert-pki-tomcat KRA" | egrep "Serial|Before|After"
    certutil -L -d /etc/barbican/alias -n "KRA transport cert" | egrep "Serial|Before|After"

14. Replicate the newly generated certificates to the other kmn nodes. If you have updated the Server-Cert cert-pki-tomcat certificates, verify that each kmn node has its own unique updated certificate. Upload the renewed certificates to the remaining kmn nodes by repeating steps 7-13 on each of them.