Overview
In my previous post we detailed installing the Dogtag Certificate System as a subordinate CA with an External CA Signing Certificate. I will be referring to that post at various points so it would pay to have a quick read before continuing: CentOS 7 Dogtag Certificate System Install
Today we will be renewing the Dogtag system certificates and the PKI Administrator certificate for a subCA setup.
Dogtag Server
- CentOS 7.9.2009
- PKI 10.5.18
External CA
- Windows Server 2012 R2
Renewing CA Signing Certificate
I was able to source a copy of the original CSR (dogtag-server.csr), which was generated during phase 1 of the subCA installation two years ago, and that made renewing a simple task.
Alternatively you should be able to source the CSR from CS.cfg:
# (echo '-----BEGIN NEW CERTIFICATE REQUEST-----'; cat /etc/pki/pki-tomcat/ca/CS.cfg | awk -F'ca.signing.certreq=' '/ca.signing.certreq/ {print $2}'; echo '-----END NEW CERTIFICATE REQUEST-----') > dogtag-server.csr
As a last resort if ‘pki_backup_keys=True’ was configured during the initial install then you should be able to source the ‘CA Signing Certificate’ private key and create a new CSR with the same Subject “O=dogtag-server-ca, OU=pki-tomcat, CN=CA Signing Certificate”. The password you will need to extract the key will be in one of the files listed below. I have not tested this so let me know if it works.
# cat /root/.dogtag/pki-tomcat/ca/password.conf
# cat /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf
# openssl pkcs12 -info -in /etc/pki/pki-tomcat/alias/ca_backup_keys.p12
Get certificate Nickname
This is how to obtain the Nickname of the CA Signing certificate for the next step. You will repeat this for the remaining certificates later.
# certutil -L -d /etc/pki/pki-tomcat/alias/
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
caSigningCert cert-pki-tomcat CA CTu,Cu,Cu
...
Issue new certificate from external CA
Now that we have our Certificate Signing Request, browse to the Certificate Authority Web Enrollment service webpage (https://<servername>/certsrv) hosted on the Windows 2012 R2 server and:
- Request a certificate
- Advanced certificate request
- Saved Request field: paste CSR contents
- Certificate Template: select Subordinate Certification Authority
- Submit
- Download DER encoded certificate (certnew.cer)
# openssl x509 -inform der -in certnew.cer -out certnew.crt
# systemctl stop pki-tomcatd@pki-tomcat.service
# certutil -D -n "caSigningCert cert-pki-tomcat CA" -d /etc/pki/pki-tomcat/alias/
# certutil -A -n "caSigningCert cert-pki-tomcat CA" -t CTu,Cu,Cu -d /etc/pki/pki-tomcat/alias/ -a -i certnew.crt
# systemctl start pki-tomcatd@pki-tomcat.service
# pki-server cert-find
Renew other system certificates
Renew the remaining system certificates listed below:
- ca_audit_signing (auditSigningCert cert-pki-tomcat CA)
- ca_ocsp_signing (ocspSigningCert cert-pki-tomcat CA)
- sslserver (Server-Cert cert-pki-tomcat)
- subsystem (subsystemCert cert-pki-tomcat)
Browse to https://dogtag-server.domain.internal:8443/ and use the renewal template listed below to renew the certificates:
- Renewal: Renew certificate to be manually approved by agents (profileId=caManualRenewal)
For each certificate use the current serial number to renew, then approve the 4 requests from Agent Services (https://dogtag-server.domain.internal:8443/ca/agent/ca/) and copy the certificate hash (the base64 PEM body) of each issued certificate to create the following files:
- ca_audit_signing.crt
- ca_ocsp_signing.crt
- sslserver.crt
- subsystem.crt
# systemctl stop pki-tomcatd@pki-tomcat.service
# certutil -D -n "ocspSigningCert cert-pki-tomcat CA" -d /etc/pki/pki-tomcat/alias/
# certutil -A -n "ocspSigningCert cert-pki-tomcat CA" -t u,u,u -d /etc/pki/pki-tomcat/alias/ -a -i ca_ocsp_signing.crt
# certutil -D -n "Server-Cert cert-pki-tomcat" -d /etc/pki/pki-tomcat/alias/
# certutil -A -n "Server-Cert cert-pki-tomcat" -t u,u,u -d /etc/pki/pki-tomcat/alias/ -a -i sslserver.crt
# certutil -D -n "subsystemCert cert-pki-tomcat" -d /etc/pki/pki-tomcat/alias/
# certutil -A -n "subsystemCert cert-pki-tomcat" -t u,u,u -d /etc/pki/pki-tomcat/alias/ -a -i subsystem.crt
# certutil -D -n "auditSigningCert cert-pki-tomcat CA" -d /etc/pki/pki-tomcat/alias/
# certutil -A -n "auditSigningCert cert-pki-tomcat CA" -t u,u,Pu -d /etc/pki/pki-tomcat/alias/ -a -i ca_audit_signing.crt
# systemctl start pki-tomcatd@pki-tomcat.service
Update CS.cfg with new certificate hashes
If you examine CS.cfg you will see the certificate hashes (the base64 bodies of each certificate) have all been saved in there.
To be honest I don't know if CS.cfg needs to be updated, as the certificate renewal appeared to be successful without it in my testing. However, in the end I decided to update the file, but I could not find any documentation to support the need for it.
# systemctl stop pki-tomcatd@pki-tomcat.service
# CERTHASH=$(cat certnew.crt | awk '!(/-----BEGIN CERTIFICATE-----/||/-----END CERTIFICATE-----/)' | tr -d '\n')
# sed -i "s|ca.signing.cert=.*|ca.signing.cert=$CERTHASH|" /etc/pki/pki-tomcat/ca/CS.cfg
# CERTHASH=$(cat ca_audit_signing.crt | awk '!(/-----BEGIN CERTIFICATE-----/||/-----END CERTIFICATE-----/)' | tr -d '\n')
# sed -i "s|ca.audit_signing.cert=.*|ca.audit_signing.cert=$CERTHASH|" /etc/pki/pki-tomcat/ca/CS.cfg
# CERTHASH=$(cat ca_ocsp_signing.crt | awk '!(/-----BEGIN CERTIFICATE-----/||/-----END CERTIFICATE-----/)' | tr -d '\n')
# sed -i "s|ca.ocsp_signing.cert=.*|ca.ocsp_signing.cert=$CERTHASH|" /etc/pki/pki-tomcat/ca/CS.cfg
# CERTHASH=$(cat sslserver.crt | awk '!(/-----BEGIN CERTIFICATE-----/||/-----END CERTIFICATE-----/)' | tr -d '\n')
# sed -i "s|ca.sslserver.cert=.*|ca.sslserver.cert=$CERTHASH|" /etc/pki/pki-tomcat/ca/CS.cfg
# CERTHASH=$(cat subsystem.crt | awk '!(/-----BEGIN CERTIFICATE-----/||/-----END CERTIFICATE-----/)' | tr -d '\n')
# sed -i "s|ca.subsystem.cert=.*|ca.subsystem.cert=$CERTHASH|" /etc/pki/pki-tomcat/ca/CS.cfg
# systemctl start pki-tomcatd@pki-tomcat.service
# diff /etc/pki/pki-tomcat/ca/CS.cfg /etc/pki/pki-tomcat/ca/archives/CS.cfg.bak.20210416141231
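The one-liners above silently do nothing if a ca.*.cert key is missing from CS.cfg, and they give no way to confirm what was written. The script below is an added example (not from the original post) that wraps the same strip-armor-and-sed step in a function that fails when the key is absent and reads the value back for comparison; the CS.cfg and PEM contents it creates are constructed sample data, not a real certificate.

```shell
#!/bin/sh
# Added example: update a ca.<name>.cert value in CS.cfg from a PEM file.

# Strip PEM armor and newlines: CS.cfg stores the bare one-line base64 body.
pem_body() {
    awk '!/^-----(BEGIN|END) CERTIFICATE-----$/' "$1" | tr -d '\n\r'
}

# Read the stored value for a key back out of CS.cfg (everything after the first '=',
# so base64 '=' padding is preserved).
cs_cfg_value() {
    sed -n "s/^$2=//p" "$1"
}

# update_cs_cfg <CS.cfg> <config key> <PEM file>
# Returns 1 (and changes nothing) if the key is not present in CS.cfg.
update_cs_cfg() {
    cfg=$1; key=$2; pem=$3
    grep -q "^${key}=" "$cfg" || { echo "key $key not found in $cfg" >&2; return 1; }
    body=$(pem_body "$pem")
    # '|' as the sed delimiter because base64 contains '/' (base64 never contains '|' or '&').
    sed "s|^${key}=.*|${key}=${body}|" "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
}

# Constructed sample data for a dry run: a two-key CS.cfg and a fake PEM file in directory $1.
make_sample() {
    printf 'ca.signing.cert=OLDVALUE\nca.sslserver.cert=OLDVALUE\n' > "$1/CS.cfg"
    printf -- '-----BEGIN CERTIFICATE-----\nMIIBconstructed\nAAAA==\n-----END CERTIFICATE-----\n' > "$1/new.crt"
}

# Dry run against the constructed sample; on a real system pass /etc/pki/pki-tomcat/ca/CS.cfg
# and the renewed .crt instead, with the service stopped as in the post.
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    make_sample "$d"
    update_cs_cfg "$d/CS.cfg" ca.signing.cert "$d/new.crt"
    echo "ca.signing.cert is now: $(cs_cfg_value "$d/CS.cfg" ca.signing.cert)"
    update_cs_cfg "$d/CS.cfg" ca.missing.cert "$d/new.crt" || echo "missing key was reported, not ignored"
    rm -rf "$d"
fi
```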
Renew PKI Administrator certificate
Browse to https://dogtag-server.domain.internal:8443/ and use the renewal template listed below to renew the certificate:
- Renewal: Renew certificate to be manually approved by agents (profileId=caManualRenewal)
Use the current serial number to renew, then approve the request from Agent Services (https://dogtag-server.domain.internal:8443/ca/agent/ca/) and copy the certificate hash (the base64 PEM body) to create the following file:
- ca_admin_cert.crt
Extract the private key for use later and to check it is a match for the new certificate.
# openssl pkcs12 -info -in /root/.dogtag/pki-tomcat/ca_admin_cert.p12
Copy and paste the private key block extracted above into ca_admin_cert.key and check that it matches the certificate (the two md5 outputs below should be identical).
Note: The encrypted key output will change every time the above command is run, because openssl uses a fresh random salt each time; the modulus it protects does not change.
# openssl x509 -noout -modulus -in ca_admin_cert.crt | openssl md5
# openssl rsa -noout -modulus -in ca_admin_cert.key | openssl md5
List users and accept the CA chain.
# pki -d /root/.dogtag/pki-tomcat/ca/alias -c Password1 -n caadmin ca-user-find
List certificates and note down the serial number of the PKI Administrator certificate for later.
# pki -d /root/.dogtag/pki-tomcat/ca/alias -c Password1 -n caadmin client-cert-find
Add renewed certificate using the serial number.
Note: Change 0x85c to match your certificate serial number
# openssl x509 -noout -text -in ca_admin_cert.crt | awk '/Serial/'
# pki -d /root/.dogtag/pki-tomcat/ca/alias -c Password1 -n caadmin ca-user-cert-add caadmin --serial 0x85c
Update the client NSS database.
# systemctl stop pki-tomcatd@pki-tomcat.service
# certutil -D -n "caadmin" -d /root/.dogtag/pki-tomcat/ca/alias/
# certutil -A -n "caadmin" -t u,u,u -d /root/.dogtag/pki-tomcat/ca/alias/ -a -i ca_admin_cert.crt
# systemctl start pki-tomcatd@pki-tomcat.service
List the certificates again as above and you should note the serial number for the PKI Administrator certificate has been updated.
Create a new PKCS#12 copy to import into your browser.
# openssl pkcs12 -export -in ca_admin_cert.crt -inkey ca_admin_cert.key -out ca_admin_cert.p12 -clcerts -passin pass:Password1 -passout pass:Password1
Open your browser, delete the previous certificate and import the new certificate. Instructions for this step can be viewed here: CentOS 7 Dogtag Certificate System Install
Once you have confirmed the new PKI Administrator certificate is working successfully you should revoke the previous version to mitigate the possibility of a security breach with the old key.
Conclusion
That should be it. Please let me know in the comments if I have missed anything, there are any errors or there is a better way to do some of the steps.