Updating system certificate cache in PKI server
Overview
Each PKI subsystem stores a copy of its system certificates (and the corresponding certificate requests) in its configuration as a cache of what is held in the instance NSS database. The cache can become outdated, for example after a certificate is renewed directly in the database, or go missing altogether (BZ#1258630). While the cache is stale, the subsystem keeps referring to the old certificate data, so a renewal is not fully picked up until the cache is refreshed. This article describes how to check the cache and how to update it.
Checking system certificate cache
Use the following command to list instances installed on the system:
$ pki-server instance-find
-----------------
1 entries matched
-----------------
  Instance ID: pki-tomcat
  Active: True
Use the following command to list subsystems installed in the instance:
$ pki-server subsystem-find -i pki-tomcat
-----------------
2 entries matched
-----------------
  Subsystem ID: ca
  Instance ID: pki-tomcat
  Enabled: True

  Subsystem ID: kra
  Instance ID: pki-tomcat
  Enabled: True
Use the following command to list system certificates in the subsystem:
$ pki-server subsystem-cert-find -i pki-tomcat ca
-----------------
5 entries matched
-----------------
  Cert ID: signing
  Nickname: caSigningCert cert-pki-tomcat CA
  Token: Internal Key Storage Token
  Certificate: <base-64 encoded certificate data>
  Request: <base-64 encoded certificate request>

  Cert ID: ocsp_signing
  Nickname: ocspSigningCert cert-pki-tomcat CA
  Token: Internal Key Storage Token
  Certificate: <base-64 encoded certificate data>
  Request: <base-64 encoded certificate request>

  Cert ID: sslserver
  Nickname: Server-Cert cert-pki-tomcat
  Token: Internal Key Storage Token
  Certificate: <base-64 encoded certificate data>
  Request: <base-64 encoded certificate request>

  Cert ID: subsystem
  Nickname: subsystemCert cert-pki-tomcat
  Token: Internal Key Storage Token
  Certificate: <base-64 encoded certificate data>
  Request: <base-64 encoded certificate request>

  Cert ID: audit_signing
  Nickname: auditSigningCert cert-pki-tomcat CA
  Token: Internal Key Storage Token
  Certificate: <base-64 encoded certificate data>
  Request: <base-64 encoded certificate request>
For each entry, check the Certificate and Request fields against the certificate currently stored in the instance NSS database under the listed Nickname. If a field is outdated (for example, it still holds the certificate from before a renewal) or missing (for example, after corruption of the configuration), the cache must be updated as described in the next section.
Updating system certificate cache
To update the system certificate cache, first disable the subsystem with the following command. Disabling takes the subsystem out of service until it is re-enabled, so plan for the interruption:
$ pki-server subsystem-disable -i pki-tomcat ca
Then update each outdated or missing system certificate by its Cert ID, running the command once per certificate. For example, for the CA signing certificate:
$ pki-server subsystem-cert-update -i pki-tomcat ca signing
---------------------------------------
Updated "signing" subsystem certificate
---------------------------------------
  Cert ID: signing
  Nickname: caSigningCert cert-pki-tomcat CA
  Token: Internal Key Storage Token
  Certificate: <base-64 encoded certificate data>
  Request: <base-64 encoded certificate request>
Finally, re-enable the subsystem with the following command:
$ pki-server subsystem-enable -i pki-tomcat ca
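The check described above can be scripted so that a stale cache is caught rather than eyeballed. The script below is an added example, not part of this article or of the Dogtag project: it parses the output of pki-server subsystem-cert-find in the shape shown above, exports the certificate with the same nickname from the instance NSS database, and compares the two after stripping PEM armour and whitespace. It assumes the NSS database lives at /var/lib/pki/<instance>/alias and that certutil is installed; both are assumptions, not facts stated on this page. The sample output embedded in it is constructed for offline demonstration.

```shell
#!/bin/sh
# Added example (not from the article or the Dogtag project): detect a stale or
# missing system certificate cache by comparing the "Certificate:" value that
# `pki-server subsystem-cert-find` reports with the certificate currently held
# in the instance NSS database under the same nickname.
#
# Assumptions not stated in the article:
#   - the NSS database is /var/lib/pki/<instance>/alias and `certutil` exists
#   - subsystem-cert-find prints records in the shape shown in the article

# cert_field FIELD CERT_ID: print one field ("Nickname" or "Certificate") of
# the record whose "Cert ID:" equals CERT_ID, reading subsystem-cert-find
# output on stdin. Prints nothing when the record or the field is absent.
cert_field() {
    awk -v field="$1" -v id="$2" '
        $1 == "Cert" && $2 == "ID:" { inrec = ($3 == id); next }
        inrec && $1 == (field ":") {
            sub(/^[ \t]*[^:]*:[ \t]*/, "")   # drop the "Field: " prefix
            print
            exit
        }'
}

# Reduce a certificate to bare base64: strip PEM armour and all whitespace so
# the one-line cached value and the PEM that certutil exports are comparable.
b64_body() {
    sed -e '/^-----BEGIN/d' -e '/^-----END/d' | tr -d ' \t\r\n'
}

# cache_matches CACHED LIVE: succeed only when the cached value is non-empty
# and identical to the live certificate; an empty cache counts as "missing".
cache_matches() {
    cached=$(printf '%s\n' "$1" | b64_body)
    live=$(printf '%s\n' "$2" | b64_body)
    [ -n "$cached" ] && [ "$cached" = "$live" ]
}

# check_cert INSTANCE SUBSYSTEM CERT_ID: run the live comparison on a real
# instance and print the update command when the cache needs refreshing.
check_cert() {
    out=$(pki-server subsystem-cert-find -i "$1" "$2") || return 2
    nick=$(printf '%s\n' "$out" | cert_field Nickname "$3")
    cached=$(printf '%s\n' "$out" | cert_field Certificate "$3")
    # -a exports PEM; a nickname in the internal token needs no "token:" prefix
    live=$(certutil -L -d "/var/lib/pki/$1/alias" -n "$nick" -a) || return 2
    if cache_matches "$cached" "$live"; then
        echo "$3: cache matches NSS database"
    else
        echo "$3: cache outdated or missing; run:" \
             "pki-server subsystem-cert-update -i $1 $2 $3"
        return 1
    fi
}

# Constructed sample (shape from the article, certificate bodies shortened and
# not real) so parsing and comparison can be exercised without an instance.
SAMPLE_OUTPUT='-----------------
2 entries matched
-----------------
  Cert ID: signing
  Nickname: caSigningCert cert-pki-tomcat CA
  Token: Internal Key Storage Token
  Certificate: MIIBAAAAsigning
  Request: MIIBREQUESTsigning
  Cert ID: sslserver
  Nickname: Server-Cert cert-pki-tomcat
  Token: Internal Key Storage Token
  Certificate: MIIBAAAAserverOLD
  Request: MIIBREQUESTserver'

# Constructed "live" PEM for the server certificate after a renewal: it no
# longer matches the cached value, which is the situation the article fixes.
SAMPLE_LIVE_SSLSERVER='-----BEGIN CERTIFICATE-----
MIIBAAAAserver
NEW
-----END CERTIFICATE-----'

if [ $# -eq 3 ]; then
    # Usage: ./check-cert-cache.sh pki-tomcat ca signing
    check_cert "$1" "$2" "$3"
else
    # Offline demonstration on the constructed sample.
    cached=$(printf '%s\n' "$SAMPLE_OUTPUT" | cert_field Certificate sslserver)
    if cache_matches "$cached" "$SAMPLE_LIVE_SSLSERVER"; then
        echo "sslserver: cache matches"
    else
        echo "sslserver: cache outdated (cached=$cached)"
    fi
fi
```

Run it once per Cert ID listed by subsystem-cert-find; a non-zero exit from check_cert names the exact subsystem-cert-update command to run after disabling the subsystem. Comparing the stripped base64 rather than the PEM text avoids false alarms from line wrapping, and treating an empty cached value as a mismatch covers the "missing" case from the article.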