16.4. Changing the Names of Subsystem Certificates

One alternative to renewing certificates is replacing them with new certificates, meaning that a new certificate is generated with new keys. Generally, a new certificate can be added to the database and the old one deleted, a simple one-to-one swap. This is possible because the individual subsystem servers identify certificates based on their nickname; as long as the certificate nickname remains the same, the server can find the required certificate even if other factors — like the subject name, serial number, or key — are different.

However, in some situations, the new certificate may have a new certificate nickname, as well. In that case, the certificate nickname needs to be updated in all of the required settings in the subsystem's CS.cfg configuration file.

Important

Always restart a subsystem after editing the CS.cfg file.

These tables list all of the configuration parameters for each of the subsystem's certificates:

Table 16.3. CA Certificate Nickname Parameters

CA Signing Certificate	ca.cert.signing.nickname ca.signing.cacertnickname ca.signing.certnickname ca.signing.nickname cloning.signing.nickname
OCSP Signing Certificate	ca.ocsp_signing.cacertnickname ca.ocsp_signing.certnickname ca.cert.ocsp_signing.nickname ca.ocsp_signing.nickname cloning.ocsp_signing.nickname
Subsystem Certificate	ca.cert.subsystem.nickname ca.subsystem.nickname cloning.subsystem.nickname pkiremove.cert.subsystem.nickname
Server Certificate	ca.sslserver.nickname ca.cert.sslserver.nickname
Audit Signing Certificate	ca.audit_signing.nickname ca.cert.audit_signing.nickname cloning.audit_signing.nickname

Table 16.4. KRA Certificate Nickname Parameters

Transport Certificate	cloning.transport.nickname kra.cert.transport.nickname kra.transport.nickname tks.kra_transport_cert_nickname Note that this parameter is in the TKS configuration file. This needs changed in the TKS configuration if the KRA transport certificate nickname changes, even if the TKS certificates all stay the same.
Storage Certificate	cloning.storage.nickname kra.storage.nickname kra.cert.storage.nickname
Server Certificate	kra.cert.sslserver.nickname kra.sslserver.nickname
Subsystem Certificate	cloning.subsystem.nickname kra.cert.subsystem.nickname kra.subsystem.nickname pkiremove.cert.subsystem.nickname
Audit Log Signing Certificate	cloning.audit_signing.nickname kra.cert.audit_signing.nickname kra.audit_signing.nickname

Table 16.5. OCSP Certificate Nickname Parameters

OCSP Signing Certificate	cloning.signing.nickname ocsp.signing.certnickname ocsp.signing.cacertnickname ocsp.signing.nickname
Server Certificate	ocsp.cert.sslserver.nickname ocsp.sslserver.nickname
Subsystem Certificate	cloning.subsystem.nickname ocsp.subsystem.nickname ocsp.cert.subsystem.nickname pkiremove.cert.subsystem
Audit Log Signing Certificate	cloning.audit_signing.nickname ocsp.audit_signing.nickname ocsp.cert.audit_signing.nickname

Table 16.6. TKS Certificate Nickname Parameters

KRA Transport Certificate^[a]	tks.kra_transport_cert_nickname
Server Certificate	tks.cert.sslserver.nickname tks.sslserver.nickname
Subsystem Certificate	cloning.subsystem.nickname tks.cert.subsystem.nickname tks.subsystem.nickname pkiremove.cert.subsystem.nickname
Audit Log Signing Certificate	cloning.audit_signing.nickname tks.audit_signing.nickname tks.cert.audit_signing.nickname
^[a] This needs changed in the TKS configuration if the KRA transport certificate nickname changes, even if the TKS certificates all stay the same.

Table 16.7. TPS Nickname Parameters in CS.cfg

Server Certificate	tps.cert.sslserver.nickname
Subsystem Certificate	tps.cert.subsystem.nickname selftests.plugin.TPSValidity.nickname selftests.plugin.TPSPresence.nickname pkiremove.cert.subsystem.nickname
Audit Log Signing Certificate	tps.cert.audit_signing.nickname

Where did the comment section go?

Red Hat's documentation publication system recently went through an upgrade to enable speedier, more mobile-friendly content. We decided to re-evaluate our commenting platform to ensure that it meets your expectations and serves as an optimal feedback mechanism. During this redesign, we invite your input on providing feedback on Red Hat documentation via the discussion platform.

Log in to Your Red Hat Account

Red Hat Account

Customer Portal

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

JBoss Development and Management

JBoss Integration and Automation

Mobile

Services

Tools

Red Hat Product Security Center

Security Updates

Resources

Customer Portal Community

Customer Events

Stories

16.4. Changing the Names of Subsystem Certificates

Where did the comment section go?