17.3 Renewing a Certificate

The Certificate Details page lists the properties of a certificate, such as certificate type, name, subject, and assigned keystores. This page also includes the original CSR when the certificate is still in a pending state (for example, you have generated the CSR, but you have not yet received and imported the signed certificate). If the certificate is expiring, you can cut and paste its text to send it to the CA to get a renewed certificate, then import the newly signed certificate.

For the certificates that Access Manager uses internally, a certificate process is started with Tomcat. This process runs once every 24 hours. It checks all the internal certificates and determines if they are going to expire within 30 days. If they are due to expire, the process automatically regenerates the certificate or trusted root. When a certificate is regenerated, the following message appears:

One or more automatically created certificates were regenerated. Reboot the entire administration console as soon as possible to avoid interruption of service.

This message appears when the administrator logs in to Administration Console, or if the administrator is already logged in, when the administrator switches from one page to another.

This event is also audited. A second audit event is generated that tells the administrator to restart any affected services. When the Administration Console certificate and the eDirectory certificates are expiring, a log entry is written to the app_sc log file. The log entry contains the “Recreating auto-generated certificates” string as well as one or more success or failure messages per key regenerated.

Certificates and trusted roots that are manually created with the Access Manager CA or are imported into Administration Console use a different process. The administrator is warned that these certificates are expiring when the administrator logs in to Administration Console. The following message is displayed:

Warning: the following certificates are expired or will expire within X days: <certA>, <certB>.

This message is displayed each time an administrator logs in to Administration Console. Events for the expiration of these certificates are not audited and are not logged.
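Because the expiry of manually created or imported certificates is neither audited nor logged, an out-of-band check that applies the same 30-day window used by the internal daily process is worth having. The following stdlib-only Python script is an added example, not code from the Access Manager documentation or product: it reads notAfter straight out of the DER validity field of a PEM/Base64 certificate, so it needs no third-party library, and it also applies the RFC 5280 UTCTime century rule. The sample certificate is a constructed, unsigned skeleton (only the fields up to validity), and `not_after`, `expiry_report` and `sample_cert` are names chosen here.

```python
import base64
import re
from datetime import datetime, timedelta, timezone

def _tlv(data, pos):
    """Decode one DER TLV at pos; return (tag, value, next_pos). Handles long-form lengths."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                                  # long form: low bits = byte count of length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def not_after(pem):
    """Return the notAfter instant (UTC) of a PEM/Base64 X.509 certificate."""
    body = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S).group(1)
    der = base64.b64decode("".join(body.split()))
    _, cert, _ = _tlv(der, 0)                          # Certificate ::= SEQUENCE
    _, tbs, _ = _tlv(cert, 0)                          # tbsCertificate ::= SEQUENCE
    tag, _, pos = _tlv(tbs, 0)
    pos = pos if tag == 0xA0 else 0                    # optional [0] EXPLICIT version
    for _ in range(3):                                 # serialNumber, signature, issuer
        _, _, pos = _tlv(tbs, pos)
    _, validity, _ = _tlv(tbs, pos)                    # Validity ::= SEQUENCE { notBefore, notAfter }
    _, _, pos = _tlv(validity, 0)                      # skip notBefore
    tag, value, _ = _tlv(validity, pos)
    text = value.decode("ascii")
    if tag == 0x17:                                    # UTCTime YYMMDD...: RFC 5280 century rule
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def expiry_report(pem, now_iso, window_days=30):
    """Days left and whether the cert is inside the renewal window (30 days, like the daily check)."""
    now = datetime.strptime(now_iso, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    left = not_after(pem) - now
    return {"days_left": left.days, "renew": left <= timedelta(days=window_days)}

def _enc(tag, payload):
    """Short-form DER encoder, only for building the constructed (not real) sample below."""
    return bytes([tag, len(payload)]) + payload

def sample_cert(not_after_str):
    """Constructed unsigned skeleton; notAfter is UTCTime (13 chars) or GeneralizedTime (15 chars)."""
    time_tag = 0x18 if len(not_after_str) == 15 else 0x17
    tbs = _enc(0x30, _enc(0xA0, _enc(0x02, b"\x02"))           # version v3
                   + _enc(0x02, b"\x01")                        # serialNumber
                   + _enc(0x30, _enc(0x06, bytes.fromhex("2a864886f70d01010b")))  # sha256WithRSAEncryption
                   + _enc(0x30, b"")                            # empty issuer Name
                   + _enc(0x30, _enc(0x17, b"240101000000Z") + _enc(time_tag, not_after_str.encode())))
    b64 = base64.b64encode(_enc(0x30, tbs)).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"
```

Feed `expiry_report` the PEM text copied from the Certificate Details page and the current UTC time; a `renew` of `True` means the certificate would already be inside the window the internal process acts on.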

The following figure illustrates the certificate chain example:

Figure 17-1 Illustration of a Certificate Chain Example

To renew a certificate:

  1. Click Security > Certificates.

  2. Click the certificate name.

  3. Click Renew.

  4. On the Renew page, either browse to locate and select the certificate, or select the Certificate data text (PEM/Base64) option and paste the certificate data into the text box.

  5. To import the CA chain, click Add trusted root and then locate the Root certificate data.

  6. Update the device using the certificate.

  7. Click Add intermediate certificate if you need to continue adding certificates to the chain; for example, add Intermediate cert 1 and cert 2, in that order.

  8. Click OK, then click Close.