Solution
Registration Authority (RA) certificates are valid for 365 days from the date of issue. If an RA certificate is due to expire soon, enroll for a new RA certificate to continue to use Automated Administration without interruption.
To renew or replace the Registration Authority (RA) Certificate using the Software Signing option, perform the following steps:
- Stop the Automated Administration service
- From the Start menu, click Programs > Administrative Tools > Services.
- Right-click on Symantec Automated Administration Service and select Stop.
- Open the <AARoot>/signers/vsautoauth.conf file. Make a note of the Distinguished Name of the RA certificate about to expire. This is listed next to the most recent (uncommented) RA_dn parameter.
- Run the following command to create a new Certificate Signing Request (CSR) for the RA certificate. The resulting file (racert.req) contains a CSR in base64 format:
swkeygen -name <yourAdminName> -org <yourCompany> -division <yourDept> -locality <yourCompanyCity> -state <yourCompanyState> -country <yourCompanyCountry> >racert.req
Note: You can use the -policy <full path to your policy file> parameter instead of the -org <yourCompany> and -division <yourDept> parameters. The -policy parameter uses the organization name and division name in your Symantec policy file to generate the CSR. If you use the -policy parameter and the -org and -division parameters, the values in the policy file will override the -org and -division values.
- Except for the -name parameter, use the same information you used with your initial RA certificate enrollment. For the -name parameter, use a unique value (such as your administrator name and today's date).
- If you do not know your company and department, open the Managed PKI Control Center. Your company and department are located in the upper right-hand corner. Your swkeygen command must exactly match this information, including case, spaces, and punctuation.
- For country, use a two-character ISO country code, such as US
- To enter a parameter that contains a space character, use quotes to surround the string (for example, "New York")
- Go to the Automated Administration RA Enrollment page at https://onsite.verisign.com/OnSiteServiceEnrollRA.htm and paste the contents of the racert.req file into the CSR field. (Ensure you leave the default RA certificate delivery format as: X.509)
- Enter your Administrator's information and click Submit
- Contact Symantec Authentication Services at 800-579-2848 / 650-426-3535 option 1,1 to have the request approved.
- Once Symantec Authentication Services has approved your request, you will receive an e-mail response containing your RA certificate. Save the attached file as cert.509 in your signers directory. This will overwrite the existing cert.509 file, so you should make a backup of the existing file first.
- Delete the existing RA certificate from the certificate store by entering:
swimport -delete
You will be prompted to delete each certificate in the certificate store. Enter Y only for the certificate that matches the Distinguished Name obtained in Step 1. Enter N for all other certificates.
- Import the new RA certificate file to the certificate store by entering:
swimport -file cert.509 -509
- Using a text editor, ensure that <AARoot>/signers/vsautoauth.conf includes a reference to the Distinguished Name of your renewed RA Certificate.
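
A pre-flight check for the procedure above, as an added PowerShell example that is not part of the original article or of Symantec's tooling: it reports the subject and expiry of the current cert.509, lists the active RA_dn entries, backs up cert.509 before it is overwritten, and optionally checks that the certificate received by e-mail expires later than the current one. The parameter names, the 30-day warning threshold and the assumption that an active entry starts its line with RA_dn are illustrative; the script uses only built-in cmdlets and .NET classes and does not call swkeygen or swimport.

```powershell
# Added example: pre-flight check before replacing the RA certificate.
param(
    [Parameter(Mandatory)] [string] $AARoot,   # your <AARoot> directory
    [string] $NewCert,                         # optional: path to the certificate received by e-mail
    [int] $WarnDays = 30                       # illustrative threshold, not a Symantec value
)
$ErrorActionPreference = 'Stop'
$signers  = Join-Path $AARoot 'signers'
$certPath = Join-Path $signers 'cert.509'
$confPath = Join-Path $signers 'vsautoauth.conf'

function Get-RaCertInfo([string] $Path) {
    # X509Certificate2 reads DER or base64-encoded X.509 certificate files.
    $full = (Resolve-Path -LiteralPath $Path).Path
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($full)
    [pscustomobject]@{
        Subject  = $cert.Subject
        Serial   = $cert.SerialNumber
        NotAfter = $cert.NotAfter
        DaysLeft = [math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
    }
}

$current = Get-RaCertInfo $certPath
$current | Format-List
if ($current.DaysLeft -le $WarnDays) {
    Write-Warning "RA certificate expires in $($current.DaysLeft) day(s); enroll for a new one."
}

# Active RA_dn entries: assumes a commented-out entry does not start the line with RA_dn.
Select-String -LiteralPath $confPath -Pattern '^\s*RA_dn\b' | ForEach-Object { $_.Line }

# Keep a timestamped copy, because saving the new certificate overwrites cert.509.
$backup = "$certPath.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"
Copy-Item -LiteralPath $certPath -Destination $backup
Write-Output "Backed up current certificate to $backup"

if ($NewCert) {
    $new = Get-RaCertInfo $NewCert
    $new | Format-List
    if ($new.NotAfter -le $current.NotAfter) {
        throw "New certificate does not expire later than the current one; do not import it."
    }
    Write-Output "New certificate is valid until $($new.NotAfter); compare its Subject with RA_dn."
}
```

Run it once before enrolling to capture the current Distinguished Name and backup, and again with -NewCert pointing at the saved e-mail attachment before running swimport -delete.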