
How to replace/renew a Registration Authority (RA) Certificate using the Software Signing option? (Pre-Managed PKI 6.x)


A Registration Authority (RA) certificate is valid for 365 days from the date it was issued. If an RA certificate is due to expire soon, enroll for a new RA certificate to continue using Automated Administration without interruption.

To renew or replace the Registration Authority (RA) Certificate using the Software Signing option, perform the following steps:

  1. Stop the Automated Administration service

    • From the Start menu, click Programs > Administrative Tools > Services.
    • Right-click on Symantec Automated Administration Service and select Stop.
  2. Open the <AARoot>/signers/vsautoauth.conf file. Make a note of the Distinguished Name of the RA certificate about to expire. This is listed next to the most recent (uncommented) RA_dn parameter.
  3. Run the following command to create a new Certificate Signing Request (CSR) for the RA certificate. The resulting file (racert.req) contains a CSR in base64 format:

    swkeygen -name <yourAdminName> -org <yourCompany> -division <yourDept> -locality <yourCompanyCity> -state <yourCompanyState> -country <yourCompanyCountry> >racert.req

    Note: You can use the -policy <full path to your policy file> parameter instead of the -org <yourCompany> and -division <yourDept> parameters. The -policy parameter uses the organization name and division name in your Symantec policy file to generate the CSR. If you use the -policy parameter and the -org and -division parameters, the values in the policy file will override the -org and -division values.
    • Except for the -name parameter, use the same information you used with your initial RA certificate enrollment. For the -name parameter, use a unique value (such as your administrator name and today's date).
    • If you do not know your company and department, open the Managed PKI Control Center. Your company and department are located in the upper right-hand corner. Your swkeygen command must exactly match this information, including case, spaces, and punctuation.
    • For country, use a two-character ISO country code, such as US.
    • To enter a parameter that contains a space character, use quotes to surround the string (for example, "New York").

  5. Go to the Automated Administration RA Enrollment page and paste the contents of the racert.req file into the CSR field. (Ensure you leave the default RA certificate delivery format as X.509.)
  6. Enter your Administrator's information and click Submit.
  7. Contact Symantec Authentication Services at 800-579-2848 / 650-426-3535 option 1,1 to have the request approved.
  8. Once Symantec Authentication Services has approved your request, you receive an e-mail response containing your RA certificate. Save the attached file as cert.509 in your signers directory. This will overwrite the existing cert.509 file, so you should make a backup of the existing file first.
  9. Delete the existing RA certificate from the certificate store by entering:

    swimport -delete

    You will be prompted to delete each certificate in the certificate store. Enter Y only for the certificate that matches the Distinguished Name obtained in Step 1. Enter N for all other certificates.
  10. Import the new RA certificate file to the certificate store by entering:

    swimport -file cert.509 -509

  11. Using a text editor, ensure that <AARoot>/signers/vsautoauth.conf includes a reference to the Distinguished Name of your renewed RA Certificate.
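
The swkeygen command in step 3 is rejected downstream if its values drift from the initial enrollment, so a pre-flight check before generating the CSR is useful. The following is an added example, not part of the original article or of Symantec's tooling: the function names, dictionary layout and sample values are assumptions, and only the swkeygen flag names and the racert.req file name come from the page.

```python
import re

# Flags exactly as they appear in the swkeygen command in step 3.
FLAGS = ("name", "org", "division", "locality", "state", "country")

def check_fields(new, initial):
    """Compare proposed values with the initial enrollment (dicts keyed by
    flag name). Returns a list of problems; an empty list means OK."""
    problems = []
    for key in FLAGS:
        value = new.get(key, "")
        if not value:
            problems.append(f"-{key}: missing or empty")
        elif '"' in value:
            problems.append(f"-{key}: contains a double quote, cannot be quoted")
        elif key == "name":
            # -name is the one value that must change on renewal.
            if value == initial.get("name"):
                problems.append("-name: must be unique, not the previous value")
        elif value != initial.get(key):
            # repr() makes case, spacing and punctuation differences visible.
            problems.append(
                f"-{key}: {value!r} does not exactly match {initial.get(key)!r}")
    country = new.get("country", "")
    if country and not re.fullmatch(r"[A-Za-z]{2}", country):
        problems.append("-country: expected a two-character ISO code such as US")
    return problems

def build_command(new, outfile="racert.req"):
    """Render the step 3 command line, quoting values that contain spaces."""
    parts = ["swkeygen"]
    for key in FLAGS:
        value = new[key]
        parts += [f"-{key}", f'"{value}"' if re.search(r"\s", value) else value]
    return " ".join(parts) + f" >{outfile}"

# Constructed sample values, not from any real enrollment.
INITIAL = {"name": "jdoe-2023-04-01", "org": "Example Corp, Inc.",
           "division": "IT Security", "locality": "New York",
           "state": "New York", "country": "US"}
GOOD = dict(INITIAL, name="jdoe-2024-03-20")
BAD = dict(GOOD, org="Example Corp Inc.", division="IT  Security", country="USA")

if __name__ == "__main__":
    for problem in check_fields(BAD, INITIAL):
        print(problem)
    if not check_fields(GOOD, INITIAL):
        print(build_command(GOOD))
```

Fill INITIAL from the organization and division shown in the Managed PKI Control Center and from your original enrollment record; run the generated command only when check_fields returns an empty list.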