Solution

Registration Authority (RA) certificate's are valid for 365 days from the date it was issued. If an RA certificate is due to expire soon, enroll for a new RA certificate to continue to use Automated Administration without interruption.

To renew or replace the Registration Authority (RA) Certificate using the Software Signing option, perform the following steps:

1. Stop the Automated Administration service
   
   
   • From the Start menu, click Programs > Administrative Tools > Services.
   • Right-click on Symantec Automated Administration Service and select Stop.
      
2. Open the <AARoot>/signers/vsautoauth.conf file. Make a note of the Distinguished Name of the RA certificate about to expire. This is listed next to the most recent (uncommented) RA_dn parameter.
3. Run the following command to create a new Certificate Signing Request (CSR) for the RA certificate. The resulting file (racert.req) contains a CSR in base64 format:
   
   swkeygen -name <yourAdminName> -org <yourCompany> -division <yourDept> -locality <yourCompanyCity> -state <yourCompanyState> -country <yourCompanyCountry> >racert.req
   
   
   Note: You can use the -policy <full path to your policy file> parameter instead of the -org <yourCompany> and -division <yourDept> parameters. The -policy parameter uses the organization name and division name in your Symantec policy file to generate the CSR. If you use the -policy parameter and the -org and -division parameters, the values in the policy file will override the -org and -division values.
    
4.  
   • Except for the -name parameter, use the same information you used with your initial RA certificate enrollment. For the -name parameter, use a unique value (such as your administrator name and today?s date).
   • If you do not know your company and department, open the Managed PKI Control Center. Your company and department are located in the upper right-hand corner. Your swkeygen command must exactly match this information, including case, spaces, and punctuation.
   • For country, use a two-character ISO country code, such as US
   • To enter a parameter that contains a space character, use quotes to surround the string (for example, "New York")
   
    
5. Go to the Automated Administration RA Enrollment page at https://onsite.verisign.com/OnSiteServiceEnrollRA.htm and paste the contents racert.req file into the CSR field. (Ensure your leave the default RA certificate delivery format as: X.509)
6. Enter your Administrator's information and click Submit
7. Contact the Symantec Authentication Services to have the request approved at 800-579-2848 / 650-426-3535 option 1,1
8. Once Symantec Authentication Services has approved your request, you receive an e-mail response containing your RA certificate. Save the attached file as cert.509 in your signers directory. This will overwrite the existing cert.509 file, so you should make a back up of the existing file first.
9. Delete the existing RA certificate from the certificate store by entering:
   
   swimport -delete
   
   You will be prompted to delete each certificate in the certificate store. Enter Y for only that certificate that matches the Distinguished Name obtained in Step 1. Enter N for all other certificates.
    
10. Import the new RA certificate file to the certificate store by entering:
    
    swimport -file cert.509 -509
    
     
11. Using a text editor, ensure that <AARoot>/signers/vsautoauth.conf includes a reference to the Distinguished Name of your renewed RA Certificate.