
Solution ID : SO1371

Last Modified : 06/20/2018

How to replace/renew a Registration Authority (RA) Certificate using the Software Signing option? (Pre-Managed PKI 6.x)

Solution

Registration Authority (RA) certificates are valid for 365 days from the date of issue. If an RA certificate is due to expire soon, enroll for a new RA certificate before that date so that Automated Administration continues to work without interruption.

To renew or replace the Registration Authority (RA) Certificate using the Software Signing option, perform the following steps:


  1. Stop the Automated Administration service

    • From the Start menu, click Programs > Administrative Tools > Services.
    • Right-click on Symantec Automated Administration Service and select Stop.
       
  2. Open the <AARoot>/signers/vsautoauth.conf file. Make a note of the Distinguished Name of the RA certificate about to expire. This is listed next to the most recent (uncommented) RA_dn parameter.
  3. Run the following command to create a new Certificate Signing Request (CSR) for the RA certificate. The resulting file (racert.req) contains a CSR in base64 format:

    swkeygen -name <yourAdminName> -org <yourCompany> -division <yourDept> -locality <yourCompanyCity> -state <yourCompanyState> -country <yourCompanyCountry> >racert.req


    Note: You can use the -policy <full path to your policy file> parameter instead of the -org <yourCompany> and -division <yourDept> parameters. The -policy parameter takes the organization name and division name from your Symantec policy file to generate the CSR. If you supply both the -policy parameter and the -org and -division parameters, the values in the policy file override the -org and -division values.
     
  4. When supplying the swkeygen parameters, note the following:
    • Except for the -name parameter, use the same information you used for your initial RA certificate enrollment. For the -name parameter, use a unique value (such as your administrator name and today's date).
    • If you do not know your company and department, open the Managed PKI Control Center. Your company and department are shown in the upper right-hand corner. Your swkeygen command must match this information exactly, including case, spaces, and punctuation.
    • For country, use a two-character ISO country code, such as US.
    • To enter a parameter value that contains a space character, surround the string with quotes (for example, "New York").

     
  5. Go to the Automated Administration RA Enrollment page at https://onsite.verisign.com/OnSiteServiceEnrollRA.htm and paste the contents of the racert.req file into the CSR field. (Leave the default RA certificate delivery format as X.509.)
  6. Enter your Administrator's information and click Submit
  7. Contact Symantec Authentication Services at 800-579-2848 / 650-426-3535 (option 1, 1) to have the request approved.
  8. Once Symantec Authentication Services has approved your request, you receive an e-mail response containing your RA certificate. Save the attached file as cert.509 in your signers directory. This overwrites the existing cert.509 file, so make a backup of the existing file first.
  9. Delete the existing RA certificate from the certificate store by entering:

    swimport -delete

    You will be prompted to delete each certificate in the certificate store. Enter Y only for the certificate that matches the Distinguished Name you noted in Step 2. Enter N for all other certificates.
     
  10. Import the new RA certificate file to the certificate store by entering:

    swimport -file cert.509 -509

     
  11. Using a text editor, ensure that <AARoot>/signers/vsautoauth.conf references the Distinguished Name of your renewed RA certificate: the most recent uncommented RA_dn parameter (the one you noted in Step 2) must now hold the new certificate's Distinguished Name.
  12. Start the Symantec Automated Administration Service again (Start menu > Programs > Administrative Tools > Services, right-click the service and select Start), since it was stopped in Step 1.
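The following PowerShell script is an added example for this article and is not Symantec's own tooling. It wraps the non-interactive parts of the procedure above: stopping the service, recording the expiring RA_dn, backing up the files later steps overwrite, generating the CSR with a unique -name, and, after you have completed the web enrollment and the two swimport steps by hand, checking that cert.509 is a valid unexpired certificate that vsautoauth.conf now references before the service is started again. Assumptions, labelled in the code: the AARoot install path, that swkeygen is on the PATH, that vsautoauth.conf holds lines of the form RA_dn=<DN> with # marking commented-out lines, that cert.509 is DER- or Base64-encoded X.509 readable by .NET, and the -org/-division/-locality/-state/-country values, which must match your Control Center exactly.

```powershell
# Added example, not from the Symantec article. Everything marked "assumed" must be adjusted.
# Assumptions: $AARoot; swkeygen on the PATH; vsautoauth.conf lines of the form
#   RA_dn=<distinguished name>   ('#' marks commented-out lines);
# cert.509 is a DER- or Base64-encoded X.509 file.
$AARoot  = 'C:\Program Files\Symantec\AutomatedAdministration'   # assumed install path
$Signers = Join-Path $AARoot 'signers'
$Conf    = Join-Path $Signers 'vsautoauth.conf'
$CertOut = Join-Path $Signers 'cert.509'
$SvcName = 'Symantec Automated Administration Service'           # display name shown in services.msc

# Returns the DN on the last uncommented RA_dn line, i.e. the certificate about to expire (Step 2).
function Get-CurrentRaDn {
    param([string]$ConfPath = $Conf)
    $hit = Select-String -Path $ConfPath -Pattern '^\s*RA_dn\s*=\s*(.+?)\s*$' | Select-Object -Last 1
    if (-not $hit) { throw "No uncommented RA_dn line found in $ConfPath" }
    return $hit.Matches[0].Groups[1].Value
}

# Steps 1 to 3: stop the service, record the old DN, back up what Steps 8 and 11 overwrite,
# and write a new CSR to racert.req using a unique -name (administrator name plus today's date).
function Start-RaRenewal {
    param(
        [Parameter(Mandatory)][string]$AdminName,   # e.g. 'jdoe' (assumed); the date is appended
        [Parameter(Mandatory)][string]$Org,         # exactly as shown in the Control Center
        [Parameter(Mandatory)][string]$Division,
        [Parameter(Mandatory)][string]$Locality,
        [Parameter(Mandatory)][string]$State,
        [Parameter(Mandatory)][string]$Country      # two-letter ISO code, e.g. 'US'
    )
    Stop-Service -DisplayName $SvcName -ErrorAction Stop

    $oldDn = Get-CurrentRaDn
    Write-Host "Expiring RA certificate DN (answer Y only to this one in 'swimport -delete'): $oldDn"

    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    Copy-Item $Conf "$Conf.$stamp.bak"
    if (Test-Path $CertOut) { Copy-Item $CertOut "$CertOut.$stamp.bak" }

    # PowerShell passes each value as one argument, so 'New York' reaches swkeygen intact.
    $csrName = '{0}-{1}' -f $AdminName, (Get-Date -Format 'yyyy-MM-dd')
    $req = Join-Path $Signers 'racert.req'
    & swkeygen -name $csrName -org $Org -division $Division -locality $Locality `
               -state $State -country $Country | Set-Content -Path $req -Encoding Ascii
    Write-Host "CSR written to $req; paste its contents into the RA Enrollment page (Step 5)."
}

# After Steps 8 to 11 have been done by hand (cert.509 saved, 'swimport -delete', 'swimport -file
# cert.509 -509', conf edited): confirm cert.509 parses, is not expired, and is referenced by
# vsautoauth.conf, then start the service again (Step 12).
function Complete-RaRenewal {
    $x = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertOut
    Write-Host "Installed RA certificate subject: $($x.Subject)"
    Write-Host "Valid until: $($x.NotAfter)"
    if ($x.NotAfter -lt (Get-Date)) { throw 'cert.509 is already expired; check the file you saved in Step 8' }
    if ($x.NotAfter -lt (Get-Date).AddDays(300)) {
        Write-Warning 'cert.509 has under 300 days left; a freshly issued RA certificate should have close to 365'
    }

    # The conf file's DN syntax may differ from .NET's "CN=..., O=..." form, so compare on the CN only.
    $cn = $x.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    if ((Get-CurrentRaDn) -notlike "*$cn*") {
        throw "The last uncommented RA_dn in $Conf does not reference '$cn'; fix Step 11 before starting the service"
    }
    Start-Service -DisplayName $SvcName -ErrorAction Stop
    Write-Host "$SvcName started with RA certificate '$cn'"
}

# Usage: run the first call, complete the web enrollment and swimport steps by hand, then the second.
# Start-RaRenewal -AdminName 'jdoe' -Org 'Example Corp' -Division 'IT Security' `
#                 -Locality 'New York' -State 'New York' -Country 'US'
# Complete-RaRenewal
```

The two swimport steps stay manual because swimport -delete prompts per certificate and the only safe answer is the one matching the DN the script printed. If Complete-RaRenewal throws on the RA_dn check, the service has not been started, so Automated Administration is not left running against a certificate the conf file does not reference.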