Ask a Question

How to enroll / replace / renew a Registration Authority (RA) certificate using the Hardware Signing option?


Registration Authority (RA) certificate's validity period is 365 days from the date it was issued. If a RA certificate is due to expire, you must re-enroll for a new RA certificate to continue to use Automated Administration without interruption.

To renew the Registration Authority (RA) Certificate using the Hardware Signing option, perform the following steps:

  1. Stop the Automated Administration service
    • From the Start menu, click Programs > Administrative Tools > Services
    • Right-click on Symantec Automated Administration Service and select Stop
  2. Generate a Symantec RA key-pair on the token and the RA certificate signing request. To do this, run aakeygen with the following command:

aakeygen -name <yourAdminName> -org <yourCompany> -division <yourDept> -locality <yourCompanyCity> -state <yourCompany State> -country <your CompanyCountry> >racert.req

Note:  You can use the -policy <full path to your policy file> parameter instead of the -org <yourCompany> and -division <yourDept> parameters. The -policy parameter uses the organization name and division name in your Symantec policy file to generate the CSR.  If you use the -policy parameter and the -org and -division parameters, the values in the policy file will override the -org and -division values.

The resulting racert.req file contains a certificate signing request (CSR) in base64 format.

+You must use the identical, case-sensitive text values for org and orgUnit that you used when you enrolled for the Managed PKI service. Set the attribute values as follows:

- org: Use the value that you submitted for Company/Department/Agency
- orgUnit: Use the value that you submitted for Division/Organization/Project

If you do not know your company and department, open the Managed PKI Control Center. Your company and department are located in the upper right-hand corner. Your aakeygen command must exactly match this information, including case, spaces, and punctuation.

+ For country, use a two-character ISO country code, such as US.

+ To enter a parameter that contains a space character, use quotes to surround the string (for example, “Mountain View”).

  1. Access the Managed PKI RA enrollment Web page at the appropriate URL:
  2. Paste the contents of the racert.req file into the CSR field. Fill in the rest of the information on the page, and submit the request
  3. Contact Symantec Authentication Services to have the request approved at 800-579-2848 option 1,1
  4. Once approved, You will receive an email response containing your RA certificate. Save the attached file as cert.509 in your signers directory
  5. Using a text editor, ensure that <RARoot>/signers/vsautoauth.conf includes a reference to the path ../signers/cert.509Restart your Automated Administration Service.