Updating your AutoAdmin (AutoAdmin.509) hierarchy certificates

Solution ID:    SO12826    Updated:    12/11/2015

Problem

The Symantec Managed PKI Registration Authority Server (or the Automated Administration Server or Key Manager Server in pre-Managed PKI 7.0 versions) uses a secure communication channel between your site and Symantec. This AutoAdmin.509 certificate is located on the Registration Authority Server (or the Automated Administration Server or Key Manager Server in pre-Managed PKI 7.0 versions) and is used to encrypt information when communicating with the Symantec back end, as well as to check the signature on responses received from Symantec.

Periodically, Symantec must re-key AutoAdmin, Intermediate AutoAdmin and Root AutoAdmin certificates. If so, you may have to complete some manual procedures to ensure continued communications with the Symantec back end. These procedures are explained in this solution.

Solution

Please note that the new AutoAdmin.509 certificate will not be available until after January 20, 2010. Please complete the steps below during the period after January 20, 2010 and before April 19, 2010 to ensure uninterrupted operations.

The solution you need to follow depends on your version of the Managed PKI site kit.  Refer to SO227 to determine the version of your site kit.

https://knowledge.symantec.com/support/mpki-support/index?page=content&id=SO277

For Managed PKI 7.2, 7.1 and 7.0 customers

Managed PKI 7.2, 7.1 and 7.0 customers must download and install the AutoAdmin, Intermediate AutoAdmin and Root AutoAdmin certificates attached to this solution using the following instructions.

  1. Stop the Registration Authority Service.
  2. Download the re-keyed AutoAdmin (AutoAdmin.509), Intermediate AutoAdmin (cacert.509) and Root AutoAdmin (aaroot.509) certificates attached to this solution.
  3. Navigate to the <MPKI RA Installation Directory>\signers directory.
  4. Rename the files AutoAdmin.509 to AutoAdmin.509.bak, cacert.509 to cacert.509.bak, and aaroot.509 to aaroot.509.bak.
  5. Copy the re-keyed AutoAdmin, Intermediate AutoAdmin and Root AutoAdmin certificates into this directory.
  6. Enroll for a new Registration Authority (RA) certificate. Refer to the installation and configuration document provided with your version of Managed PKI for procedures.
  7. Start the Registration Authority Service.
  8. Perform a trial enrollment for a certificate. This enrollment should be successful.


For Managed PKI 6.1.3 customers

Managed PKI 6.1.3 customers must download and install AutoAdmin, Intermediate AutoAdmin and Root AutoAdmin certificates attached to this solution using the following instructions.

  1. Stop the Automated Administration Service or Key Management Service, as appropriate.
  2. Download the re-keyed AutoAdmin (AutoAdmin.509), Intermediate AutoAdmin (cacert.509) and Root AutoAdmin (aaroot.509) certificates attached to this solution.
  3. Navigate to the <MPKI RA Installation Directory>\signers directory.
  4. Rename the files AutoAdmin.509 to AutoAdmin.509.bak, cacert.509 to cacert.509.bak, and aaroot.509 to aaroot.509.bak.
  5. Copy the re-keyed AutoAdmin, Intermediate AutoAdmin and Root AutoAdmin certificates into this directory.
  6. Copy the certs.db, crls.db, and keys.db files in the signers directory to another drive or location. You can use these backed-up files should you need to restore them.
  7. Delete the current AutoAdmin, Intermediate AutoAdmin, Root AutoAdmin and Registration Authority certificates from the certificate store by running the following from a command line:

    swimport.exe -delete

    You will be prompted to delete each certificate in the certificate store, identified by its serial number. Enter Y for each of the current AutoAdmin, Intermediate AutoAdmin, Root AutoAdmin and Registration Authority certificates.

    Note: Certificate serial numbers for Pilot Managed PKI:

    Certificate               Serial Number
    AutoAdmin                 009d71211704771c02df1517883d60fa66
    Intermediate AutoAdmin    45a9eed392863047908163fc2d9fb51e
    Root AutoAdmin            28e35b304fda7c864b44fb63654b3e17

    Certificate serial numbers for Production Managed PKI:

    Certificate               Serial Number
    AutoAdmin                 4a825d40c0540bce090fe1f1595cf992
    Intermediate AutoAdmin    44c81d446101bf42b31428e0185a741e
    Root AutoAdmin            3c9131cb1ff6d01b0e9ab8d044bf12be

  8. Import the re-keyed AutoAdmin, Intermediate AutoAdmin and Root AutoAdmin certificates to the certificate store by running the following from a command line:

    swimport -file aaroot.509 -509
    swimport -file cacert.509 -509
    swimport -file AutoAdmin.509 -509

  9. Update the AA_dn value in the vsautoauth.conf file located in the signers directory with:

    Pilot:

    CN=Automated Administration Test Certificate - G2,OU=FOR TEST PURPOSES ONLY,O="VeriSign, Inc.",C=US

    Production:

    CN=Automated Administration Certificate - G2,O="VeriSign, Inc.",C=US

  10. Enroll for a new Registration Authority (RA) certificate using the re-keyed certificates' hierarchy. Refer to the installation and configuration document provided with your version of Managed PKI for procedures.
  11. Import the new RA certificate to the certificate store by running the following from a command line:

    swimport -file cert.509 -509

  12. Start the Automated Administration Service or Key Management Service.
  13. Perform a trial enrollment for a certificate. This enrollment should be successful.
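The delete step above identifies each certificate only by its serial number, and the tables give those serials as the raw hex of the DER INTEGER (which is why the pilot AutoAdmin serial carries a leading 00 byte). The following script is an added example, not part of the Symantec solution or the swimport tool: it reads the serial number out of a DER- or PEM-encoded .509 file with a minimal DER walk of the first TBSCertificate fields and matches it against the serials listed here, so a prompt can be checked before answering Y. The build_sample_cert helper is a constructed stand-in used only to exercise the parser; it is not a real certificate. File names, the pilot/production environment labels and the helper names are assumptions.

```python
"""Added example: match a .509 file's serial number against the serials listed
in this solution. Only the leading TBSCertificate fields are decoded; the
certificate is not validated in any way."""
import base64

# Serial numbers exactly as the solution lists them: hex of the DER INTEGER
# content, so a leading 00 byte appears where the top bit of the value is set.
PILOT_SERIALS = {
    "AutoAdmin": "009d71211704771c02df1517883d60fa66",
    "Intermediate AutoAdmin": "45a9eed392863047908163fc2d9fb51e",
    "Root AutoAdmin": "28e35b304fda7c864b44fb63654b3e17",
}
PRODUCTION_SERIALS = {
    "AutoAdmin": "4a825d40c0540bce090fe1f1595cf992",
    "Intermediate AutoAdmin": "44c81d446101bf42b31428e0185a741e",
    "Root AutoAdmin": "3c9131cb1ff6d01b0e9ab8d044bf12be",
}


def load_der(data: bytes) -> bytes:
    """Accept raw DER or a PEM wrapper and return the DER bytes."""
    if data.lstrip().startswith(b"-----BEGIN"):
        body = b"".join(
            line.strip() for line in data.splitlines()
            if line.strip() and not line.startswith(b"-----")
        )
        return base64.b64decode(body)
    return data


def to_pem(der: bytes) -> bytes:
    """Wrap DER bytes in a PEM envelope (used to show that load_der accepts both)."""
    b64 = base64.encodebytes(der).replace(b"\n", b"")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return b"-----BEGIN CERTIFICATE-----\n" + b"\n".join(lines) + b"\n-----END CERTIFICATE-----\n"


def _read_tlv(buf: bytes, pos: int):
    """Decode one DER tag/length header at pos; return (tag, length, value_start)."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER structure")
    return tag, length, pos


def certificate_serial_hex(data: bytes) -> str:
    """Return the serialNumber as lowercase hex of its DER content bytes."""
    der = load_der(data)
    tag, _, pos = _read_tlv(der, 0)        # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, _, pos = _read_tlv(der, pos)      # tbsCertificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("missing TBSCertificate")
    tag, length, pos = _read_tlv(der, pos)
    if tag == 0xA0:                        # optional [0] EXPLICIT version, skip it
        tag, length, pos = _read_tlv(der, pos + length)
    if tag != 0x02:
        raise ValueError("expected INTEGER serialNumber")
    return der[pos:pos + length].hex()


def identify_certificate(data: bytes, environment: str):
    """Name the listed certificate this file is, or None if its serial is not listed."""
    table = {"pilot": PILOT_SERIALS, "production": PRODUCTION_SERIALS}[environment]
    serial = certificate_serial_hex(data)
    for name, listed in table.items():
        if listed == serial:
            return name
    return None


# --- constructed sample input (assumption: not a real certificate) ---------
def _tlv(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV with short or long-form length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def build_sample_cert(serial_hex: str, with_version: bool = True) -> bytes:
    """Minimal DER shell carrying the given serial; no names, key or signature."""
    version = _tlv(0xA0, _tlv(0x02, b"\x02")) if with_version else b""
    serial = _tlv(0x02, bytes.fromhex(serial_hex))
    rest = _tlv(0x30, b"\x06\x01\x00")     # placeholder for the remaining fields
    return _tlv(0x30, _tlv(0x30, version + serial + rest))


if __name__ == "__main__":
    for env, table in (("pilot", PILOT_SERIALS), ("production", PRODUCTION_SERIALS)):
        for name, serial in table.items():
            sample = build_sample_cert(serial)
            print(env, name, certificate_serial_hex(sample), identify_certificate(sample, env))
```

To use it on the real files, read AutoAdmin.509, cacert.509 and aaroot.509 from the signers directory as bytes and pass each to identify_certificate with "pilot" or "production"; a file whose serial is not listed (for example the RA certificate, or an already re-keyed file) returns None and should be checked by hand.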

For CMS and Signing API customers

Customers using CMS or the Signing API should update their AutoAdmin, Intermediate AutoAdmin and Root AutoAdmin certificates by performing the following steps:

  1. Download the re-keyed AutoAdmin (AutoAdmin.509), Intermediate AutoAdmin (cacert.509) and Root AutoAdmin (aaroot.509) certificates attached to this solution.
  2. Navigate to the <MPKI RA Installation Directory>\signers directory.
  3. Rename the files AutoAdmin.509 to AutoAdmin.509.bak, cacert.509 to cacert.509.bak, and aaroot.509 to aaroot.509.bak.
  4. Copy the re-keyed AutoAdmin certificate, Intermediate AutoAdmin and Root AutoAdmin CA certificates to the signers directory.
  5. Enroll for a new Registration Authority (RA) certificate using the re-keyed certificates’ hierarchy. Refer to the installation and configuration document provided with your version of Managed PKI for procedures.
  6. Perform a trial enrollment to verify the operation is successful.

A copy of the re-keyed AutoAdmin, AutoAdmin Intermediate and AutoAdmin Root CA certificates is available for download.

Attachment

AApilothierarchy.zip

Attachment

productionhierarchy.zip