Updating your AutoAdmin hierarchy certificates

The VeriSign Managed PKI Registration Authority Server (or the Automated Administration Server or Key Manager Server in pre-Managed PKI 7.0 versions) uses a secure communication channel between your site and Adacom. The AutoAdmin.509 certificate is located on that server and is used to encrypt information sent to the Adacom back end, as well as to check the signature on responses received from Adacom.

Periodically, VeriSign/Adacom must re-key the AutoAdmin, Intermediate AutoAdmin and Root AutoAdmin certificates. When this happens, you may have to complete some manual procedures to ensure continued communications with the Adacom back end. These procedures are explained in this solution.

 

For Managed PKI 7.2, 7.1 and 7.0 customers

Managed PKI 7.2, 7.1 and 7.0 customers must download and install the AutoAdmin, Intermediate AutoAdmin and Root AutoAdmin certificates attached to this solution using the following instructions.

  1. Stop the Registration Authority Service.
  2. Download the re-keyed AutoAdmin (AutoAdmin.509), Intermediate AutoAdmin (cacert.509) and Root AutoAdmin (aaroot.509) certificates attached to this solution.
  3. Navigate to the <MPKI RA Installation Directory>\signers directory.
  4. Rename the files AutoAdmin.509 to AutoAdmin.509.bak, cacert.509 to cacert.509.bak, and aaroot.509 to aaroot.509.bak.
  5. Copy the re-keyed AutoAdmin, Intermediate AutoAdmin and Root AutoAdmin certificates into this directory.
  6. Enroll for a new Registration Authority (RA) certificate. Refer to the installation and configuration document provided with your version of Managed PKI for procedures.
  7. Start the Registration Authority Service.
  8. Perform a test enrollment for a certificate. This enrollment should be successful.

 

For Managed PKI 6.1.3 customers

Managed PKI 6.1.3 customers must download and install AutoAdmin, Intermediate AutoAdmin and Root AutoAdmin certificates attached to this solution using the following instructions.

  1. Stop the Automated Administration Service or Key Management Service, as appropriate.
  2. Download the re-keyed AutoAdmin (AutoAdmin.509), Intermediate AutoAdmin (cacert.509) and Root AutoAdmin (aaroot.509) certificates attached to this solution.
  3. Navigate to the <MPKI RA Installation Directory>\signers directory.
  4. Rename the files AutoAdmin.509 to AutoAdmin.509.bak, cacert.509 to cacert.509.bak, and aaroot.509 to aaroot.509.bak.
  5. Copy the re-keyed AutoAdmin, Intermediate AutoAdmin and Root AutoAdmin certificates into this directory.
  6. Copy the certs.db, crls.db, and keys.db files in the signers directory to another drive or location. You can use these backed-up files should you need to restore them.
  7. Delete the current AutoAdmin, Intermediate AutoAdmin, Root AutoAdmin and Registration Authority certificates from the certificate store by running the following from a command line:
    swimport.exe -delete
    You will be prompted to delete each certificate in the certificate store based on its serial number. Enter Y to delete the current AutoAdmin, Intermediate AutoAdmin, Root AutoAdmin and Registration Authority certificates.
  8. Import the re-keyed AutoAdmin, Intermediate AutoAdmin and Root AutoAdmin certificates to the certificate store by running the following from a command line:
    swimport -file aaroot.509 -509
    swimport -file cacert.509 -509
    swimport -file AutoAdmin.509 -509
  9. Update the AA_dn value in the vsautoauth.conf file located in the signers directory with the value for your environment:
    Pilot:
    CN = Automated Administration TEST – G2,OU = FOR TEST PURPOSES ONLY,O = ADACOM S.A.,C = GR
    Production:
    CN = ADACOM Automated Administration – G2,O = ADACOM S.A.,C = GR
  10. Enroll for a new Registration Authority (RA) certificate using the re-keyed certificates’ hierarchy. Refer to the installation and configuration document provided with your version of Managed PKI for procedures.
  11. Import the new RA certificate to the certificate store by running the following from a command line:
    swimport -file cert.509 -509
     
  12. Start the Automated Administration Service or Key Management Service.
  13. Perform a test enrollment for a certificate. This enrollment should be successful.
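
A pre-install check plus steps 4 and 5 of both procedures, as an added PowerShell example that is not part of the original solution or of Managed PKI: it confirms that the three downloaded files chain as AutoAdmin -> cacert -> aaroot before swapping them into the signers directory. The `$Downloads` and `$Signers` parameters are hypothetical names, and the script assumes the .509 files are DER or Base64 X.509 and that the service is already stopped.

```powershell
# Added example, not vendor code. Run after the service is stopped (step 1).
param(
    [Parameter(Mandatory = $true)] [string] $Downloads,  # folder with the three downloaded files
    [Parameter(Mandatory = $true)] [string] $Signers     # <MPKI RA Installation Directory>\signers
)
$ErrorActionPreference = 'Stop'
$names = 'aaroot.509', 'cacert.509', 'AutoAdmin.509'     # root, intermediate, leaf

# Load the downloads. Assumption: the files are DER or Base64 X.509.
$certs = @{}
foreach ($n in $names) {
    $path = (Resolve-Path (Join-Path $Downloads $n)).Path   # throws if a file is missing
    $certs[$n] = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $path
}

# Build AutoAdmin -> cacert -> aaroot from the downloaded files only.
# The new root is not in the Windows trust store, so an unknown root is tolerated
# here and the chain is pinned to the downloaded files by thumbprint instead.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
[void]$chain.ChainPolicy.ExtraStore.Add($certs['cacert.509'])
[void]$chain.ChainPolicy.ExtraStore.Add($certs['aaroot.509'])
if (-not $chain.Build($certs['AutoAdmin.509'])) {
    throw "Chain build failed: $(($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')"
}
$built = @($chain.ChainElements | ForEach-Object { $_.Certificate.Thumbprint })
$want  = @($certs['AutoAdmin.509'].Thumbprint, $certs['cacert.509'].Thumbprint, $certs['aaroot.509'].Thumbprint)
if (($built -join ',') -ne ($want -join ',')) { throw 'Downloaded files do not form leaf -> intermediate -> root' }

# Show what is about to be trusted; compare the AutoAdmin subject with the AA_dn
# value and the thumbprints with values from a source you trust.
$names | ForEach-Object { $certs[$_] } | Format-List Subject, Issuer, NotAfter, Thumbprint

# Steps 4 and 5: refuse to clobber an earlier backup, then rename and copy.
foreach ($n in $names) {
    if (Test-Path (Join-Path $Signers "$n.bak")) { throw "$n.bak already exists in $Signers" }
}
foreach ($n in $names) {
    $live = Join-Path $Signers $n
    if (Test-Path $live) { Rename-Item -Path $live -NewName "$n.bak" }
    Copy-Item -Path (Join-Path $Downloads $n) -Destination $live
}
```

The script changes nothing in the signers directory unless all three files load, chain to each other, and no earlier .bak file would be overwritten.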

 


Copies of the AutoAdmin, AutoAdmin Intermediate and AutoAdmin Root CA certificates are available for download.
