Perform the following steps to set up automatic certificate
renewal.
Before you begin
You need to decide for which certificate templates you want
to set up automatic certificate renewal. For a description of the
templates provided by PKI Services, see Supported certificate types.
Procedure
- In the CertPolicy section of the pkiserv.config configuration
file, set the field ExpireWarningTime to specify how soon (in days
or weeks) before a certificate expires to renew it and send the renewed
certificate to its owner. For example, to automatically renew certificates
two weeks before they expire:
ExpireWarningTime=2w
_______________________________________________________________
- Set up the renewed certificate e-mail notification form.
  - Copy the sample renewed certificate notification form,
    renewcertmsg.form, from the samples directory to the runtime directory.
    For more information, see Steps for copying files.
  - Customize the renewed certificate notification form with your
    company's information. For more information, see Customizing
    e-mail notifications sent to users.
  - In the General section of the pkiserv.config configuration
    file, set the field RenewCertForm to indicate the file that contains
    the renewed certificate notification form. For example:
    RenewCertForm=/etc/pkiserv/renewcertmsg.form
_______________________________________________________________
- If you are implementing the Web application using REXX CGI
execs, in each template for which you want certificates to be automatically
renewed, insert the AUTORENEW tag immediately following the NICKNAME
tag, if it is not already there, and set it to Y.
For example:
<TEMPLATE NAME=1-Year PKI SSL Browser Certificate>
<TEMPLATE NAME=PKI Browser Certificate>
<NICKNAME=1YBSSL>
<AUTORENEW=Y>
If you are implementing the Web application using Java™ server
pages (JSPs), for each certificate request template for which you want
certificates to be automatically renewed, include the tag
<tns:AutoRenew>Y</tns:AutoRenew>.
For example:
<tns:certreq_template>
<tns:certname>1-Year SAF Browser Certificate</tns:certname>
<tns:certtype>SAF Browser Certificate</tns:certtype>
<tns:AutoRenew>Y</tns:AutoRenew>
⋮
_______________________________________________________________
- For each certificate type that you want to be automatically
renewed, except the PKI generated key certificate, make NotifyEmail
a required field.
To do this if you are implementing the Web application using REXX
CGI execs, in each template for which you want certificates to be
automatically renewed (except the PKI generated key certificate),
remove the string (optional) following the NotifyEmail tag, if it is
specified. For example, change
%%NotifyEmail (optional)%%
to
%%NotifyEmail%%
If you are implementing the Web application using Java server pages
(JSPs), for each certificate request template for which you want
certificates to be automatically renewed (except the PKI generated key
certificate), remove the string optional="true" following the
NotifyEmail tag, if it is specified. For example, change:
<tns:NotifyEmail optional="true" />
to
<tns:NotifyEmail />
Note: For a PKI generated key certificate, the requestor name is an
e-mail address and overrides the NotifyEmail value if specified.
_______________________________________________________________
Results
When you are done, you have set up automatic certificate
renewal.
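
The following check is an added example, not part of the original PKI Services documentation. It reads a pkiserv.config excerpt and a REXX CGI template excerpt and reports where the steps above are inconsistent, for instance a template with AUTORENEW=Y whose NotifyEmail field is still optional. The function names, the exempt parameter (nicknames to skip, such as your PKI generated key template), the [Section] header syntax, the </TEMPLATE> closing tag and the second sample template are assumptions.

```python
import re

# Constructed sample inputs; [Section] headers and </TEMPLATE> are assumed syntax.
SAMPLE_CONFIG = """\
[CertPolicy]
ExpireWarningTime=2w
[General]
RenewCertForm=/etc/pkiserv/renewcertmsg.form
"""
SAMPLE_TEMPLATES = """\
<TEMPLATE NAME=1-Year PKI SSL Browser Certificate>
<TEMPLATE NAME=PKI Browser Certificate>
<NICKNAME=1YBSSL>
<AUTORENEW=Y>
%%NotifyEmail (optional)%%
</TEMPLATE>
<TEMPLATE NAME=Example Server Certificate>
<NICKNAME=EXSRV>
<AUTORENEW=Y>
%%NotifyEmail%%
</TEMPLATE>
"""

def parse_config(text):
    """Return {section: {key: value}} from the configuration text."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return sections

def check_autorenew(config_text, template_text, exempt=()):
    """Return a list of findings; an empty list means the steps are consistent."""
    cfg, findings = parse_config(config_text), []
    # Assumed value syntax: digits followed by d (days) or w (weeks), as in 2w.
    if not re.fullmatch(r"\d+[dw]", cfg.get("CertPolicy", {}).get("ExpireWarningTime", "")):
        findings.append("CertPolicy: ExpireWarningTime missing or not <n>d/<n>w")
    if not cfg.get("General", {}).get("RenewCertForm"):
        findings.append("General: RenewCertForm not set")
    for block in re.findall(r"<TEMPLATE NAME=.*?</TEMPLATE>", template_text, re.S):
        nick = re.search(r"<NICKNAME=([^>]+)>", block)
        name = nick.group(1) if nick else "?"
        # Renewed certificates are e-mailed to the owner, so NotifyEmail must be required.
        if "<AUTORENEW=Y>" in block and name not in exempt and "%%NotifyEmail%%" not in block:
            findings.append(f"{name}: AUTORENEW=Y but NotifyEmail is not a required field")
    return findings
```

Run against the constructed samples, check_autorenew(SAMPLE_CONFIG, SAMPLE_TEMPLATES) flags only the 1YBSSL template, which still carries %%NotifyEmail (optional)%%.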