Chapter 4. Requesting, Enrolling, and Managing Certificates
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
Enter Password or Pin for "NSS Certificate DB":
< 0> rsa 69481646e38a6154dc105960aa24ccf61309d37d caSigningCert cert-pki-ca
4. Copy the alias directory as a backup, then delete the original certificate from the certificate
database. For example:
certutil -D -n "ServerCert cert-example" -d .
5. Run the certutil command with the options set to the values in the existing certificate.
certutil -d . -R -k "NSS Certificate DB:cert-pki-ca" -s "cn=CA Authority,o=Example Domain" -a -o example.req2.txt
The difference between generating a new certificate and key pair and renewing the certificate is
the value of the -k option. To generate an entirely new request and key pair, -k sets the key
type and is used with -g, which sets the bit length. For a renewal request, the -k option uses the
certificate nickname to access the existing key pair stored in the security database.
The options used to generate the renewal request are listed in Table 4.1, "Options for
Requesting Certificates with certutil", and more information about certutil is available at
http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html.
6. Submit the certificate request and then retrieve it and install it, as described in
Section 4.3.2, "Requesting Certificates Using certutil".
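The check below is an added example, not part of the guide: before a renewal request is made, it confirms that the security database still lists a private key under the certificate nickname, then issues the request as in step 5, with a new-key request shown for contrast. The function names are hypothetical, and it assumes the key listing above is the output of certutil -K.

```shell
#!/bin/sh
# Added example, not from the guide. Constructed sample: the key listing
# shown on this page (assumed to be the output of `certutil -K -d .`).
SAMPLE_KEYS='certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa      69481646e38a6154dc105960aa24ccf61309d37d   caSigningCert cert-pki-ca'

# key_id_for NICKNAME (hypothetical helper)
# Reads a key listing on stdin and prints the key ID stored under exactly
# that nickname. Exit status is 1 when no such key is listed.
key_id_for() {
    sed -n 's/^<[ 0-9]*>[[:space:]]*//p' |      # keep only "< n> type id nickname" rows
    awk -v want="$1" '
        { id = $2; $1 = ""; $2 = ""; sub(/^[ \t]+/, "")   # $0 is now the nickname
          if ($0 == want) { print id; found = 1 } }
        END { exit !found }'
}

# new_request DBDIR BITS SUBJECT OUTFILE
# Entirely new request: -k names the key type, -g the bit length.
new_request() {
    certutil -R -d "$1" -k rsa -g "$2" -s "$3" -a -o "$4"
}

# renewal_request DBDIR NICKNAME KEYREF SUBJECT OUTFILE
# Renewal: -k refers to the existing key pair (KEYREF, written as in step 5).
# Refuses to continue when the database lists no key under NICKNAME.
renewal_request() {
    keys=$(certutil -K -d "$1") || return 1
    id=$(printf '%s\n' "$keys" | key_id_for "$2") || {
        echo "no private key listed for \"$2\"; nothing to reuse" >&2
        return 1
    }
    echo "renewal request will reuse key $id" >&2
    certutil -R -d "$1" -k "$3" -s "$4" -a -o "$5"
}
```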