The SSL certificates of our Directory Management UI servers (the Management UI node.js server and SCIM server) are about to expire. The servers are running in Windows.
We followed the Directory documentation to renew the certificates: https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/directory/14-1/administrating/troubleshooting-ca-directory/creating-directory-manager-certificates-after-expiration.html
However, after we run createCerts.bat, the server certificates (webservercert.pem and scimclientcert.pem) are empty.
We can see this error in the createCerts.bat output:
ERROR:There is already a certificate for /CN=<FQDN>/ST=Victoria/C=AU/O=CA Technologies/OU=Directory Management UI node.js
How can we renew the certificates?
Release: 12.x; 14.x
The problem is that the current Management UI server and SCIM server certificates have not expired yet.
OpenSSL maintains a database of the certificates it has issued, and it refuses to create a certificate whose subject matches an already issued certificate that has not yet expired.
Under the "management-ui\CA" folder (by default "C:\Program Files\CA\Directory\management-ui\CA" on Windows), find the "index.txt.attr" file.
The above file should contain this configuration parameter:
unique_subject = yes
Edit that file and change the above parameter to
unique_subject = no
Then run createCerts.bat again and continue the certificate renewal procedure as described in the Directory documentation linked above.
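To make the cause concrete, here is an added Python example (not Broadcom's code and not part of createCerts.bat) that parses the two files OpenSSL keeps in the CA folder, index.txt and index.txt.attr, and reports whether "openssl ca" would refuse the Management UI subject with the error quoted above. It assumes the CA folder follows the standard OpenSSL CA database layout; the index rows, serial numbers and the FQDN dirmgmt.example.test are constructed for the example.

```python
"""Inspect an OpenSSL CA database for the subject-uniqueness conflict behind
"ERROR:There is already a certificate for <subject>".

Added example, not part of the Directory documentation or createCerts.bat.
Assumes the management-ui\\CA folder holds a standard OpenSSL CA database:
index.txt (one tab-separated row per issued certificate) and index.txt.attr.
The rows, serials and the FQDN dirmgmt.example.test below are constructed."""
from datetime import datetime, timezone

# Subject the renewal tries to issue; the FQDN is a constructed placeholder.
NODE_SUBJECT = ("/CN=dirmgmt.example.test/ST=Victoria/C=AU"
                "/O=CA Technologies/OU=Directory Management UI node.js")
SCIM_SUBJECT = ("/CN=dirmgmt.example.test/ST=Victoria/C=AU"
                "/O=CA Technologies/OU=Directory Management UI SCIM client")

# Constructed index.txt. Columns: status (V/R/E), expiry (YYMMDDHHMMSSZ),
# revocation date (empty unless revoked), serial, filename, subject DN.
SAMPLE_INDEX = "\n".join([
    "V\t261130235959Z\t\t1001\tunknown\t" + NODE_SUBJECT,
    "R\t261130235959Z\t250101000000Z\t1000\tunknown\t" + NODE_SUBJECT,
    "V\t261130235959Z\t\t1002\tunknown\t" + SCIM_SUBJECT,
]) + "\n"
SAMPLE_ATTR = "unique_subject = yes\n"


def parse_index(text):
    """Parse index.txt rows into dicts; raise on a malformed row."""
    rows = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError(f"index.txt line {lineno}: expected 6 fields, got {len(fields)}")
        status, expiry, revoked, serial, _filename, subject = fields
        rows.append({
            "status": status,
            "not_after": datetime.strptime(expiry, "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc),
            "revoked": revoked or None,
            "serial": serial,
            "subject": subject,
        })
    return rows


def parse_attr(text):
    """Parse index.txt.attr ('key = value' lines) into a dict."""
    attrs = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            attrs[key.strip()] = value.strip()
    return attrs


def conflicting_entries(rows, subject):
    """Rows that block issuance of `subject` under unique_subject = yes.

    openssl ca indexes only rows whose status is still 'V'. A row is changed
    to 'E' only when 'openssl ca -updatedb' is run, so a certificate that has
    already expired can keep blocking renewal until the database is updated."""
    return [r for r in rows if r["status"] == "V" and r["subject"] == subject]


def would_reject(index_text, attr_text, subject):
    """Return (rejected, conflicts): whether openssl ca would refuse `subject`."""
    unique = parse_attr(attr_text).get("unique_subject", "yes").lower() == "yes"
    if not unique:
        return False, []
    conflicts = conflicting_entries(parse_index(index_text), subject)
    return bool(conflicts), conflicts


def set_unique_subject(attr_text, value):
    """Return index.txt.attr content with unique_subject set to `value`."""
    kept = [line for line in attr_text.splitlines()
            if not line.strip().startswith("unique_subject")]
    kept.append(f"unique_subject = {value}")
    return "\n".join(kept) + "\n"


def still_valid(entry, now=None):
    """True while the entry's notAfter lies in the future."""
    now = now or datetime.now(timezone.utc)
    return entry["not_after"] > now


if __name__ == "__main__":
    rejected, conflicts = would_reject(SAMPLE_INDEX, SAMPLE_ATTR, NODE_SUBJECT)
    for c in conflicts:
        print(f"blocking serial {c['serial']}, notAfter {c['not_after']:%Y-%m-%d}, "
              f"still valid: {still_valid(c)}")
    fixed_attr = set_unique_subject(SAMPLE_ATTR, "no")
    print("rejected before:", rejected, "| after unique_subject = no:",
          would_reject(SAMPLE_INDEX, fixed_attr, NODE_SUBJECT)[0])
```

Two points worth keeping in mind when reading the output: only rows still marked V count, so a certificate that is past its notAfter date but has never been moved to E by "openssl ca -updatedb" still triggers the error; and after the switch to unique_subject = no the previous certificate stays listed as valid in index.txt until it expires or is revoked, so keep the database intact if you ever need to revoke it.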