Help to replace an expiring certificate in Top Secret

Article ID: 106163

Updated On:

Products

CA Top Secret
CA Top Secret - LDAP

Issue/Introduction

A new version of a certificate, with new dates, is in a data set. It needs to replace the expiring version of the certificate and be added to the keyring.

Environment

Release:
Component: CM-YU

Resolution

Here are the commands to put in the new certificate. 

Note: The expiring certificate has had a GENREQ issued and the dataset was sent to the CA to have the dates extended. The certificate was sent back and now resides in a dataset.

1. Rename LABLCERT to 'EXPIREDCERT' 
TSS REP(owningacid) DIGICERT(CERT1) LABLCERT(EXPIREDCERT) 

The owningacid is the owning acid of the certificate. 

2. Add new certificate to CA Top Secret. 
TSS ADD(owningacid) DIGICERT(CERT2) DCDSN(datasetname) LABLCERT(CERT1) 

'owningacid' should be the owning acid you used when you issued the TSS GENREQ command. It is critical to use the correct owning acid; otherwise the private key will be lost.

3. Remove old certificate from keyring. 
TSS REM(TCP) KEYRING(DALKRING) RINGDATA(owningacid,CERT1) 

4. Add new certificate to the keyring 
TSS ADD(TCP) KEYRING(DALKRING) RINGDATA(owningacid,CERT2) USAGE(PERSONAL) DEFAULT 

The owningacid should be the same as the one used in step 2. 

A recycle is required for the changes to go into effect. 

To back out the changes:

1. Remove new certificate from keyring. 
TSS REM(TCP) KEYRING(DALKRING) RINGDATA(owningacid,CERT2) 

2. Put the old certificate back on the keyring
TSS ADD(TCP) KEYRING(DALKRING) RINGDATA(owningacid,CERT1) 

3. Rename the LABLCERT: 

TSS REP(owningacid) DIGICERT(CERT2) LABLCERT(NEWCERT) 
TSS REP(owningacid) DIGICERT(CERT1) LABLCERT(CERT1) 

Recycle the address space for the change to go into effect.
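
A pre-flight check for the replacement sequence above, as an added example that is not part of the original article or of CA Top Secret: the hypothetical `lint` helper dry-runs a change script and flags the mistakes the steps warn about (ADD under an ACID other than the GENREQ one, a label still held by the old certificate, a keyring connect for a certificate that is not defined). It assumes a label can be held by only one certificate under an ACID, which is why step 1 renames first; `USER01` and the data set name are constructed placeholders.

```python
import re

CMD = re.compile(r"TSS\s+(ADD|REP|REM)\((\w+)\)\s+(.*)", re.I)
KW = re.compile(r"(\w+)\(([^)]*)\)")

def lint(script, genreq_acid, certs, ring):
    """Dry-run a change script; return a list of problems (empty list = clean).

    certs: {(acid, digicert_name): label} as defined before the change
    ring:  set of (acid, digicert_name) connected to the keyring before the change
    """
    certs, ring, problems = dict(certs), set(ring), []
    for n, line in enumerate(script.strip().splitlines(), 1):
        m = CMD.fullmatch(line.strip())
        if not m:
            problems.append(f"line {n}: not a TSS ADD/REP/REM command")
            continue
        verb, acid = m.group(1).upper(), m.group(2).upper()
        kw = {k.upper(): v.upper() for k, v in KW.findall(m.group(3))}
        if "RINGDATA" in kw:  # keyring connect or disconnect
            entry = tuple(p.strip() for p in kw["RINGDATA"].split(","))
            if verb == "REM":
                if entry not in ring:
                    problems.append(f"line {n}: {entry} is not on the keyring")
                ring.discard(entry)
            elif entry not in certs:
                problems.append(f"line {n}: {entry} is not defined under that ACID")
            else:
                ring.add(entry)
        elif "DIGICERT" in kw:  # certificate add or relabel
            key, label = (acid, kw["DIGICERT"]), kw.get("LABLCERT")
            # Assumption: one certificate per label under an ACID.
            clash = [k for k, v in certs.items() if v == label and k != key and k[0] == acid]
            if label and clash:
                problems.append(f"line {n}: label {label} still held by {clash[0][1]}")
            if verb == "ADD" and acid != genreq_acid.upper():
                problems.append(f"line {n}: ADD under {acid}, but GENREQ was under {genreq_acid}")
            certs[key] = label
    return problems

# Constructed sample state and script; USER01 and the data set name are placeholders.
BEFORE_CERTS = {("USER01", "CERT1"): "CERT1"}
BEFORE_RING = {("USER01", "CERT1")}
ARTICLE_ORDER = """
TSS REP(USER01) DIGICERT(CERT1) LABLCERT(EXPIREDCERT)
TSS ADD(USER01) DIGICERT(CERT2) DCDSN(USER01.NEW.CERT) LABLCERT(CERT1)
TSS REM(TCP) KEYRING(DALKRING) RINGDATA(USER01,CERT1)
TSS ADD(TCP) KEYRING(DALKRING) RINGDATA(USER01,CERT2) USAGE(PERSONAL) DEFAULT
"""

if __name__ == "__main__":
    print(lint(ARTICLE_ORDER, "USER01", BEFORE_CERTS, BEFORE_RING))
```

The backout sequence can be checked the same way by passing the post-change certificate labels and keyring contents as the starting state.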