With ACF2, how can Digital Certificates With ICSF Keys be migrated to another system?
This document discusses how to migrate Digital Certificates whose private key is stored in ICSF when using CA ACF2 as the External Security Manager.
Migrating an ICSF private key from one system to another Private keys generated by ICSF on behalf of CA ACF2 or stored into ICSF's PKA data set (PKDS) by CA ACF2 are always encrypted and cannot be recovered in a clear form. Therefore, certificates with such keys cannot be exported from CA ACF2 in PKCS #12 format. In general, this restricts your ability to migrate certificates and their private keys from one system to another and share them among multiple systems. However, you can migrate a certificate and its ICSF private key when both the source and target systems are z/OS systems configured to use ICSF and both share the same ICSF PKA master key. The systems need not share the same CA ACF2 database nor share the same ICSF PKDS.
Using the following steps, you can generate a new certificate with a private ICSF key on system A (the source system) and replicate the same certificate and key on system B (the target system). In the ACF2 GENCERT command examples shown, the certificate you are migrating is associated with the user ID SYSMAN and has the CA ACF2 certificate label 'SECURE.KEY'. The ICSF private key has the PKDS key label 'SECURE.KEY' and is generated by the PCI cryptographic coprocessor. On the target system, 'MIGRATED.KEY' will be the value used for the CA ACF2 certificate and PKDS key labels. (Note, they could have the same value as the source system if desired.)
Steps for migrating a certificate and its ICSF private key
Before you begin: