search cancel

Exporting issuer certificates in CA Top Secret


Article ID: 129914


Updated On:


Top Secret


A issuer certificate is about to expire. Can you export one of the long term issuer certificates and them import it to an LPAR that has an expiring one? What makes a certificate an issuer? Is it one of the parameters on the GENCERT command? 


Component: TSSMVS


When you list a certificate, it will have a subject distinguished name and issuer distinguished name.

The issuer is the certificate that signed the certificate.

The issuer will match the subject distinguished name of the certificate that signed it.

Yes you can export the issuer to any system. It just a certificate.

A certificate can be signed by a 3rd party or by TSS. If you choose a third party.

You would issue a TSS GENREQ to create a certificate signing request dataset. Then send that dataset to your 3rd party signer, and they will sign it.

You will get back the certificate signed and a copy of the root certificate they used to sign it.

If you choose TSS to sign a certificate, you will use the SIGNWITH keyword to sign the certificate when you create it with the TSS GENCERT command.

SIGNWITH tells the TSS GENCERT command what root certificate to sign the certificate being created.

As long as a certificate is in a supported format by TSS you can send copies to any TSS system.