Replacing CA's that have signed multiple server/client certificates. in CA Top Secret

book

Article ID: 131940

calendar_today

Updated On:

Products

CA Top Secret CA Top Secret - LDAP

Issue/Introduction

What is the effect of replacing a signing CA that has signed multiple (externally supplied) digital certificates, especially when an external party has sent a replacement CA that is identical to the old CA, except for an updated expiration date? Is there an easier way to do this other than removing every signed certificate and the signing CA from the TSS Database, then installing the new CA then all of the signed certificates?

Environment

Release:
Component: TSSMVS

Resolution

If the certificate is a totally new CA and was not used to sign the current client certs, the client certs will no longer work. 

If the certificate is a renewed CA cert, then they should work. 

Is the CA cert a third party cert or an internal one created by TSS? 

If its a 3rd party cert, you have to as the third party like GEOTRUST or GODADDY, SYMANTEC, etc.. if the cert they gave you is a totally different CA cert or a renewed cert. Its only the renewed cert, that will allow you to you to continue to use the same client certs. If its a totally new CA cert, then you will also need to create new client certs and have them signed by the new CA cert. Since its a 3rd party cert, its best to ask you vendor if they will work with you old client certs or will you need to create new one and have them signed by the new root cert. 

If its an internal CA cert created by TSS, then you can use the TSS RENEW command to renew the certificate. TSS RENEW command is only for those certs created by TSS. Please see the following link: 
https://docops.ca.com/ca-top-secret-for-z-os/16-0/en/using/issuing-commands-to-communicate-administrative-requirements/command-functions/renew-functionrenew-a-digital-certificate