How to replace an expired certificate in CA ACF2

Article ID: 137578

Products

ACF2, ACF2 - DB2 Option, ACF2 for zVM, ACF2 - z/OS, ACF2 - MISC

Issue/Introduction

How to replace a certificate with a new certificate using ACF2.

What commands are needed? The same certificate label will be used.          


 The Certificate is connected to the following key rings:            
 Key ring record: JOBTTSS.RING                                   
 Key ring name:                                                  
 SMPEkeyringDEVL                                                 
 Key ring record: SYSPLEX.RING                                   
 Key ring name:                                                  
 SYSPLEXring                                                     
ACF                                                              
END                                                                

Environment

Release : 16.0

Component : CA ACF2 for z/OS

Resolution

The procedure to delete and add a replacement certificate and add entries to keyring(s) is as follows.

First, list the old certificate

set profile(user) division(certdata)
list SITECERT.SMPE2018
CERTDATA / SITECERT.SMPE2018 LAST CHANGED BY ABCDE01 ON 02/15/20-09:41
Certificate is connected to the following key rings:   
Key ring record: JOBTTSS.RING                      
Key ring name:  JOBTTSS.RING      
Key ring record: SYSPLEX.RING                      
Key ring name:  SYSPLEX.RING                               

List the keyrings to which the certificate (SITECERT.SMPE2018) is connected by using the following command(s).

ACF
SET PROFILE(USER) DIV(KEYRING)
LIST JOBTTSS.RING
LIST SYSPLEX.RING
END

The commands above show how the certificate is currently defined in the keyring(s).

Each keyring contains an entry for the existing SITECERT.SMPE2018 with a USAGE parameter. Note this USAGE value; it is needed when connecting the new certificate to the keyring.

Note: It is not necessary to remove the certificate from the keyring first, because the delete does this automatically.

The commands to add the new certificate are as follows:

ACF
SET PROFILE(USER) DIV(CERTDATA)
DELETE SITECERT.SMPE2018
F ACF2,REBUILD(USR),CLASS(P)
F ACF2,OMVS

INSERT SITECERT.SMPE2019 LABEL(smpecert) DSN('ABCDE01.SMPE.CERT2019')

CONNECT CERTDATA(SITECERT.SMPE2019) KEYRING(JOBTTSS.RING) USAGE(PERSONAL)

CONNECT CERTDATA(SITECERT.SMPE2019) KEYRING(SYSPLEX.RING) USAGE(PERSONAL)

F ACF2,REBUILD(USR),CLASS(P)

F ACF2,OMVS

END

If the old USAGE value was CERTAUTH or SITECERT, change the USAGE value in the CONNECT commands to match.

If the certificate is also defined as the default certificate in the keyrings, add the DEFAULT parameter to the CONNECT commands.
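
The following pre-change check is an added example, not part of the original article or of the product. It reads a replacement command deck and reports any CONNECT that names a record which was never INSERTed, any old keyring left without the new certificate, any USAGE value that differs from the old one, and a missing rebuild. The names check_deck, param, DECK and OLD_RINGS are hypothetical, and the deck and ring values are constructed samples.

```python
import re

# Constructed command deck modelled on the procedure above. The second CONNECT
# deliberately misspells the record name to show what the check reports.
DECK = """\
SET PROFILE(USER) DIV(CERTDATA)
DELETE SITECERT.SMPE2018
INSERT SITECERT.SMPE2019 LABEL(smpecert) DSN('ABCDE01.SMPE.CERT2019')
CONNECT CERTDATA(SITECERT.SMPE2019) KEYRING(JOBTTSS.RING) USAGE(PERSONAL)
CONNECT CERTDATA(SITECERT.SMP2019) KEYRING(SYSPLEX.RING) USAGE(PERSONAL)
F ACF2,REBUILD(USR),CLASS(P)
"""

# Old keyrings and their USAGE values, noted before the delete (constructed).
OLD_RINGS = {"JOBTTSS.RING": "PERSONAL", "SYSPLEX.RING": "PERSONAL"}

def param(line, name):
    """Return the value of NAME(value) on an upper-cased command line, or None."""
    m = re.search(rf"\b{name}\(([^)]*)\)", line)
    return m.group(1) if m else None

def check_deck(deck, old_rings):
    """Return a list of problems found in a certificate replacement deck."""
    problems, inserted, connected = [], set(), {}
    last_change = last_rebuild = -1
    for n, raw in enumerate(deck.splitlines(), 1):
        line = raw.strip().upper()
        words = line.split()
        if not words:
            continue
        if words[0] in ("DELETE", "INSERT", "CONNECT"):
            last_change = n
        if words[0] == "INSERT" and len(words) > 1:
            inserted.add(words[1])
        elif words[0] == "CONNECT":
            cert, ring = param(line, "CERTDATA"), param(line, "KEYRING")
            if cert in inserted:
                connected[ring] = param(line, "USAGE")
            else:
                problems.append(f"line {n}: CONNECT names {cert}, which was not INSERTed")
        elif words[0] == "F" and "REBUILD(USR)" in line:
            last_rebuild = n
    for ring, usage in old_rings.items():
        if ring not in connected:
            problems.append(f"{ring}: no valid CONNECT for the new certificate")
        elif connected[ring] != usage:
            problems.append(f"{ring}: USAGE({connected[ring]}) differs from old USAGE({usage})")
    if last_rebuild < last_change:
        problems.append("no F ACF2,REBUILD(USR),CLASS(P) after the last change")
    return problems
```

Run check_deck(DECK, OLD_RINGS) on the deck before submitting it; an empty list means every old keyring receives the new certificate with the same USAGE and a rebuild follows the last change.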

Additional Information

Note that the signing certificate of the new certificate (SITECERT.SMPE2019) may also need to be changed and connected to the same keyring(s).