Changing Certificates from SHA1 to SHA256 (SHA2) in Top Secret


Article ID: 144859


Updated On:

Products

CA Top Secret CA Top Secret - LDAP

Issue/Introduction

How to change SHA1 Certificates to SHA256 (SHA2) in Top Secret.

Environment

Release : 16.0

Component : CA Top Secret for z/OS

Resolution

An existing SHA1 certificate cannot be converted into a SHA256 certificate.
The hash algorithm (SHA1 or SHA256) used to sign a certificate is fixed when the certificate is generated and signed and cannot be changed afterwards.

To move from SHA1 to SHA256, new certificates signed with SHA256 are required.
In Top Secret the new certificates are created as follows:

1) Generate a new certificate with the GENCERT command, specifying a KEYSIZE of at least 2048 so that the certificate is signed with SHA256.
2) Issue a GENREQ to create the CSR. (DO NOT DELETE the original certificate: it is where the certificate's private key is held.)
3) Send the CSR data set to the CA to be signed.
4) Receive the signed certificate from the CA.
5) ADD it back to the owning acid with a slightly different name so that Top Secret pairs it with the existing private key. LIST the certificate to make sure it has a private key.
6) ADD the new certificate to the necessary keyrings.
Note: The old certificate can be removed from the keyring(s) for testing, but do not remove the old certificate from the owning acid until all testing has been done and everything is working.
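The command sequence below is an added illustration of the six steps and is not part of the original article; the acid (SRVACID), certificate names, labels, data set names, keyring name and subject are placeholders, and the keyword spellings are as assumed for Top Secret's GENCERT, GENREQ, ADD, LIST and REMOVE commands.

```tso
/* Step 1: new 2048-bit key pair; KEYSIZE(2048) yields a SHA256-signed certificate */
TSS GENCERT(SRVACID) DIGICERT(SRVCRT2) +
    SUBJECTN('CN="server.example.com" OU="Mainframe" O="Example" C="US"') +
    KEYSIZE(2048) LABLCERT('SERVERCERT2')

/* Step 2: write the CSR to a data set. The private key stays with SRVCRT2, */
/* so SRVCRT2 must NOT be deleted.                                          */
TSS GENREQ(SRVACID) DIGICERT(SRVCRT2) DCDSN('SRVACID.SRVCRT2.CSR')

/* Steps 3-4: send SRVACID.SRVCRT2.CSR to the CA and store the signed       */
/* certificate it returns in SRVACID.SRVCRT2.SIGNED (placeholder names).    */

/* Step 5: add the signed certificate back under a slightly different name; */
/* Top Secret pairs it with the private key held by SRVCRT2.                */
TSS ADD(SRVACID) DIGICERT(SRVCRT2S) DCDSN('SRVACID.SRVCRT2.SIGNED') +
    LABLCERT('SERVERCERT2S')

/* Check before going further: the listing must show a private key.        */
TSS LIST(SRVACID) DIGICERT(SRVCRT2S)

/* Step 6: connect the new certificate to the keyring the server uses.      */
TSS ADD(SRVACID) KEYRING(SRVRING) RINGDATA(SRVACID,SRVCRT2S) +
    USAGE(PERSONAL) DEFAULT

/* Testing: the old certificate (SRVCRT1, placeholder) may leave the         */
/* keyring, but it stays on the acid until cut-over has been verified.      */
TSS REMOVE(SRVACID) KEYRING(SRVRING) RINGDATA(SRVACID,SRVCRT1)
```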