ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

Top Secret Replace/Renew a digital certificate best practices

book

Article ID: 16065

calendar_today

Updated On:

Products

Top Secret

Issue/Introduction

Is there a best approach to replacing or renewing digital certificates.

 

 

 

Environment

Release: TOPSEC00200-16-Top Secret-Security
Component:

Resolution

There are a couple of approaches.

1. Backup the old certs to datasets, delete the certs, add new certs.
2. Keep the old certs, add new certs with different unique names, remove the old certs from keyring and add the new certs to the keyring. Since you don't delete anything, you can put it back easily.
3. Use the TSS RENEW command, but can only be used against certs created by CA Top Secret and not a 3rd party Certificate Authority.
4. Use TSS REKEY/ROLLOVER if the new certificate needs to added to many keyrings.

There are benefits to each approach.
1 Is easiest to do, but backing out is not as easy as 2.
2 Is second easiest to do administratively but easiest to blackout.
3 Quickest method to renew but the certs must be created by CA Top Secret.
4. Hardest to back out but easiest if you have thousands of keyrings you need to add the certificate to. If you don't have thousands of keyrings and only have a few keyrings, 1 or 2 is a easier/better option.