Re-Sign And Renew An Expiring Digital Certificate In Top Secret

Article ID: 16416

Products

CA Top Secret, CA Top Secret - LDAP

Issue/Introduction

A certificate is about to expire and must be sent to a 3rd party Certificate Authority to be re-signed and renewed. What is the procedure for sending the expiring certificate out to the CA, and for getting the renewed certificate back into Top Secret?

Environment

Release: TOPSEC00200-16-Top Secret-Security

Resolution

To send a certificate out to be re-signed and renewed by a 3rd party certificate authority, use the TSS GENREQ command. The purpose of GENREQ is to export the certificate to a data set in the format a 3rd party certificate authority accepts for signing.

The TSS GENREQ command builds a PKCS #10 package (a certificate signing request), which is the format certificate authorities use to sign and renew certificates. A PKCS #10 request carries the subject name and the public key and is signed with the private key to prove possession of it; the private key itself is never part of the package.

The TSS GENREQ command puts only the public key in the PKCS #10 package for signing. The private key stays on the security file with the original DIGICERT record of the certificate. Do not remove that original certificate record while the request is out at the CA: removing it deletes the private key along with it, and the renewed certificate the CA returns can then never be paired with a key.

When the signed certificate is returned, add it to the security file under a new DIGICERT name so that the original record is not overwritten. It must be added to the same ACID that owns the original certificate, because Top Secret pairs the returned certificate with the existing private key under that owner; adding it to a different owner leaves the renewed certificate without a private key.
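The two facts the procedure above depends on (the PKCS #10 package carries no private key, and the certificate the CA returns must still match the key pair that stayed on the security file) can be checked with OpenSSL on a workstation before anything is added back to Top Secret. The script below is an added example, not part of the original article or of the Top Secret product; every file in it is a constructed stand-in: a locally generated RSA key takes the place of the key pair in the security file, request.p10 takes the place of the data set GENREQ exports, and a self-signed "Example Issuing CA" takes the place of the 3rd party CA. The subject names and the file names are made up.

```shell
#!/bin/sh
# Added verification example (not from the Top Secret article). Confirms with
# OpenSSL that a PKCS #10 request holds only the public key and that a returned
# certificate matches the key pair that never left. All inputs are constructed
# stand-ins: original.key for the key pair in the security file, request.p10 for
# the GENREQ export, and a self-signed "Example Issuing CA" for the 3rd party CA.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# SHA-256 fingerprint of the public key held in a PEM file. KIND selects the
# parser: priv (private key), req (PKCS #10 request) or x509 (certificate).
pubkey_fingerprint() {
    kind="$1"; file="$2"
    case "$kind" in
        priv) openssl pkey -in "$file" -pubout ;;
        req)  openssl req  -in "$file" -noout -pubkey ;;
        x509) openssl x509 -in "$file" -noout -pubkey ;;
    esac | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# Number of PEM private-key blocks in a file (0 means no private key is present).
private_key_blocks() {
    grep -c -- '-----BEGIN .*PRIVATE KEY-----' "$1" || true
}

# Succeeds only when key, request and returned certificate all share one public
# key, i.e. the certificate can be paired with the private key that stayed behind.
verify_renewal() {
    key_fp="$(pubkey_fingerprint priv "$1")"
    req_fp="$(pubkey_fingerprint req "$2")"
    crt_fp="$(pubkey_fingerprint x509 "$3")"
    [ "$key_fp" = "$req_fp" ] && [ "$req_fp" = "$crt_fp" ]
}

# --- constructed inputs -----------------------------------------------------
# Stand-in for the key pair that GENREQ leaves on the security file.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/original.key" 2>/dev/null
# Stand-in for the exported PKCS #10 package; the subject name is made up.
openssl req -new -key "$WORK/original.key" \
    -subj "/C=US/O=Example Corp/CN=mainframe.example.com" \
    -out "$WORK/request.p10" 2>/dev/null
# Stand-in for the 3rd party CA, which re-signs the request into a new certificate.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/C=US/O=Example CA/CN=Example Issuing CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
openssl x509 -req -in "$WORK/request.p10" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -out "$WORK/renewed.crt" 2>/dev/null
# An unrelated key pair: what is left if the original record was removed while
# the request was out and a fresh key pair was generated in its place.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/replacement.key" 2>/dev/null

# --- checks -----------------------------------------------------------------
echo "private-key blocks in request.p10: $(private_key_blocks "$WORK/request.p10")"
if verify_renewal "$WORK/original.key" "$WORK/request.p10" "$WORK/renewed.crt"; then
    echo "renewed.crt pairs with original.key"
fi
if ! verify_renewal "$WORK/replacement.key" "$WORK/request.p10" "$WORK/renewed.crt"; then
    echo "renewed.crt cannot be paired with replacement.key"
fi
```

To apply this to a real renewal, download the GENREQ data set and the certificate the CA returned to a workstation (as text, so the PEM lines are not mangled) and run the same three OpenSSL commands against them; if the public key in the returned certificate does not match the one in the request, the CA signed something other than what was sent, and adding it back to the ACID will not pair it with the private key on the security file.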