What is the procedure to send an expiring certificate out to a 3rd party Certificate Authority to be renewed? A certificate is about to expire and needs to be sent to a 3rd party Certificate Authority to be re-signed and renewed.

Release: TOPSEC00200-16-Top Secret-Security
Component:

To send a certificate out to be resigned and renewed from a 3rd party certificate authority, use the TSS GENREQ command. The GENREQ command's purpose is to export the certificate to a dataset in a format conducive to being signed by a 3rd party certificate authority.

The TSS GENREQ command builds a PKCS10 package which is the format used to sign and renew certificates. A PKCS10 certificate does not have a private key.

The TSS GENREQ command puts the public key in the PKCS10 package for signing. The private key remains on the security file with the original version of the certificate.  Do not remove this original version of the certificate or it will remove the private key.

When the certificate is returned, add it back to the security file under a new DIGICERT name. It must also be added ack to the same original owner of the certificate in order to pair the keys.