Lost private key after Top Secret CSR certificate returned from 3rd party Certificate Authority

Article ID: 17619

Products

Top Secret

Issue/Introduction

A certificate signing request (CSR) was created with the TSS GENREQ command so it could be signed by a 3rd party Certificate Authority (such as Verisign). When the signed certificate was returned from the 3rd party Certificate Authority and added back to the Top Secret Security File, the TSS LIST output showed that the private key for the certificate was lost. The private key size no longer appeared in the TSS LIST output, which indicates that no private key is associated with the certificate.

Resolution

When adding the signed certificate back to the Top Secret Security File, it must be added to the original owning acid under a new DIGICERT name:

   TSS ADD(original_owning_acid) DIGICERT(new_digicertname) DCDSN(signed.certificate.datasetname) TRUST

When TSS GENREQ is used to generate a certificate on the Top Secret Security File to be signed by a 3rd party Certificate Authority, the private key and public key are separated.

The private key of the certificate remains on the Top Secret Security File.

The public key is written to a dataset and needs to be sent to the 3rd Party Certificate Authority to be signed.

Once the certificate is signed and returned to you, it must be added back to the original owner of the certificate so that the private key and the public key will get re-united.

If the certificate is added back to a different acid, the private key cannot be re-united with the public key.

The private key can also be lost if you delete the original certificate. The original certificate must not be deleted until the newly signed certificate has been successfully added back to the Top Secret Security File.

Once the signed certificate has been added back to the Top Secret Security File successfully, the original unsigned certificate can be deleted.
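The complete sequence described above, as an added worked example that is not part of the original article. The acid WEBSRV, the DIGICERT names WEBCERT and WEBSIGND, and the dataset names are constructed for illustration; it assumes the certificate WEBCERT with its key pair already exists on the Security File, since TSS GENREQ builds the request from an existing certificate. Lines beginning with an asterisk are annotations, not TSS syntax.

```text
* Constructed example: acid WEBSRV owns certificate WEBCERT, whose key pair
* lives on the Top Secret Security File.

* 1. Generate the CSR from the existing certificate. The private key stays
*    with WEBSRV; only the request (public key) is written to the dataset.
TSS GENREQ(WEBSRV) DIGICERT(WEBCERT) DCDSN(WEBSRV.WEBCERT.CSR)

* 2. Send WEBSRV.WEBCERT.CSR to the 3rd party Certificate Authority.
*    Store the signed certificate it returns in WEBSRV.WEBCERT.SIGNED.

* 3. Add the signed certificate back to the SAME owning acid (WEBSRV)
*    under a NEW DIGICERT name so it is re-united with the private key.
*    Adding it to any other acid leaves the private key behind.
TSS ADD(WEBSRV) DIGICERT(WEBSIGND) DCDSN(WEBSRV.WEBCERT.SIGNED) TRUST

* 4. Verify BEFORE deleting anything: the LIST output for the new name
*    must show a private key size. If it does not, the private key was
*    not re-united and the original certificate must be kept.
TSS LIST(WEBSRV) DIGICERT(WEBSIGND)

* 5. Only after step 4 confirms the private key, remove the original
*    unsigned certificate.
TSS REMOVE(WEBSRV) DIGICERT(WEBCERT)
```

The order of steps 4 and 5 is the point of the article: the TSS LIST check is the only way to confirm that the private key survived the add, and the original certificate is the only remaining copy of that key until it does.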