Losing the private key after getting the certificate back from a Certificate Signing Request signed by a 3rd party Certificate Authority.

Article ID: 17619

Products

CA Cleanup CA Datacom - DB CA Datacom CA Datacom - AD CA Datacom - Server CA CIS CA Common Services for z/OS CA 90s Services CA Database Management Solutions for DB2 for z/OS CA Common Product Services Component CA Common Services CA Datacom/AD CA ecoMeter Server Component FOC CA Easytrieve Report Generator for Common Services CA Infocai Maintenance CA IPC Unicenter CA-JCLCheck Common Component CA Mainframe VM Product Manager CA Chorus Software Manager CA On Demand Portal CA Service Desk Manager - Unified Self Service CA PAM Client for Linux for zSeries CA Mainframe Connector for Linux on System z CA Graphical Management Interface CA Web Administrator for Top Secret CA CA- Xpertware CA Top Secret CA Top Secret - LDAP CA Top Secret - VSE

Issue/Introduction

Description:

A certificate signing request was generated with the TSS GENREQ command so that the certificate can be signed by a 3rd party Certificate Authority such as Verisign.

When the signed certificate is returned from the 3rd party Certificate Authority (i.e. Verisign) and added back to the CA Top Secret Security File, a TSS LIST of the certificate shows that the private key is lost: the private key size no longer appears in the TSS LIST display, which indicates that no private key is associated with the certificate.

Solution:

When adding the certificate back to the CA Top Secret Security File, it must be added back to the original owning acid under a new DIGICERT name.


   TSS ADD(original_owning_acid) DIGICERT(new_digicertname) DCDSN(signed.certificate.datasetname) TRUST

When you TSS GENREQ a certificate on the CA Top Secret Security File so that it can be signed by a 3rd party Certificate Authority, the private key and the public key are handled separately.

The private key of the certificate remains on the CA Top Secret Security File, stored with the original certificate.

The certificate signing request, which carries only the public key, is written to a dataset. That dataset is what you send to the 3rd party Certificate Authority to be signed.

Once the certificate is signed and returned to you, it must be added back to the same acid that owns the original certificate, under a new DIGICERT name, so that CA Top Secret can match the signed certificate's public key with the private key it retained.

If the signed certificate is added back to a different acid, CA Top Secret has no private key to pair with its public key: the certificate is stored without a private key, and TSS LIST will show no private key size for it.

The private key can also be lost if you delete the original certificate, because the private key is stored with it. The original certificate must not be deleted until the newly signed certificate has been successfully added back to the CA Top Secret Security File and TSS LIST of the new DIGICERT shows its private key size.

Once the signed certificate has been added back to the CA Top Secret Security File successfully, the original unsigned certificate can be deleted.
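The following is an added example, not part of this article and not code from CA Top Secret. It shows a pre-flight check you can run off the mainframe on the downloaded files before transferring the returned certificate to the DCDSN dataset and running the TSS ADD above: confirm that the certificate the CA returned carries the same public key as the CSR that GENREQ wrote, and therefore corresponds to the private key still held in the security file. It goes slightly beyond the article by also showing the check catching a certificate issued for a different key pair. It assumes openssl is on PATH; the key pair, CSR, throwaway CA and both certificates are constructed inside the script as sample input and stand in for the real artifacts.

```shell
#!/bin/sh
# Added example, not part of the original article or of CA Top Secret itself.
# Pre-flight check run off the mainframe on the downloaded files: confirm the
# certificate the CA returned carries the same public key as the CSR that
# GENREQ wrote, and therefore matches the private key still in the security
# file. Only then transfer it to the DCDSN dataset and TSS ADD it.
# Assumes openssl on PATH. All files below are constructed sample input.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Stand-in for the key pair GENCERT created and the security file retains.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/retained.key" 2>/dev/null
# Stand-in for the dataset GENREQ writes: a CSR carrying only the public key.
openssl req -new -key "$WORK/retained.key" \
    -subj "/CN=example.host/O=Example" -out "$WORK/request.csr" 2>/dev/null

# Stand-in for the 3rd party CA: a throwaway self-signed CA that signs the CSR.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Throwaway CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
openssl x509 -req -days 1 -set_serial 1 -in "$WORK/request.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -out "$WORK/signed.crt" 2>/dev/null

# A certificate with the same subject but issued for a different key pair,
# i.e. what you would get back if the CA processed someone else's CSR.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/other.key" 2>/dev/null
openssl req -new -key "$WORK/other.key" \
    -subj "/CN=example.host/O=Example" -out "$WORK/other.csr" 2>/dev/null
openssl x509 -req -days 1 -set_serial 2 -in "$WORK/other.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -out "$WORK/wrong.crt" 2>/dev/null

# SHA-256 of the DER-encoded SubjectPublicKeyInfo read from stdin, so the
# comparison is on the key bytes themselves rather than on PEM text layout.
spki_fingerprint() {
    openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}
csr_pubkey_fp()  { openssl req  -in "$1" -pubkey -noout | spki_fingerprint; }
cert_pubkey_fp() { openssl x509 -in "$1" -pubkey -noout | spki_fingerprint; }
key_pubkey_fp()  { openssl pkey -in "$1" -pubout          | spki_fingerprint; }

# cert_matches_request CERT CSR KEY
# Returns 0 when the certificate, the CSR and the retained private key all
# share one public key; returns 1 when any of them differs.
cert_matches_request() {
    c=$(cert_pubkey_fp "$1"); r=$(csr_pubkey_fp "$2"); k=$(key_pubkey_fp "$3")
    [ -n "$c" ] && [ "$c" = "$r" ] && [ "$c" = "$k" ]
}

for crt in signed.crt wrong.crt; do
    if cert_matches_request "$WORK/$crt" "$WORK/request.csr" "$WORK/retained.key"; then
        echo "$crt: public key matches CSR and retained private key; safe to TSS ADD"
    else
        echo "$crt: public key does NOT match; adding it would leave a certificate with no private key"
    fi
done
```

The check is deliberately done on the DER SubjectPublicKeyInfo rather than on the PEM text, so line wrapping or header differences between the CA's download and your local copy do not cause false mismatches. On the mainframe side, the equivalent confirmation remains the one the article describes: after the TSS ADD to the original owning acid, TSS LIST of the new DIGICERT must show the private key size.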

Environment

Release:
Component: AWAGNT