Replacing an Expiring Certificate Signed by a Local CA

Article ID: 18142

Products

CA Cleanup CA Datacom - DB CA Datacom CA Datacom - AD CA Datacom - Server CA CIS CA Common Services for z/OS CA 90s Services CA Database Management Solutions for DB2 for z/OS CA Common Product Services Component CA Common Services CA Datacom/AD CA ecoMeter Server Component FOC CA Easytrieve Report Generator for Common Services CA Infocai Maintenance CA IPC Unicenter CA-JCLCheck Common Component CA Mainframe VM Product Manager CA Chorus Software Manager CA On Demand Portal CA Service Desk Manager - Unified Self Service CA PAM Client for Linux for zSeries CA Mainframe Connector for Linux on System z CA Graphical Management Interface CA Web Administrator for Top Secret CA CA- Xpertware CA Top Secret CA Top Secret - LDAP CA Top Secret - VSE

Issue/Introduction

Description:

The steps to take to extend the dates on a certificate vary depending on where the certificate was generated and how it was signed.

If the certificate was generated on site and signed by a local CA, meaning a CA certificate that was also generated on site, then the following steps can be taken to extend the date.

Solution:

**Step one ensures that, if any mistakes are made, the original certificate can be obtained and put back into place.**

  1. Back up the certificate about to expire.

    TSS EXPORT(usera) DIGICERT(SERVER) DCDSN(usera.SERVER.P12)
    PKCSPASS(password) FORMAT(PKCS12DER)

  2. GENREQ the certificate to a dataset.

    TSS GENREQ(usera) DIGICERT(SERVER) DCDSN(usera.SERVER.P10)

  3. Generate a new temporary certificate with a new NADATE and sign it with the expiring certificate.

    TSS GENCERT(usera) DIGICERT(TEMP) DCDSN(usera.SERVER.P10) NADATE(02/01/24)
    SIGNWITH(usera,SERVER)

  4. Export the certificate to a dataset:

    TSS EXPORT(usera) DIGICERT(TEMP) DCDSN(usera.TEMP.DER) FORMAT(CERTDER)

  5. Remove the temporary certificate.

    TSS REMOVE(usera) DIGICERT(TEMP)

  6. Replace the expiring certificate with the new certificate that has a new expiration date.

    TSS REP(usera) DIGICERT(SERVER) DCDSN(usera.TEMP.DER) TRUST

  7. Recycle any address space(s) that reference a keyring with the new certificate.
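A check worth running before step 6, as an added example that is not part of the original article: because the request in step 2 is generated from the existing certificate, the renewed certificate should keep the same subject and public key and differ only in its validity dates. The script assumes OpenSSL on a workstation and that the expiring certificate has also been exported in CERTDER format and copied off-host in binary; the file names, the 60-day threshold and the sample certificates are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article): check a renewed certificate
# before it replaces the original in step 6.

subject_of() {
    openssl x509 -inform DER -in "$1" -noout -subject -nameopt RFC2253
}

pubkey_hash() {  # SHA-256 over the PEM-encoded public key
    openssl x509 -inform DER -in "$1" -noout -pubkey | openssl dgst -sha256
}

# check_renewal OLD.der NEW.der MIN_DAYS
# Returns 0 only if NEW keeps OLD's subject and key pair and is still
# valid MIN_DAYS from now; 1 on a failed check, 2 on an unreadable file.
check_renewal() {
    old=$1 new=$2 min_days=$3
    for f in "$old" "$new"; do
        openssl x509 -inform DER -in "$f" -noout 2>/dev/null ||
            { echo "FAIL: $f is not a DER certificate"; return 2; }
    done
    [ "$(subject_of "$old")" = "$(subject_of "$new")" ] ||
        { echo "FAIL: subject changed"; return 1; }
    [ "$(pubkey_hash "$old")" = "$(pubkey_hash "$new")" ] ||
        { echo "FAIL: public key changed"; return 1; }
    openssl x509 -inform DER -in "$new" -noout \
        -checkend $((min_days * 86400)) >/dev/null ||
        { echo "FAIL: expires within $min_days days"; return 1; }
    echo "OK: same subject and key, valid beyond $min_days days"
}

# Constructed sample data (hypothetical, stands in for the exported
# datasets): a 30-day "SERVER" certificate, a 400-day renewal over the
# same key, and a 400-day certificate over a different key.
make_samples() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=SERVER" -days 30 \
        -keyout "$d/key.pem" -outform DER -out "$d/old.der" 2>/dev/null &&
    openssl req -x509 -new -key "$d/key.pem" -subj "/CN=SERVER" -days 400 \
        -outform DER -out "$d/new.der" 2>/dev/null &&
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=SERVER" -days 400 \
        -keyout "$d/other.pem" -outform DER -out "$d/rekeyed.der" 2>/dev/null
}

tmp=$(mktemp -d) && make_samples "$tmp" &&
    check_renewal "$tmp/old.der" "$tmp/new.der" 60
```

A "public key changed" result means the file about to be used in step 6 was not built from the request taken in step 2, and the backup from step 1 should stay in place until that is explained.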

Environment

Release: TOPSEC00200-15-Top Secret-Security
Component: