Regarding the TSS REKEY and ROLLOVER knowledge document.

Q1: Does this knowledge document apply Top Secret r16 ?

Q2: Why are steps 3,4,5 - necessary?  

Wouldn't it be easier to do the following:

1. Copy the expired certificate JOECERT1's public key to a dataset.
   TSS GENREQ(CERTSITE) DIGICERT(JOECERT1) DCDSN(JOECERT1.CERT. UNSIGNED)
2. FTP the certificate to be signed by the third party Certificate Authority.
3. Add the certificate back under the certificate name JOECERT1.
   TSS REP(CERTSITE) DIGICERT(JOECERT1) DCDSN(JOECERT1.RECEIVED.FROM.CA) TRUST

Release : 16.0

Component : CA Top Secret for z/OS

Question 1: Answer:
The TSS REKEY and TSS ROLLOVER allows you to renew a TSS generated certificate and then propagate it to all the keyrings. If there are 10,000 keyrings, it saves the effort of updating 10,000 keyrings manually with the renewed certificate. The knowledge document or the TSS ROLLOVER will propagate the certificate to all they keyrings.

If running r16, it would be easier to use REKEY/ROLLOVER then using the long manual method.


Question 2: Answer:

Both methods are valid to renew the certificate.

The following steps would be less commands to execute:

1. Copy the expired certificate JOECERT1's public key to a dataset.
   TSS GENREQ(CERTSITE) DIGICERT(JOECERT1) DCDSN(JOECERT1.CERT. UNSIGNED)
2. FTP the certificate to be signed by the third party Certificate Authority.
3. Add the certificate back under the certificate name JOECERT1.
   TSS REP(CERTSITE) DIGICERT(JOECERT1) DCDSN(JOECERT1.RECEIVED.FROM.CA) TRUST

But in the knowledge document, the TEMP certificate allows to have a backup of the certificate to fall back to if there is a problem that occurs with the TSS REPLACE command for whatever reason.