TSS REKEY and TSS ROLLOVER Knowledge Document Question

Article ID: 197957

Products

CA Top Secret
CA Top Secret - LDAP
CA Web Administrator for Top Secret

Issue/Introduction

Regarding the TSS REKEY and TSS ROLLOVER knowledge document.

Q1: Does this knowledge document apply to Top Secret r16?

Q2: Why are steps 3, 4 and 5 necessary?

Wouldn't it be easier to do the following:

  1. Copy the expired certificate JOECERT1's public key to a dataset.
    TSS GENREQ(CERTSITE) DIGICERT(JOECERT1) DCDSN(JOECERT1.CERT.UNSIGNED)
  2. FTP the certificate to be signed by the third-party Certificate Authority.
  3. Add the certificate back under the certificate name JOECERT1.
    TSS REP(CERTSITE) DIGICERT(JOECERT1) DCDSN(JOECERT1.RECEIVED.FROM.CA) TRUST

Environment

Release : 16.0

Component : CA Top Secret for z/OS

Resolution

Question 1: Answer:
The TSS REKEY and TSS ROLLOVER commands allow you to renew a TSS-generated certificate and then propagate it to all the keyrings. If there are 10,000 keyrings, this saves the effort of updating 10,000 keyrings manually with the renewed certificate. The procedure in the knowledge document, or the TSS ROLLOVER command, will propagate the certificate to all the keyrings.

If running r16, it would be easier to use REKEY/ROLLOVER than the long manual method.


Question 2: Answer:

Both methods are valid ways to renew the certificate.

The following steps would require fewer commands to execute:

  1. Copy the expired certificate JOECERT1's public key to a dataset.
    TSS GENREQ(CERTSITE) DIGICERT(JOECERT1) DCDSN(JOECERT1.CERT.UNSIGNED)
  2. FTP the certificate to be signed by the third-party Certificate Authority.
  3. Add the certificate back under the certificate name JOECERT1.
    TSS REP(CERTSITE) DIGICERT(JOECERT1) DCDSN(JOECERT1.RECEIVED.FROM.CA) TRUST


But in the knowledge document, the TEMP certificate gives you a backup copy of the certificate to fall back to if, for whatever reason, a problem occurs with the TSS REPLACE command.
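The shorter procedure above re-signs the key that JOECERT1 already holds, so what comes back from the CA should be checked before it is loaded with TSS REPLACE: it must carry the same public key and subject as the certificate it replaces, must not itself be expired, and must chain to the expected CA. The following POSIX shell script is an added example, not part of this article and not CA/Broadcom code; it reproduces the GENREQ / sign / REPLACE flow off the mainframe with OpenSSL and runs those checks. The file names, the throw-away test CA and the deliberately "wrong" certificate (same subject, different key) are all constructed for the demonstration, and no TSS commands are executed.

```shell
#!/bin/sh
# Added example, not part of the knowledge article: a stand-alone OpenSSL
# simulation of "GENREQ the existing key -> CA signs it -> REPLACE", plus the
# checks to run on the CA's reply before it is loaded with TSS REPLACE.
# Every file name and the test CA are constructed for this demo.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Stand-in for the existing JOECERT1 certificate and its private key
# (the key TSS already holds under the CERTSITE acid in the article).
make_old_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=JOECERT1" -days 1 \
    -keyout "$WORK/joecert1.key" -out "$WORK/joecert1.old.pem" 2>/dev/null
}

# Counterpart of TSS GENREQ ... DCDSN(...): a PKCS#10 request built from the
# SAME key, so the renewed certificate keeps the key already in the keyrings.
make_request() {
  openssl req -new -key "$WORK/joecert1.key" -subj "/CN=JOECERT1" \
    -out "$WORK/joecert1.csr" 2>/dev/null
}

# Stand-in for the third-party CA: a constructed test CA signs the request.
ca_sign() {
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Constructed Test CA" \
    -days 2 -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  openssl x509 -req -in "$WORK/joecert1.csr" -CA "$WORK/ca.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 2 \
    -out "$WORK/joecert1.new.pem" 2>/dev/null
}

# SHA-256 over the PEM public key of a certificate, used to compare keys.
pubkey_fingerprint() {
  openssl x509 -noout -pubkey -in "$1" | openssl dgst -sha256 | awk '{print $NF}'
}

# Pre-REPLACE checks on the certificate the CA returned ($2) against the
# certificate it is meant to replace ($1), trusting the CA bundle $3.
# Prints OK, MISMATCH, EXPIRED or UNTRUSTED.
check_renewal() {
  if [ "$(pubkey_fingerprint "$1")" != "$(pubkey_fingerprint "$2")" ]; then
    echo "MISMATCH"; return 0          # CA returned a cert for a different key
  fi
  if [ "$(openssl x509 -noout -subject -in "$1")" != \
       "$(openssl x509 -noout -subject -in "$2")" ]; then
    echo "MISMATCH"; return 0          # subject changed on the way
  fi
  if ! openssl x509 -noout -checkend 0 -in "$2" >/dev/null; then
    echo "EXPIRED"; return 0           # not a renewal at all
  fi
  if ! openssl verify -CAfile "$3" "$2" >/dev/null 2>&1; then
    echo "UNTRUSTED"; return 0         # does not chain to the expected CA
  fi
  echo "OK"
}

# Runs the flow once and also feeds the check a certificate for the wrong key
# (same subject, freshly generated key) to show the failure it catches.
run_demo() {
  make_old_cert
  make_request
  ca_sign
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=JOECERT1" -days 2 \
    -keyout "$WORK/other.key" -out "$WORK/joecert1.wrong.pem" 2>/dev/null
  good="$(check_renewal "$WORK/joecert1.old.pem" "$WORK/joecert1.new.pem" "$WORK/ca.pem")"
  bad="$(check_renewal "$WORK/joecert1.old.pem" "$WORK/joecert1.wrong.pem" "$WORK/ca.pem")"
  echo "$good $bad"
}

run_demo
```

Running the script prints `OK MISMATCH`: the properly re-signed certificate passes, while a certificate for a different key is rejected even though its subject is identical. On z/OS the same comparison can be made on the dataset received from the CA before issuing TSS REPLACE, which is the point at which the knowledge document's TEMP copy exists as the fallback.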