Same SUBJDN in multiple CERTAUTH certificates in ACF2
Article ID: 205558

Products: ACF2, ACF2 - z/OS, ACF2 - MISC

Issue/Introduction

Can there be multiple CERTAUTH certificates with the same SUBJDN in ACF2? If a CERTAUTH certificate is about to expire, can a new CERTAUTH certificate have the same recid and SUBJDN as the old certificate?

Resolution

To insert a new CERTAUTH certificate with the same SUBJDN as an existing one, the recid, LABEL, and SERIAL number of the new certificate must all be different from those of the old certificate.

If these requirements are not met, one of the following errors will occur:
ACF00176 Duplicate certificate detected
ACF0A041 The certificate label is a duplicate of existing certificate record

To keep the recid the same, a site may use one of the following procedures to replace a CERTAUTH certificate. The procedure differs depending on whether the site is its own Certificate Authority or uses a 3rd party Certificate Authority (such as DigiCert or VeriSign).

If the private key of the CERTAUTH certificate (internal/local CA) that signed the certificate being renewed is known to the system:

- Issue the RENEW command and specify the new EXPIRE date.

RENEW CERTAUTH.TEST EXPIRE(4/11/2036)

If the private key is not known to the system (for example, certificates issued from a separate LPAR or by a 3rd party CA):

1. EXPORT the old certificate to a dataset

EXPORT CERTAUTH.TEST DS(datasetname)

2. DELete the old certificate

DEL CERTAUTH.TEST

3. Insert the new certificate from the dataset where the new signed CERTAUTH certificate is located

INSERT CERTAUTH.TEST DS(datasetname)

4. Connect the new certificate to the appropriate keyring

SET P(USER) DIV(KEYRING)

CONNECT CERTDATA(CERTAUTH.TEST) KEYRING(TEST.KEYRING) USAGE(CERTAUTH)

5. Issue a CHKCERT command to verify the certificate information is correct and that it is connected to the keyring

CHKCERT CERTAUTH.TEST
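The five-step replacement above, run as a single TSO batch job so that the export, delete, insert, connect and verify steps are recorded in one job log. This is an added example and not part of the article; the job card, the SET to the CERTDATA division, the HLQ.* dataset names and the CHKCERT DSNAME check on the new certificate before the old one is deleted are assumptions, not commands quoted from the article.

```jcl
//RENEWCA  JOB (ACCT),'REPLACE CERTAUTH',CLASS=A,MSGCLASS=X
//*
//* Replace CERTAUTH.TEST with a newly signed CERTAUTH certificate
//* while keeping the same recid (private key not known to this LPAR).
//* HLQ.OLD.CERTAUTH and HLQ.NEW.CERTAUTH are placeholder datasets:
//*   HLQ.OLD.CERTAUTH receives the export of the expiring certificate
//*   HLQ.NEW.CERTAUTH already holds the new signed certificate
//*
//* Order of the SYSTSIN commands:
//*   1. CHKCERT DSNAME  - assumed form; displays the new certificate in
//*                        the dataset so SUBJDN/SERIAL/EXPIRE can be
//*                        checked before anything is deleted
//*   2. EXPORT          - keep a copy of the old certificate
//*   3. DEL             - remove the old record so the recid is free
//*   4. INSERT          - insert the new certificate under the same recid
//*   5. SET/CONNECT     - connect it to the keyring with USAGE(CERTAUTH)
//*   6. CHKCERT         - verify the inserted record and keyring connection
//*
//STEP1    EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
 ACF
 SET PROFILE(USER) DIV(CERTDATA)
 CHKCERT DSNAME('HLQ.NEW.CERTAUTH')
 EXPORT CERTAUTH.TEST DS('HLQ.OLD.CERTAUTH')
 DEL CERTAUTH.TEST
 INSERT CERTAUTH.TEST DS('HLQ.NEW.CERTAUTH')
 SET PROFILE(USER) DIV(KEYRING)
 CONNECT CERTDATA(CERTAUTH.TEST) KEYRING(TEST.KEYRING) USAGE(CERTAUTH)
 SET PROFILE(USER) DIV(CERTDATA)
 CHKCERT CERTAUTH.TEST
 END
/*
```

Review the SYSTSPRT output of the first CHKCERT before letting the job proceed in production; if the new certificate's SERIAL or LABEL matches the old record, the INSERT will fail with ACF00176 or ACF0A041 after the old record has already been deleted.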