Can there be multiple CERTAUTH certificates with the same SUBJDN in ACF2? If a CERTAUTH certificate is about to expire, can a new CERTAUTH certificate have the same recid and SUBJDN as the old certificate?
The recid, LABEL, and SERIAL number of the new CERTAUTH certificate must be different from those of the old certificate in order to insert a new certificate with the same SUBJ name.
If these requirements are not met, one of the following errors will occur:
ACF00176 Duplicate certificate detected
ACF0A041 The certificate label is a duplicate of existing certificate record
To keep the recid the same, a site may choose one of the following procedures to replace a CERTAUTH certificate. The procedure differs depending on whether the site is its own Certificate Authority or uses a third-party Certificate Authority (such as DigiCert or VeriSign).
If the private key of the CERTAUTH certificate (internal/local CA) that signed the certificate to be renewed is known by the system:
- Issue the RENEW command and specify the new EXPIRE date.
RENEW CERTAUTH.TEST EXPIRE(4/11/2036)
If the private key is not known by the system (for example, certificates issued from a separate LPAR or by a third-party CA):
1. EXPORT the old certificate to a dataset
EXPORT CERTAUTH.TEST DS(datasetname)
2. DELete the old certificate
DEL CERTAUTH.TEST
3. Insert the new certificate from the dataset where the new signed CERTAUTH certificate is located
INSERT CERTAUTH.TEST DS(datasetname)
4. Connect the new certificate to the appropriate keyring
SET P(USER) DIV(KEYRING)
CONNECT CERTDATA(CERTAUTH.TEST) KEYRING(TEST.KEYRING) USAGE(CERTAUTH)
5. Issue a CHKCERT command to verify the certificate information is correct and that it is connected to the keyring
CHKCERT CERTAUTH.TEST