Replacing an expired or expiring certificate with a totally new signed 3rd party certificate authority in Top Secret
Article ID: 234977

Products

Top Secret

Issue/Introduction

Replacing an expired digital certificate signed by a 3rd party certificate authority with a totally new digital certificate that has a different public and private key.

The new certificate then needs to be added to the required keyrings.

Environment

Release : 16.0

Resolution

1. Create a new certificate.

TSS GENCERT(CERTSITE or owning_acid) SUBJECTN('CN="PROD Certificate"') DIGICERT(UNSIGNED)

2. Create a CSR (Certificate Signing Request) and place it in a dataset.

TSS GENREQ(CERTSITE or owning_acid) DIGICERT(UNSIGNED) DCDSN(datasetname)

UNSIGNED is the new unsigned certificate that will be sent out to be signed.

Top Secret will allocate the dataset, so it must not previously exist. The user issuing the command must be authorized for the dataset name.

3. Upload the dataset to the 3rd party Certificate Authority to be signed.

4. Back up the expiring/expired certificate to a dataset and TSS LIST the certificate for archival purposes.

TSS LIST(CERTSITE or owning_acid) DIGICERT(expired_certificate)

TSS EXPORT(CERTSITE or owning_acid) DIGICERT(expired_certificate) DCDSN(datasetname) FORMAT(PKCS12B64) PKCSPASS(password)

Top Secret will allocate the dataset so it must not previously exist.

The user issuing the command must be authorized for the dataset name used.

Keep the password in a safe place; it cannot be recovered if lost.

5. Delete the expired/expiring certificate from the security file permanently.

TSS REMOVE(CERTSITE or owning_acid) DIGICERT(expired_certificate)

Make sure the backup in step 4 executed successfully; otherwise the certificate can never be recovered.

6. Upload the signed certificate package to a dataset that was preallocated with RECFM=VB (variable blocked) and DSORG=PS.

7. Add the signed certificate to the security file.

TSS ADD(CERTSITE or owning_acid) DIGICERT(SIGNED) DCDSN(datasetname) PKCSPASS(password) LABLCERT(certificate_label)

Whatever was used as the owning acid in step 1 must also be used in this step, or the certificate's private key will be lost.

SIGNED is the signed version of the certificate. After this command, an unsigned version called UNSIGNED and a signed version called SIGNED will exist in the security file.

8. Add the new certificate to the keyring.

TSS ADD(user) KEYRING(keyringname) RINGDATA(CERTSITE or owning_acid,SIGNED) USAGE(PERSONAL) DEFAULT

9. Recycle any address spaces that reference keyrings with the new certificate.

Note: This document assumes the keyrings are already defined and the root certificates are already on the keyring, since you are replacing an expired/expiring certificate with a new one.
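A worked run of the whole procedure as two batch jobs, added here as an example and not part of the article. The acid CERTSITE and the labels UNSIGNED/SIGNED come from the steps above; the old label PROD2023, the new label PROD2024, the user HTTPD, the keyring HTTPRING, the CERTADM.* dataset names, LRECL=255 and the use of IKJEFT01 with TSO line continuation are assumptions.

```jcl
//CERTRPL1 JOB (ACCT),'CERT REPLACE 1',CLASS=A,MSGCLASS=X
//*------------------------------------------------------------------
//* Job 1: steps 1, 2, 4 and 5, plus the step 6 preallocation.
//* Assumed values: datasets under CERTADM.*, old label PROD2023.
//*------------------------------------------------------------------
//* Step 6 prerequisite: preallocate the dataset that will receive
//* the signed package. RECFM=VB and DSORG=PS as the article requires;
//* LRECL=255 and the space values are assumptions.
//ALLOC    EXEC PGM=IEFBR14
//SIGNED   DD DSN=CERTADM.PROD.SIGNED.PKG,DISP=(NEW,CATLG),
//            UNIT=SYSDA,SPACE=(TRK,(5,1)),
//            DCB=(RECFM=VB,LRECL=255,BLKSIZE=0,DSORG=PS)
//*
//* Steps 1-2 and 4-5 as TSO commands in batch. Step 3 (send the CSR
//* to the CA) happens off-host after this job ends.
//TSSCMD   EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
 TSS GENCERT(CERTSITE) SUBJECTN('CN="PROD Certificate"') -
     DIGICERT(UNSIGNED)
 TSS GENREQ(CERTSITE) DIGICERT(UNSIGNED) DCDSN(CERTADM.PROD.CSR)
 TSS LIST(CERTSITE) DIGICERT(PROD2023)
 TSS EXPORT(CERTSITE) DIGICERT(PROD2023) -
     DCDSN(CERTADM.PROD.BACKUP.P12) FORMAT(PKCS12B64) -
     PKCSPASS(backup-password-placeholder)
 TSS REMOVE(CERTSITE) DIGICERT(PROD2023)
/*
//CERTRPL2 JOB (ACCT),'CERT REPLACE 2',CLASS=A,MSGCLASS=X
//*------------------------------------------------------------------
//* Job 2: run only after the CA-signed package has been uploaded
//* into CERTADM.PROD.SIGNED.PKG (step 6). Steps 7 and 8, then two
//* LIST commands to confirm the result before recycling the
//* address space (step 9). The owning acid in step 7 is the same
//* CERTSITE used by GENCERT in job 1, so the private key is kept.
//*------------------------------------------------------------------
//ADDCERT  EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
 TSS ADD(CERTSITE) DIGICERT(SIGNED) DCDSN(CERTADM.PROD.SIGNED.PKG) -
     PKCSPASS(package-password-placeholder) LABLCERT(PROD2024)
 TSS ADD(HTTPD) KEYRING(HTTPRING) RINGDATA(CERTSITE,SIGNED) -
     USAGE(PERSONAL) DEFAULT
 TSS LIST(CERTSITE) DIGICERT(SIGNED)
 TSS LIST(HTTPD) KEYRING(HTTPRING)
/*
```

Check the SYSTSPRT output of job 2: the DIGICERT listing should show the new validity dates and the keyring listing should show the SIGNED entry marked as the default personal certificate before anything is recycled.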