
Update keyrings with new certificate.


Article ID: 239841


Updated On:

Products

Top Secret

Issue/Introduction

Need to replace an expired certificate with a new certificate.

Will a:

TSS REPLACE(owning_acid) DIGICERT(digicertname) DCDSN(datasetname)

work, so that they don't have to update all keyrings?

If not, will a TSS ROLLOVER populate the new certificate and update keyrings?

 

Environment

Release : 16.0

Component : Top Secret for z/OS

Resolution

Neither TSS REPLACE nor TSS ROLLOVER can be used to populate the new certificate to the keyring.

Each keyring that needs it has to be updated with the new certificate.

TSS REPLACE is used for renewing certificates that were created by TSS and sent out to a third-party certificate authority to be signed.

When the signed certificate comes back, use the TSS REPLACE command to reconnect the private key with the signed public key under the old DIGICERT name. The DIGICERT name therefore remains the same, and the keyrings don't need to be updated with a new DIGICERT name.

TSS ROLLOVER is used to populate a certificate that was TSS REKEYed. The TSS REKEY has to be done first for the TSS ROLLOVER to work; the two commands work hand in hand, and TSS ROLLOVER cannot be used alone.