Need to replace an expired certificate with a new certificate.

Will a:

TSS REPLACE(owning_acid) DIGICERT(digicertname) DCDSN(datasetname)

work, so they dont have to update all keyring?

If not, will a TSS ROLLOVER populate the new certificate and update keyrings?

Release : 16.0

Component : Top Secret for z/OS

The TSS REPLACE or TSS ROLLOVER cannot be used to populate the new certificate to the keyring.

Each keyring that needs it has to be updated with the new certificate.

TSS REPLACE is used for rewnewing certificates that were created by TSS and sent out to be signed to a 3rd party certificate authority.

When getting it back, use the TSS REPLACE command to reconnect the private key with the signed public key under the old DIGICERT name. So the DIGICERT name remains the same and the keyrings dont need to be updated with a new DIGICERT name.

The TSS ROLLOVER key is used to populate a certificate that was TSS REKEYed. The TSS REKEY has to be done first for the TSS ROLLOVER to work. They work hand in hand. The TSS ROLLOVER cannot be used alone.