Replace an expiring certificate in ACF2 with a completely new certificate that was generated outside of ACF2
Article ID: 248279

Products

ACF2 - z/OS ACF2 ACF2 - MISC

Issue/Introduction

This document outlines the steps required to replace an old certificate in ACF2 with a completely new certificate and its signing chain while keeping the same record name and label for the new certificate. The new certificate was not created with GENCERT and GENREQ within ACF2; it was generated by a third party. Note that this process differs from the standard ACF2 certificate renewal process. Renewal of certificates generated within ACF2 is documented here: Renew Digital Certificates

Example:

SITECERT.DEVTEST is expiring soon. A new certificate in a PKCS12 package, together with a new signing chain (a root and possibly intermediate CERTAUTH certificates), needs to be inserted into the ACF2 database. The PKCS12 package is saved in dataset member PKCS12.SITECERT.NEWCERT. The KEYRING that SITECERT.DEVTEST is connected to is called TESTRING.

A CHKCERT command against both SITECERT.DEVTEST and PKCS12.SITECERT.NEWCERT shows that their serial numbers and issuer information differ. PKCS12.SITECERT.NEWCERT also contains a private key and can therefore be used as a personal (SITECERT) certificate.

Environment

Release : 16.0

Component : ACF2 for z/OS

Resolution

It is recommended to perform each step in ACFBATCH so the output is kept and can be reviewed later as needed:

  1. Save the old certificate to a dataset first, in case it has to be restored. Do not proceed with the other steps until this has completed successfully. Take note of the CERTAUTH certificate names that are exported along with it.

    EXPORT SITECERT.DEVTEST DSN('your.dsnname.here') FORMAT(PKCS12DER) PASSWORD(password)

  2. List the keyring for a reference of what it looked like before any changes are made.

    SET P(USER) DIV(KEYRING)
    LIST TESTRING

  3. Delete SITECERT.DEVTEST

    SET P(USER) DIV(CERTDATA)
    DEL SITECERT.DEVTEST

  4. Insert the new certificate. Make note of whether the CERTAUTH certificates are also inserted. They may already exist on the system; otherwise they are inserted under names of the form CERTAUTH.AUTOxxx. The CHKCERT CHAIN command at the end verifies that the signing certificates exist and shows what their record names are. Things to check in its output are a "Chain is complete" message at the bottom and that the new serial number and expiration date appear in the CHKCERT output.

    SET P(USER) DIV(CERTDATA)
    INSERT SITECERT.DEVTEST DSN('PKCS12.SITECERT.NEWCERT') LABEL(SITECERT.DEVTEST) -
    PASSWORD(yourpassword) TRUST
    CHKCERT SITECERT.DEVTEST CHAIN

  5. Connect the new certificate and signing certificate(s) to the keyring and issue the appropriate rebuild commands. Replace the placeholder parameters (signing intermediate cert record, signing root cert record) with the record names of your signing certificate(s) as shown by CHKCERT CHAIN in step 4.

    SET P(USER) DIV(KEYRING)
    CONNECT CERTDATA(SITECERT.DEVTEST) KEYRING(TESTRING) -
    USAGE(PERSONAL) DEFAULT
    CONNECT CERTDATA(signing intermediate cert record) KEYRING(TESTRING) -
    USAGE(CERTAUTH)
    CONNECT CERTDATA(signing root cert record) KEYRING(TESTRING) -
    USAGE(CERTAUTH)
    F ACF2,REBUILD(USR),CLASS(P)
    F ACF2,OMVS
    LIST TESTRING

    Note: some cleanup can be done on the keyring to remove the old CERTAUTH certificates if they are no longer used. The old personal certificate should have been removed from the keyring automatically when it was deleted in step 3. The command for removal is:

    REMOVE CERTDATA(old signing cert record) KEYRING(TESTRING)

  6. Administration on the ACF2 side is complete. The SSL environment of the product using the keyring may need to be refreshed on the product side to pick up the updated keyring and certificate.
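The three properties the article checks with CHKCERT before and during step 4 (the package carries a private key, its serial number and issuer differ from the expiring certificate, and the signing chain it carries is complete) can also be checked offline before the package is sent to the mainframe. The script below is an added OpenSSL example, not part of the article or of ACF2; the subject names, the password and the throwaway chain are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the article: offline pre-flight check of a replacement PKCS12
# package, mirroring what CHKCERT / CHKCERT CHAIN are used for before the INSERT.
# All certificates are constructed locally with OpenSSL; nothing here is real.
set -eu
WORK=$(mktemp -d)
PASS=pass:changeit                    # stands in for PASSWORD(yourpassword)
printf 'basicConstraints=critical,CA:TRUE\n' > "$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\n'         > "$WORK/leaf.ext"

# make_cert <name> <subject> <issuer-name|self> <extfile>: throwaway key and certificate.
make_cert() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
      -out "$WORK/$1.csr" -subj "$2" >/dev/null 2>&1
  if [ "$3" = self ]; then
    openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 30 \
        -extfile "$4" -out "$WORK/$1.crt" >/dev/null 2>&1
  else
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$3.crt" -CAkey "$WORK/$3.key" \
        -CAcreateserial -days 30 -extfile "$4" -out "$WORK/$1.crt" >/dev/null 2>&1
  fi
}
make_cert oldroot "/CN=Old Root CA"         self    "$WORK/ca.ext"
make_cert old     "/CN=SITECERT.DEVTEST"    oldroot "$WORK/leaf.ext"   # expiring certificate
make_cert newroot "/CN=New Root CA"         self    "$WORK/ca.ext"
make_cert newint  "/CN=New Intermediate CA" newroot "$WORK/ca.ext"
make_cert new     "/CN=SITECERT.DEVTEST"    newint  "$WORK/leaf.ext"   # replacement

# Package the replacement the way a third party hands it over: leaf, private key and chain.
cat "$WORK/newint.crt" "$WORK/newroot.crt" > "$WORK/chain.pem"
openssl pkcs12 -export -in "$WORK/new.crt" -inkey "$WORK/new.key" \
    -certfile "$WORK/chain.pem" -passout "$PASS" -out "$WORK/newcert.p12"

# cert_facts <pem>: the two fields the article compares between old and new with CHKCERT.
cert_facts() { openssl x509 -in "$1" -noout -serial -issuer | tr '\n' ' '; }

# p12_preflight <p12> <old-leaf-pem>: prints OK when all checks pass, else the failed check.
p12_preflight() {
  openssl pkcs12 -in "$1" -passin "$PASS" -nokeys -clcerts -out "$WORK/p12leaf.pem" 2>/dev/null
  openssl pkcs12 -in "$1" -passin "$PASS" -nokeys -cacerts -out "$WORK/p12chain.pem" 2>/dev/null
  openssl pkcs12 -in "$1" -passin "$PASS" -nocerts -nodes 2>/dev/null | grep -q 'PRIVATE KEY' \
      || { echo "no private key: not usable as a personal certificate"; return 1; }
  [ "$(cert_facts "$WORK/p12leaf.pem")" != "$(cert_facts "$2")" ] \
      || { echo "same serial number and issuer as the old certificate"; return 1; }
  # like CHKCERT CHAIN: only the CA certificates carried inside the package may complete the chain
  openssl verify -no-CAfile -no-CApath -CAfile "$WORK/p12chain.pem" "$WORK/p12leaf.pem" \
      >/dev/null 2>&1 || { echo "chain is incomplete"; return 1; }
  echo OK
}
p12_preflight "$WORK/newcert.p12" "$WORK/old.crt"    # prints OK
```

A package that passes all three checks is what step 4 expects; a package that fails the chain check would leave CHKCERT CHAIN without its "Chain is complete" line unless the missing CERTAUTH certificates already exist in ACF2.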