This document outlines the steps required to replace an old certificate in ACF2 with a completely new certificate and certificate signing chain while keeping the same record name and label for the new certificate. The new certificate was not created with GENCERT and GENREQ within ACF2; it was generated by a third party. Note that this process differs from the standard ACF2 certificate renewal process. Renewal processes for certificates generated within ACF2 are documented here: Renew Digital Certificates
Example:
SITECERT.DEVTEST is expiring soon. A new certificate in a PKCS12 package containing a new signing chain (root and possibly intermediate CERTAUTH certificates) needs to be inserted into the ACF2 database. The PKCS12 package is saved in dataset member PKCS12.SITECERT.NEWCERT. The KEYRING that SITECERT.DEVTEST is connected to is called TESTRING.
Running the CHKCERT command against both SITECERT.DEVTEST and PKCS12.SITECERT.NEWCERT shows that the serial numbers and issuer information are different. PKCS12.SITECERT.NEWCERT also contains a private key and can therefore be used as a personal/sitecert certificate.
Release : 16.0
Component : ACF2 for z/OS
It is recommended to perform each step in ACFBATCH so that the output can be reviewed later as needed: