This document discusses how to migrate Digital Certificates in Top Secret across systems whose private key is stored in ICSF.

Migrating an ICSF private key from one system to another: Private keys generated by ICSF on behalf of CA Top Secret or stored into ICSF's PKA data set (PKDS) by CA Top Secret are always encrypted and cannot be recovered in clear text. Therefore, certificates with such keys cannot be exported from CA Top Secret in PKCS #12 format. In general, this restricts the ability to migrate certificates and their private keys from one system to another and share them among multiple systems.
However,  a certificate and its ICSF private key can be migrated when both the source and target systems are z/OS systems configured to use ICSF and both share the same ICSF PKA master key. The systems need not share the same CA Top Secret database nor share the same ICSF PKDS.

Use the following steps to generate a new certificate with a private ICSF key on system A (the source system) and replicate the same certificate and key on system B (the target system). In the TSS GENCERT command examples shown, the certificate to be migrated is associated with the user ID SYSMAN and has the CA Top Secret certificate label 'SECURE.KEY'. The ICSF private key has the PKDS key label 'SECURE.KEY' and is generated by the PCI cryptographic coprocessor. On the target system, 'MIGRATED.KEY' will be the value used for the CA Top Secret certificate and PKDS key labels. (Note, they could have the same value as the source system if desired.)

Steps for migrating a certificate and its ICSF private key

Before beginning:

• Both source and target system must be configured to use ICSF and share the same ICSF PKA master key.
   
• A PCI-class cryptographic coprocessor must be operational and configured with the PKDS on both the source and target systems when you specify the PCICC keyword. Otherwise, specify the ICSF keyword.
   
• Minimum target system: OS/390 1.7.
   
• Minimum of CA Top Secret r9.0 + QO84287.
   
• To extract ICSF private keys, you will need a non-CA Top Secret utility, such as KEYXFER. To download the KEYXFER utility, go to the following Web page and follow the instructions:

           Steps for migrating a certificate and its ICSF private key in the PKDS

Perform the following steps to generate a CA Top Secret certificate and its ICSF public/private key pair on system A (the source system), and migrate them to system B (the target system).

1. Generate the certificate and its public/private key pair on system A.
   
   TSS GENCERT(SYSMAN) DIGICERT(SECURKEY) SBUJECTN('CN="Secure Key"') -
   LABLCERT(SECURE.KEY) PCICC KEYSIZE(1024)
    
2. Extract the certificate from CA Top Secret and store it in an MVS data set called 'MY.CERT'. (The ICSF private key is not extracted in this step.)
   
   TSS EXPORT(SYSMAN) DIGICERT(SECURKEY) DCDSN(MY.CERT) -
   FORMAT(CERTDER)
    
3. Extract the encrypted private key from ICSF using a non-CA Top Secret utility, such as KEYXFER.
    
4. Transmit both the key and certificate data sets to system B. This step completes the work required on system A.
    
5. Receive both the key and certificate data sets on system B.
    
6. Add the encrypted private key to ICSF using a non-CA Top Secret utility, such as KEYXFER, specifying the desired PKDS label for for the key on system B, 'MIGRATED.KEY'
    
7. Add the certificate to CA Top Secret giving it the same CA Top Secret and PKDS label value as in step 6, 'MIGRATED.KEY'.
   
   TSS ADD(SYSMAN) DIGICERT(SECURKEY) LABLCERT(MIGRATED.KEY') -
   DCDSN(MY.CERT) PCICC
    
8. List the certificate to verify that CA Top Secret found the private key and assigned it to the certificate.
   
   TSS LIST(SYSMAN) SEGMENT(CERTDATA)
   
   Private Key Type       should be PCICC
   Private Key Size        should be 1024
   PKDS Label              should be MIGRATED.KEY
   
   Now the generated certificate and its ICSF public/private key pair on system A and migrated them to system B. System A and system B can now use the same certificate and key pair.