Replace an Expiring Digital Certificate Signed By a Third Party
Article ID: 25832

Products

Top Secret Top Secret - LDAP

Issue/Introduction

The process to replace or renew an expiring certificate on Top Secret differs slightly depending on whether the certificate is self-signed, signed by a local Certificate Authority, or signed by a third-party Certificate Authority like Verisign or Geotrust.

The following process documents the replacement of an expiring site certificate, (also referred to as a user or personal certificate), that has been signed by a third-party Certificate Authority.

These expiring certificates have to be sent to the certifying Certificate Authority, (the CA that signed the certificate), to be renewed. In this process, the original public/private key pair is retained.

Environment


Resolution

Steps to replace an expiring site certificate signed by a third-party Certificate Authority while keeping the same public/private key pair.
**This has to be done before the certificate expires.**

  1. Issue a TSS LIST(acid) DIGICERT(certificate) for the certificate that will be renewed and save the output, so there is a record of the starting values.

  2. TSS EXPORT the user certificate to save it to a dataset, in case a backout is needed. If the private key is non-ICSF, use PKCS#12 format to save the certificate and its public/private key pair.

    TSS EXPORT(acid) DIGICERT(expiringdigicert) DCDSN(expiring.digicert.backup.dataset) -
    FORMAT(PKCS12DER) PKCSPASS(password)

  3. If the private key is ICSF, consider using the IBM freeware utility called KEYXFER to back up the private key, in conjunction with a non-PKCS#12 format (CERTDER) to back up the certificate and public key.

    Issue TSS CHKCERT DCDSN(expiring.digicert.backup.dataset) and make sure that the certificate has exported properly. If the certificate has a private key, confirm that the CHKCERT output shows it.

  4. Issue a TSS GENREQ for the expiring digital certificate to write it to a dataset, which will contain the subject distinguished name and the public key. The private key remains with the original version of the certificate in Top Secret; it is paired with the renewed certificate again when you TSS REPLACE the certificate (step 7). You never send your private key.

    TSS GENREQ(acid) DIGICERT(expiringdigicert) DCDSN(expiring.digicert.public.key.dataset)

  5. Send the dataset to the Certificate Authority to be renewed.

  6. When the signed certificate dataset is returned from the Certificate Authority, issue a TSS CHKCERT to verify that the certificate is valid. Verify that the expiration date has been extended and compare the output to the initial TSS LIST(acid)
    SEGMENT(CERTDATA) output saved in step 1. The returned certificate will not contain a private key.

    TSS CHKCERT DCDSN(dataset)

  7. TSS REPLACE the renewed certificate from the dataset, replacing the existing certificate with any updated information.

    TSS REPLACE(acid) DIGICERT(digicert) LABLCERT(certificatelabelname)
    DCDSN(dataset)  

  8. Issue a TSS LIST(acid) DIGICERT(certificate) and verify that the replacement certificate matches the original TSS LIST(acid) DIGICERT(certificate) output saved in step 1,
    except that the expiration date has been extended (and most likely the serial number has changed).
    There should be a private key: if the TSS LIST output shows a PRIVATE KEY SIZE, the certificate has a private key.
    It should have TRUST status.

  9. Recycle any address spaces that reference keyrings containing the new certificate, so they pick up the renewed certificate.
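An off-host check that complements steps 6 and 8, added here as an example and not part of the Broadcom article: it confirms that the CERTDER backup of the expiring certificate (step 3), the GENREQ request (step 4) and the certificate returned by the CA (step 5) all carry the same public key, so TSS REPLACE will re-pair the retained private key, and that the renewed certificate actually expires later. It assumes the three artifacts were downloaded as binary files (DER or base64/PEM) and that openssl and GNU date are available; the file names are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the Broadcom article: an off-host check of the
# renewed certificate before TSS REPLACE. Assumes the three artifacts were
# downloaded as binary files: the CERTDER backup of the expiring certificate
# (step 3), the GENREQ request (step 4) and the certificate returned by the CA
# (step 5). Each may be DER or base64/PEM; GNU date and openssl are required.

# Emit the PEM public key of a certificate (x509) or request (req), trying
# DER first and falling back to PEM.
public_key() {  # $1 = x509|req, $2 = file
    openssl "$1" -inform DER -in "$2" -pubkey -noout 2>/dev/null \
        || openssl "$1" -inform PEM -in "$2" -pubkey -noout
}

# SHA-256 over the DER-encoded public key, so different encodings compare equal.
pubkey_fp() {  # $1 = x509|req, $2 = file
    public_key "$1" "$2" | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# notAfter of a certificate as seconds since the epoch (GNU date -d assumed).
not_after_epoch() {  # $1 = certificate file
    end=$( { openssl x509 -inform DER -in "$1" -enddate -noout 2>/dev/null \
        || openssl x509 -inform PEM -in "$1" -enddate -noout; } | cut -d= -f2)
    date -d "$end" +%s
}

# Return 0 only if old certificate, request and renewed certificate carry the
# same public key (so TSS REPLACE will re-pair the retained private key) and
# the renewed certificate expires later than the old one. Reasons go to stderr.
verify_renewal() {  # $1 = old cert, $2 = request, $3 = renewed cert
    old_fp=$(pubkey_fp x509 "$1")
    req_fp=$(pubkey_fp req "$2")
    new_fp=$(pubkey_fp x509 "$3")
    if [ "$old_fp" != "$req_fp" ] || [ "$old_fp" != "$new_fp" ]; then
        echo "public key mismatch: renewed certificate does not match the retained key pair" >&2
        return 1
    fi
    if [ "$(not_after_epoch "$3")" -le "$(not_after_epoch "$1")" ]; then
        echo "expiration not extended: renewed notAfter is not later than the old one" >&2
        return 1
    fi
    echo "ok: same public key $old_fp, expiration extended"
    return 0
}
```

Run it as `verify_renewal expiring.der genreq.pem renewed.der` before step 7; a non-zero exit means the CA returned something that will not pair with the private key still held in Top Secret, or did not extend the expiration date.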