Replace Expired Digital Certificate In Top Secret Using REKEY And ROLLOVER



Article ID: 27256


Products

Cleanup, Top Secret, Top Secret - LDAP

Issue/Introduction

How do you replace an expiring/expired digital certificate with the TSS REKEY and TSS ROLLOVER commands?

Environment

Release: TOPSEC00200-15-Top Secret-Security
Component:

Resolution

The TSS REKEY and TSS ROLLOVER commands allow you to automate the process of replacing an expired Digital Certificate.

The TSS REKEY command creates a new certificate from an existing certificate, with a new public/private key pair. It is the first step of the rekey/rollover process that retires the use of an existing private key. TSS REKEY also copies the subject's distinguished name, key usage and subject alternate name from the existing certificate. The new certificate is self-signed and is saved under the same ACID, CERTAUTH or CERTSITE as the original.

The TSS ROLLOVER subcommand is the final step of the rekey/rollover process. TSS ROLLOVER names the original certificate that is to be superseded by the new certificate, and performs the following actions:

- Delete the private key of the original certificate (as specified by the LABEL keyword), so that it can no longer be used to sign or encrypt.
- Replace the original certificate with the new certificate (as specified by the LABLCERT keyword) in every key ring that the old certificate is connected to.
- Copy the serial number base from the original certificate to the new certificate.

When the rollover is complete, the new certificate is used as if it were the original certificate. The original certificate will still be available to verify signatures and decrypt data, but can no longer be used to sign or encrypt.

Example:

Acid 'CERTSITE' is the owner of certificate 'JOECERT1'.
DIGICERT(JOECERT1) with a LABLCERT(JOECERT1) has been connected to 1000 keyrings.
Now 'JOECERT1' has expired and needs to be replaced with a new Digital Certificate.

1) Issue the TSS REKEY command to create a new certificate called 'JOECERT2' based on the expired certificate 'JOECERT1'.

    TSS REKEY(CERTSITE) DIGICERT(JOECERT1) NEWDIGIC(JOECERT2) KEYSIZE(nnnn)

    where 'nnnn' is the size of the private encryption key in decimal bits.
    This can be found by issuing TSS LIST(acid) DIGICERT(certname) and looking for:

        PRIVATE KEY SIZE = nnnn

2) Copy JOECERT2 to a dataset so that it can be sent to your third-party Certificate Authority.

    TSS GENREQ(CERTSITE) DIGICERT(JOECERT2) DCDSN(JOECERT2.CERT.UNSIGNED)

3) FTP the certificate request to the third-party Certificate Authority to be signed.

4) Rename the LABLCERT of JOECERT1 to something else.

    TSS REP(CERTSITE) DIGI(JOECERT1) LABLCERT('JOE1CERT OLD')

5) Add the signed certificate to Top Secret under a new DIGICERT name called JOECERT3 and a LABLCERT of JOECERT1.

    TSS ADD(CERTSITE) DIGICERT(JOECERT3) -
    DCDSN(JOECERT2.CERT.SIGNED) -
    TRUST LABLCERT('JOECERT1')

6) Use the TSS ROLLOVER command to propagate the new 'JOECERT3' certificate to the 1000 keyrings with just one command.

    TSS ROLLOVER(CERTSITE) DIGICERT(JOECERT1) NEWDIGIC(JOECERT3)
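The steps above are easy to get wrong by hand (the new DIGICERT name used in step 5 must be the same one named in step 6, and the old certificate's label must be freed in step 4 before step 5 reuses it). The following Python script is an added example, not part of the original article or of the Top Secret product: it extracts the PRIVATE KEY SIZE from captured TSS LIST output and then emits the command sequence for steps 1, 2, 4, 5 and 6 with those consistency checks applied. The function names (`private_key_size`, `rekey_rollover_plan`) are hypothetical, and the TSS LIST output it parses is constructed for the example; only the command keywords and the `PRIVATE KEY SIZE = nnnn` line come from the article. Step 3 (sending the request to the CA) happens outside Top Secret and is not emitted.

```python
import re

# Constructed sample of TSS LIST(acid) DIGICERT(certname) output; only the
# "PRIVATE KEY SIZE = nnnn" line is taken from the article, the rest is made up.
SAMPLE_LIST_OUTPUT = """\
ACCESSORID = CERTSITE  NAME = SITE CERTIFICATES
DIGICERT = JOECERT1  LABLCERT = JOECERT1
PRIVATE KEY SIZE = 2048
"""


def private_key_size(list_output: str) -> int:
    """Return the private key size in decimal bits from captured TSS LIST output.

    Raises ValueError if no PRIVATE KEY SIZE line is present, which is the case
    when the certificate has no private key and therefore cannot be rekeyed.
    """
    match = re.search(r"PRIVATE KEY SIZE\s*=\s*(\d+)", list_output)
    if not match:
        raise ValueError("PRIVATE KEY SIZE not found in TSS LIST output")
    return int(match.group(1))


def rekey_rollover_plan(acid, old_digicert, temp_digicert, new_digicert,
                        label, old_label, keysize, unsigned_dsn, signed_dsn):
    """Return the ordered TSS commands for the rekey/rollover procedure.

    acid          owner of the certificate (e.g. CERTSITE)
    old_digicert  expired certificate to be superseded (step 1 and step 6)
    temp_digicert self-signed certificate produced by TSS REKEY (steps 1 and 2)
    new_digicert  CA-signed certificate added in step 5 and rolled over in step 6
    label         LABLCERT the keyrings reference; moved from old to new cert
    old_label     replacement label given to the old certificate in step 4
    """
    # Three distinct DIGICERT names are involved; a collision would make the
    # TSS ADD in step 5 or the TSS ROLLOVER in step 6 target the wrong record.
    if len({old_digicert, temp_digicert, new_digicert}) != 3:
        raise ValueError("old, temporary and new DIGICERT names must be distinct")
    # Step 4 exists to free the label that step 5 reuses; same label = no-op.
    if old_label == label:
        raise ValueError("the label given to the old certificate must differ from the reused label")
    if keysize <= 0:
        raise ValueError("KEYSIZE must be a positive number of bits")
    return [
        f"TSS REKEY({acid}) DIGICERT({old_digicert}) NEWDIGIC({temp_digicert}) KEYSIZE({keysize})",
        f"TSS GENREQ({acid}) DIGICERT({temp_digicert}) DCDSN({unsigned_dsn})",
        f"TSS REP({acid}) DIGI({old_digicert}) LABLCERT('{old_label}')",
        f"TSS ADD({acid}) DIGICERT({new_digicert}) DCDSN({signed_dsn}) TRUST LABLCERT('{label}')",
        f"TSS ROLLOVER({acid}) DIGICERT({old_digicert}) NEWDIGIC({new_digicert})",
    ]


if __name__ == "__main__":
    size = private_key_size(SAMPLE_LIST_OUTPUT)
    for cmd in rekey_rollover_plan("CERTSITE", "JOECERT1", "JOECERT2", "JOECERT3",
                                   "JOECERT1", "JOECERT1 OLD", size,
                                   "JOECERT2.CERT.UNSIGNED", "JOECERT2.CERT.SIGNED"):
        print(cmd)
```

Run it against the real output of TSS LIST for the certificate being replaced; the key-size check refuses to build a plan for a certificate that has no private key, and the label check stops the common mistake of skipping step 4, after which the TSS ADD in step 5 would attempt to reuse a label the old certificate still holds.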

Additional Information

- REKEY
- ROLLOVER