How To Replace An Expiring User Digital Certificate Signed By Local Certificate Authority?


Article ID: 52804


Updated On:


CA Cleanup CA Datacom CA DATACOM - AD CA CIS CA Common Services for z/OS CA 90s Services CA Database Management Solutions for DB2 for z/OS CA Common Product Services Component CA Common Services CA Datacom/AD CA ecoMeter Server Component FOC CA Easytrieve Report Generator for Common Services CA Infocai Maintenance CA IPC Unicenter CA-JCLCheck Common Component CA Mainframe VM Product Manager CA Chorus Software Manager CA On Demand Portal CA Service Desk Manager - Unified Self Service CA PAM Client for Linux for zSeries CA Mainframe Connector for Linux on System z CA Graphical Management Interface CA Web Administrator for Top Secret CA CA- Xpertware CA Top Secret CA Top Secret - LDAP CA Top Secret - VSE



The process to replace or renew an expiring certificate differs slightly depending on whether the certificate is self-signed, signed by a CA, or is signed by a third-party Certificate Authority (CA).

The following process documents the replacement of an expiring user certificate that is signed by a local CA, keeping the same public/private key pair.



To replace an expiring user certificate signed by a local CA and keeping the same public/private key pair.

Note: The local CA must contain a private key, so it can be used to sign a certificate.

To determine if the local CA has a private key, issue a:

TSS LIST(acid) SEGMENT(CERTDATA) for the owner of the certificate. If the TSS LIST shows a PRIVATE KEY SIZE, then the certificate has a private key. Steps:

  1. Issue a TSS LIST(acid) SEGMENT(CERTDATA) for the certificate that will be renewed and save the output, so there is a record of the starting values.

  2. TSS EXPORT the user certificate to save it to a dataset. If the private key is non-ICSF, use PKCS#12 format to save the certificate and its public/private key pair.
    TSS EXPORT(acid) DIGICERT(expiringdigicert) DCDSN(expiring.digicert.backup.dataset) -FORMAT(PKCS12DER) PKCSPASS(password) 
  3. Issue a TSS GENREQ for the expiring digital certificate to write it to a dataset, which will contain the subject distinguished name and the public key.
    TSS GENREQ(acid) DIGICERT(expiringdigicert) DCDSN(expiring.digicert.public.key.dataset)
  4. Since the expiring certificate is signed by the local CA, issue a TSS GENCERT with the DCSN and SIGNWITH keyword to create a new signed certificate.
    TSS GENCERT(acid) DIGICERT(newdigicertname) - DCDSN(expiring.digicert.public.key.dataset) - SIGNWITH(acid,localCAdigicertname) NADATE(mm/dd/yy) TRUST
    Use the same signing certificate in the SIGNWITH keyword that was used to sign it originally.

  5. Issue a TSS LIST(acid) SEGMENT(CERTDATA) for the owner of the certificate to verify the new certificate.

  6. TSS EXPORT the newly created certificate.
    TSS EXPORT(acid) DIGICERT(newdigicertname) DCDSN(newdigicert.dataset) - FORMAT(CERTDER)
  7. TSS REMOVE the newly created certificate from the CA Top Secret Security File.
    TSS REMOVE(acid) DIGICERT(newdigicertname)
  8. TSS REPLACE the expiring certificate with the one just TSS EXPORTed.
    TSS REPLACE(digicert) DIGICERT(digicert) LABLCERT(certificatelabelname)  DCDSN(newdigicert.dataset)
  9. Issue TSS LIST(acid) SEGMENT(CERTDATA) against the owner of the certificate to verify that it is the same as the original. The NOT VALID AFTER date should have been has been updated.

  10. Recycle any address spaces that reference keyrings with the new certificate.
Please see the CA Top Secret Cookbook for more details about the TSS Digital Certificates commands.


Component: AWAGNT