
In Top Secret, Replace Expiring Digital Certificate Signed By Local Certificate Authority


Article ID: 52804



The process to replace or renew an expiring certificate differs slightly depending on whether the certificate is self-signed, signed by a local CA, or signed by a third-party Certificate Authority (CA). The following procedure documents the replacement of an expiring user certificate that is signed by a local CA, keeping the same public/private key pair.


Component: AWAGNT



This procedure replaces an expiring user certificate signed by a local CA while keeping the same public/private key pair.

Note: The local CA must have a private key so that it can be used to sign a certificate. To determine whether the local CA has a private key, issue a TSS LIST(acid) SEGMENT(CERTDATA) for the owner of the CA certificate. If the TSS LIST output shows a PRIVATE KEY SIZE, the certificate has a private key.

Steps:

  1. Issue a TSS LIST(acid) SEGMENT(CERTDATA) for the certificate that will be renewed and save the output, so there is a record of the starting values.

  2. TSS EXPORT the user certificate to save it to a dataset. If the private key is non-ICSF, use PKCS#12 format so that the certificate and its public/private key pair are saved together.
     TSS EXPORT(acid) DIGICERT(expiringdigicert) -
       DCDSN(expiring.digicert.backup.dataset) -
       FORMAT(PKCS12DER) PKCSPASS(password)

  3. Issue a TSS GENREQ for the expiring digital certificate to write a certificate request to a dataset. The request contains the subject distinguished name and the public key of the expiring certificate.
     TSS GENREQ(acid) DIGICERT(expiringdigicert) DCDSN(expiring.digicert.public.key.dataset)

  4. Since the expiring certificate is signed by the local CA, issue a TSS GENCERT with the DCDSN and SIGNWITH keywords to create a new certificate signed from that request.
     TSS GENCERT(acid) DIGICERT(newdigicertname) -
       DCDSN(expiring.digicert.public.key.dataset) -
       SIGNWITH(acid,localCAdigicertname) NADATE(mm/dd/yy) TRUST
     Use the same signing certificate in the SIGNWITH keyword that was used to sign the expiring certificate originally; the acid in SIGNWITH is the owner of the local CA certificate.

  5. Issue a TSS LIST(acid) SEGMENT(CERTDATA) for the owner of the certificate to verify the new certificate.

  6. TSS EXPORT the newly created certificate in DER format.
     TSS EXPORT(acid) DIGICERT(newdigicertname) DCDSN(newdigicert.dataset) -
       FORMAT(CERTDER)

  7. TSS REMOVE the newly created certificate from the CA Top Secret Security File.
     TSS REMOVE(acid) DIGICERT(newdigicertname)

  8. TSS REPLACE the expiring certificate with the one just exported.
     TSS REPLACE(acid) DIGICERT(expiringdigicert) LABLCERT(certificatelabelname) -
       DCDSN(newdigicert.dataset)

  9. Issue a TSS LIST(acid) SEGMENT(CERTDATA) against the owner of the certificate and compare it with the output saved in step 1. The values should be the same, except that the NOT VALID AFTER date now shows the new expiration date.

  10. Recycle any address spaces that reference keyrings containing the replaced certificate.
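The check a practitioner wants after step 9 is proof that only the validity period changed: the renewed certificate carries the same public key, is signed by the same local CA, and no longer expires soon. The following added example is not from the article or from CA Top Secret; it replays the same sequence (PKCS#12 backup, request built from the existing certificate's subject and public key, re-signing with the same CA and a new end date) with OpenSSL in a scratch directory so that each of those properties can be verified. The CA name, user name, file names and the "example" PKCS#12 password are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the CA Top Secret article: the certificate renewal
# sequence carried out with OpenSSL so the result can be checked offline.
# All names, paths and the PKCS#12 password below are constructed for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"
PASS="example"   # constructed PKCS#12 password for the backup file

# Constructed starting point: a local CA that holds its private key, and a
# user certificate it signed that expires tomorrow.
setup_local_ca_and_user_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=Local CA (example)" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=user1 (example)" \
    -keyout "$WORK/user.key" -out "$WORK/user.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/user.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -sha256 -out "$WORK/user_expiring.crt" 2>/dev/null
}

# Steps 2 to 4 of the article in OpenSSL terms:
#   backup of certificate plus key pair (TSS EXPORT FORMAT(PKCS12DER)),
#   request carrying the existing subject and public key (TSS GENREQ),
#   new certificate signed by the same local CA with a later end date
#   (TSS GENCERT SIGNWITH NADATE).
renew_user_cert() {
  openssl pkcs12 -export -inkey "$WORK/user.key" -in "$WORK/user_expiring.crt" \
    -certfile "$WORK/ca.crt" -passout "pass:$PASS" -out "$WORK/user_backup.p12"
  openssl x509 -x509toreq -in "$WORK/user_expiring.crt" -signkey "$WORK/user.key" \
    -out "$WORK/user_renew.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/user_renew.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -sha256 -out "$WORK/user_renewed.crt" 2>/dev/null
}

# SHA-256 over the DER SubjectPublicKeyInfo; equal values mean the same key pair.
spki_fingerprint() {
  openssl x509 -in "$1" -noout -pubkey \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Exit status 0 when both certificates carry the same public key.
same_key_pair() {
  [ "$(spki_fingerprint "$1")" = "$(spki_fingerprint "$2")" ]
}

# Exit status 0 when the certificate is still valid 30 days from now.
valid_for_30_days() {
  openssl x509 -in "$1" -noout -checkend 2592000 >/dev/null
}

# Exit status 0 when the certificate chains to the local CA used before.
signed_by_local_ca() {
  openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1
}

setup_local_ca_and_user_cert
renew_user_cert

# Step 9 of the article: confirm the key pair and signer are unchanged and
# that only the NOT VALID AFTER date moved.
same_key_pair "$WORK/user_expiring.crt" "$WORK/user_renewed.crt" && echo "key pair unchanged"
signed_by_local_ca "$WORK/user_renewed.crt" && echo "signed by the same local CA"
valid_for_30_days "$WORK/user_renewed.crt" && echo "renewed certificate valid beyond 30 days"
openssl x509 -in "$WORK/user_renewed.crt" -noout -subject -issuer -enddate
```

The script leaves its files in the directory named by WORK (a fresh mktemp directory unless WORK is set) so the backup and both certificates can be inspected afterwards. The same three checks apply to the datasets produced by TSS EXPORT in steps 2 and 6: compare the public key fingerprints, confirm the issuer is the local CA, and confirm the new end date.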

Please see the CA Top Secret Cookbook for more details about the TSS Digital Certificates commands.