The process to replace or renew an expiring certificate differs slightly depending on whether the certificate is self-signed, signed by a CA, or is signed by a third-party Certificate Authority (CA). The following process documents the replacement of an expiring user certificate that is signed by a local CA, keeping the same public/private key pair.
To replace an expiring user certificate signed by a local CA and keeping the same public/private key pair.
Note: The local CA must contain a private key, so it can be used to sign a certificate.
To determine if the local CA has a private key, issue a:
TSS LIST(acid) SEGMENT(CERTDATA) for the owner of the certificate. If the TSS LIST shows a PRIVATE KEY SIZE, then the certificate has a private key. Steps:
TSS EXPORT(acid) DIGICERT(expiringdigicert) DCDSN(expiring.digicert.backup.dataset) -FORMAT(PKCS12DER) PKCSPASS(password)
TSS GENREQ(acid) DIGICERT(expiringdigicert) DCDSN(expiring.digicert.public.key.dataset)
TSS GENCERT(acid) DIGICERT(newdigicertname) - DCDSN(expiring.digicert.public.key.dataset) - SIGNWITH(acid,localCAdigicertname) NADATE(mm/dd/yy) TRUSTNote:
TSS EXPORT(acid) DIGICERT(newdigicertname) DCDSN(newdigicert.dataset) - FORMAT(CERTDER)
TSS REMOVE(acid) DIGICERT(newdigicertname)
TSS REPLACE(digicert) DIGICERT(digicert) LABLCERT(certificatelabelname) DCDSN(newdigicert.dataset)
Please see the CA Top Secret Cookbook for more details about the TSS Digital Certificates commands.