Help to replace an expiring certificate

Document ID : KB000106163
Last Modified Date : 12/07/2018
Issue:
A new certificate is in a dataset and needs to replace an expiring certificate on the keyring.
Resolution:
Use the following commands to install the new certificate.

1. Rename LABLCERT to 'EXPIREDCERT' 
TSS REP(owningacid) DIGICERT(CERT1) LABLCERT(EXPIREDCERT) 

The owningacid is the ACID that owns the certificate.

2. Add new certificate to CA Top Secret. 
TSS ADD(owningacid) DIGICERT(CERT2) DCDSN(datasetname) LABLCERT(CERT1) 

'owningacid' should be the owning ACID you used when you issued the TSS GENREQ command. It is critical to use the correct owning ACID; otherwise the private key will be lost.

3. Remove old certificate from keyring. 
TSS REM(TCP) KEYRING(DALKRING) RINGDATA(owningacid,CERT1) 

4. Add new certificate to the keyring 
TSS ADD(TCP) KEYRING(DALKRING) RINGDATA(owningacid,CERT2) USAGE(PERSONAL) DEFAULT 

The owningacid should be the same as the one used in step 2. 

A recycle is required for the changes to go into effect. 

To back out the changes:

1. Remove new certificate from keyring. 
TSS REM(TCP) KEYRING(DALKRING) RINGDATA(owningacid,CERT2) 

2. Put the old certificate back on the keyring.
TSS ADD(TCP) KEYRING(DALKRING) RINGDATA(owningacid,CERT1) 

3. Rename the LABLCERT: 

TSS REP(owningacid) DIGICERT(CERT2) LABLCERT(NEWCERT) 
TSS REP(owningacid) DIGICERT(CERT1) LABLCERT(CERT1)

Recycle the address space for the change to go into effect.