How can I convert a SHA-1 certificate to a SHA-2 certificate?

Document ID : KB000013332
Last Modified Date : 14/02/2018
Question:

How can I convert a SHA-1 certificate to a SHA-2 certificate?

Answer:

To convert a SHA-1 certificate to a SHA-2 certificate, the certificate has to be re-signed by a SHA-2 CERTAUTH certificate. "SHA-1" and "SHA-2" here describe the hash algorithm used in the certificate's signature, not the key pair: the certificate keeps its key and subject, and only the signature (and therefore the "Signature Algorithm:" value shown by CHKCERT) changes. Which procedure applies depends on who signed the certificate.

If the SHA-1 certificate is signed by a Local CA CERTAUTH certificate, the RENEW command (issued from the ACF command under TSO) can be used to re-sign the certificate with a SHA-2 CA CERTAUTH certificate. For example:

ACF
SET PROFILE(USER) DIV(CERTDATA)
RENEW SHATEST.CERT SIGNWITH(CERTAUTH.STEST)

  where SHATEST.CERT   is the SHA-1 certificate to be re-signed
        CERTAUTH.STEST is the SHA-2 CA CERTAUTH certificate that signs it

If the SHA-1 certificate is signed by an External CA CERTAUTH certificate, the GENREQ command can be issued against the SHA-1 certificate to create a certificate request in PKCS #10 format and write it to a data set. This request is sent to the Certification Authority, which re-signs the certificate with a SHA-2 CERTAUTH certificate and returns the signed certificate along with the new signing SHA-2 CERTAUTH certificate. The renewal is completed by inserting the newly signed certificate on top of the original certificate record, which then holds a SHA-2 certificate. For example:

ACF
SET PROFILE(USER) DIV(CERTDATA)
GENREQ SHATEST.CERT DSN('my.SHATEST.CERT.GENREQ')

The data set 'my.SHATEST.CERT.GENREQ' is sent to the external CA for renewal/re-signing. The external CA re-signs the certificate and returns it; in this example the returned certificate has been placed in the data set 'my.SHATEST.CERT.signed' before it is inserted over the original record:

ACF
SET PROFILE(USER) DIV(CERTDATA)
INSERT SHATEST.CERT DSN('my.SHATEST.CERT.signed')

  where SHATEST.CERT is the record that held the SHA-1 certificate; after the INSERT it holds the SHA-2 signed certificate returned by the CA.

The new signing SHA-2 CERTAUTH certificate returned by the CA must also be made available as a trusted CERTAUTH certificate, otherwise the chain of the re-signed certificate cannot be validated.

To verify the conversion, issue the CHKCERT command against the certificate before and after the procedure and confirm that the "Signature Algorithm:" value has changed from a SHA-1 algorithm (such as sha1WithRSAEncryption) to a SHA-2 family algorithm (such as sha256WithRSAEncryption). SHA-2 is a family (SHA-224, SHA-256, SHA-384, SHA-512); SHA-256 is the member most CAs issue with. Check the signing CERTAUTH certificate(s) in the chain with CHKCERT as well, since an intermediate CA certificate that is itself still SHA-1 signed will be rejected by clients that no longer accept SHA-1.
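The same "Signature Algorithm:" check can be repeated off the host on the exported certificate (or on the PKCS #10 request before it goes to the CA), which is useful when the CA returns the file and you want to confirm what was actually signed before running INSERT. The following is an added example written for this article, not ACF2 code or CHKCERT output. It is a small pure-Python DER walker that reads the outer signatureAlgorithm of an X.509 certificate or PKCS #10 request (both encode as SEQUENCE { body, signatureAlgorithm, signature }) and classifies the OID as SHA-1 or SHA-2. The sample inputs are constructed in the script with a stub body, so it runs offline; the OID table and the before/after labels are the only assumptions beyond the DER structure.

```python
"""Classify the signature hash algorithm of a DER or PEM certificate / PKCS #10 request."""
import base64
import re

# Well-known signature AlgorithmIdentifier OIDs (RFC 3279, RFC 4055, RFC 5758).
SIG_ALG_OIDS = {
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "SHA-1"),
    "1.2.840.10040.4.3": ("dsaWithSHA1", "SHA-1"),
    "1.2.840.10045.4.1": ("ecdsaWithSHA1", "SHA-1"),
    "1.2.840.113549.1.1.14": ("sha224WithRSAEncryption", "SHA-2"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "SHA-2"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "SHA-2"),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", "SHA-2"),
    "2.16.840.1.101.3.4.3.2": ("dsaWithSHA256", "SHA-2"),
    "1.2.840.10045.4.3.2": ("ecdsaWithSHA256", "SHA-2"),
    "1.2.840.10045.4.3.3": ("ecdsaWithSHA384", "SHA-2"),
    "1.2.840.10045.4.3.4": ("ecdsaWithSHA512", "SHA-2"),
}


def _read_tlv(buf, pos):
    """Parse one DER TLV (single-byte tag) at buf[pos]; return (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("DER length exceeds buffer")
    return tag, pos, end


def _decode_oid(value):
    """Decode OBJECT IDENTIFIER contents into dotted notation."""
    arcs = [value[0] // 40, value[0] % 40]
    sub = 0
    for b in value[1:]:
        sub = (sub << 7) | (b & 0x7F)
        if not b & 0x80:  # last byte of this base-128 arc
            arcs.append(sub)
            sub = 0
    return ".".join(str(a) for a in arcs)


def _pem_to_der(data):
    """Accept raw DER or a PEM block (as typically exported to a data set)."""
    if data.lstrip().startswith(b"-----BEGIN"):
        body = re.sub(rb"-----[^-]+-----", b"", data)
        return base64.b64decode(b"".join(body.split()))
    return data


def signature_algorithm(data):
    """Return (dotted_oid, name, family) of the outer signatureAlgorithm.

    Works for both X.509 Certificate and PKCS #10 CertificationRequest, which share
    the outer shape SEQUENCE { body, AlgorithmIdentifier, signature }.
    """
    der = _pem_to_der(data)
    tag, start, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, body_end = _read_tlv(der, start)          # skip tbsCertificate / requestInfo
    tag, alg_start, _ = _read_tlv(der, body_end)     # AlgorithmIdentifier SEQUENCE
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid_start, oid_end = _read_tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    oid = _decode_oid(der[oid_start:oid_end])
    name, family = SIG_ALG_OIDS.get(oid, ("unknown", "unknown"))
    return oid, name, family


def is_sha2_signed(data):
    return signature_algorithm(data)[2] == "SHA-2"


# --- constructed samples (assumption: a stub body stands in for tbsCertificate) ---
def _tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def build_sample(sig_oid):
    """Certificate-shaped DER with the given signature OID; body and signature are stubs."""
    body = _tlv(0x30, _tlv(0x02, b"\x02"))
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + _tlv(0x05, b""))
    sig = _tlv(0x03, b"\x00" * 33)
    return _tlv(0x30, body + alg + sig)


def to_pem(der):
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der) + b"-----END CERTIFICATE-----\n"


SHA1_SAMPLE = build_sample("1.2.840.113549.1.1.5")     # what CHKCERT shows before RENEW
SHA256_SAMPLE = build_sample("1.2.840.113549.1.1.11")  # what it should show afterwards

if __name__ == "__main__":
    for label, sample in (("before", SHA1_SAMPLE), ("after", SHA256_SAMPLE)):
        oid, name, family = signature_algorithm(sample)
        print(f"{label}: Signature Algorithm: {name} ({oid}) -> {family}")
```

On a real file, pass the bytes of the exported certificate or of 'my.SHATEST.CERT.signed' to signature_algorithm(); an "unknown" family means the OID is not in the table and should be looked up rather than assumed to be SHA-2.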