How can I replace an expiring or expired user digital certificate signed by a local CA (Certificate Authority)?

Document ID : KB000026637
Last Modified Date : 14/02/2018

Introduction:

The process to replace or update an expiring certificate differs slightly depending on whether the certificate is self-signed, signed by a CA, or is a third-party CERTAUTH.

The following process documents the replacement of an expiring user certificate that is signed by a local CA, keeping the same public/private key pair. The local CA must contain a private key.

Instructions:

Example: replace an expiring user certificate signed by a local CA, keeping the same public/private key pair (the local CA record must contain its private key; without it the CA cannot sign another certificate):


  1. CHKCERT the certificate you want to renew so you have a record of the starting values, including the CERTDATA record and the keyrings to which it is connected.

  2. EXPORT the user certificate to a dataset to save it, just in case. If the private key is non-ICSF, use PKCS#12 format so that the certificate is saved together with its public/private key pair.

  3. Issue a GENREQ against the existing CERTDATA record for the expiring certificate. The output contains the Subject DN and the public key. You will get an ACF68068 message indicating that the certificate request has been placed in the designated dataset.

  4. Since your expiring certificate is signed by your own CA, issue a GENCERT with the DSN and SIGNWITH parameters to create a new signed certificate from your certificate request. Use the same signing certificate, CERTAUTH.localCA, that you used to sign the user certificate originally.

  5. Issue a CHKCERT to verify that the new certificate looks valid (is the NOT VALID AFTER date what you want?). Note that the new certificate has no private key.

  6. EXPORT the newly created certificate. You should get an ACF68068 message indicating that the certificate has been exported to the dataset.

  7. DELETE the newly created certificate. You should get an ACF6D073 message indicating that the certificate has been deleted.

  8. INSERT the new certificate from the EXPORT dataset, replacing the existing user CERTDATA record.

  9. Issue a CHKCERT against the new user CERTDATA record to verify that it looks the same as the original, except that the NOT VALID AFTER date is updated (usually one year later).

  10. Issue F ACF2,REBUILD(USR),CLASS(P)

  11. Issue F ACF2,OMVS(CERTDATA)

  12. Bounce any address spaces that reference the keyrings to which a replaced certificate is connected.


Corresponding Commands:

ACF

  1. CHKCERT user.cert

  2. EXPORT user.cert DSN('saved.userid.cert') FORMAT(PKCS12DER) PASSWORD(pkcs12 password)

  3. GENREQ user.cert DSN('genreq.userid.cert')

  4. GENCERT NEWCERT.CERT DSN('genreq.userid.cert') SIGNWITH(CERTAUTH.localCA)

  5. CHKCERT NEWCERT.CERT

  6. EXPORT NEWCERT.CERT DSN('newcert.cert')

  7. SET PROFILE(USER) DIV(CERTDATA)
    DELETE NEWCERT.CERT

  8. INSERT user.cert DSN('newcert.cert') TRUST

  9. CHKCERT user.cert

  10. F ACF2,REBUILD(USR),CLASS(P)

  11. F ACF2,OMVS(CERTDATA)
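The CHKCERT comparison in steps 5 and 9 is a visual check. Before the INSERT in step 8 it is worth confirming mechanically that the renewed certificate still carries the same subject DN and the same public key as the original (so it belongs to the private key saved in step 2), is issued by the same local CA, and actually moves the NOT VALID AFTER date forward. The following is an added example, not code from the article or from CA ACF2. It assumes both certificates are available as DER-encoded X.509 bytes (for example, downloaded in binary from the export datasets; a PKCS#12 export or a Base64 export would first need the bare certificate extracted or decoded, which is outside this block). It uses only the Python standard library, so the DER walk is written by hand; the sample certificates at the bottom are constructed in place with placeholder key and signature bytes and are not real keys or signatures.

```python
"""Pre-INSERT check for a renewed certificate: same subject, same public key,
same issuer, later NOT VALID AFTER. Added example; assumes DER-encoded inputs."""
import hashlib
from datetime import datetime, timezone

# ---- minimal DER reader ----------------------------------------------------
def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                       # short-form length
        length, hdr = first, 2
    else:                                  # long-form length: 0x8N then N length bytes
        n = first & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    start = pos + hdr
    return tag, buf[start:start + length], start + length

def _children(body):
    """Split a constructed element's body into (tag, value, raw_tlv) triples."""
    out, pos = [], 0
    while pos < len(body):
        tag, value, nxt = _read_tlv(body, pos)
        out.append((tag, value, body[pos:nxt]))
        pos = nxt
    return out

def _decode_time(tag, value):
    # 0x17 = UTCTime (YYMMDDHHMMSSZ), 0x18 = GeneralizedTime (YYYYMMDDHHMMSSZ)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def parse_certificate(der):
    """Pull serial, issuer, subject, validity and a SubjectPublicKeyInfo fingerprint from a DER cert."""
    tag, cert_body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE (is the dataset really DER-encoded?)")
    fields = _children(_children(cert_body)[0][1])   # children of tbsCertificate
    if fields[0][0] == 0xA0:                         # optional explicit [0] version
        fields = fields[1:]
    serial, _sig_alg, issuer, validity, subject, spki = fields[:6]
    not_before, not_after = [_decode_time(t, v) for t, v, _ in _children(validity[1])]
    return {
        "serial": int.from_bytes(serial[1], "big", signed=True),
        "issuer": issuer[2],                 # raw DER of the issuer Name
        "subject": subject[2],               # raw DER of the subject Name
        "not_before": not_before,
        "not_after": not_after,
        "spki_sha256": hashlib.sha256(spki[2]).hexdigest(),   # public key fingerprint
    }

def check_renewal(old_der, new_der):
    """Return (ok, problems) for replacing old_der with new_der while keeping the key pair."""
    old, new = parse_certificate(old_der), parse_certificate(new_der)
    problems = []
    if new["subject"] != old["subject"]:
        problems.append("subject DN changed")
    if new["spki_sha256"] != old["spki_sha256"]:
        problems.append("public key changed: the new certificate does not match the saved private key")
    if new["issuer"] != old["issuer"]:
        problems.append("issuer changed: not signed by the same local CA")
    if new["not_after"] <= old["not_after"]:
        problems.append("NOT VALID AFTER was not extended")
    return (not problems, problems)

# ---- constructed sample certificates (placeholder key/signature bytes) ------
def _tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    nb = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | nb]) + n.to_bytes(nb, "big") + body

RSA_OID = bytes.fromhex("06092a864886f70d010101")          # rsaEncryption
SHA256_RSA_OID = bytes.fromhex("06092a864886f70d01010b")   # sha256WithRSAEncryption
CN_OID = bytes.fromhex("0603550403")                       # commonName
NULL = b"\x05\x00"

def _name(cn):   # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue
    return _tlv(0x30, _tlv(0x31, _tlv(0x30, CN_OID + _tlv(0x0C, cn.encode()))))

def build_sample_cert(serial, subject_cn, issuer_cn, not_before, not_after, key_bytes):
    """Build a structurally valid DER certificate around placeholder key and signature bytes."""
    spki = _tlv(0x30, _tlv(0x30, RSA_OID + NULL) + _tlv(0x03, b"\x00" + key_bytes))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02"))               # version v3
                     + _tlv(0x02, bytes([serial]))                 # serialNumber (0..127)
                     + _tlv(0x30, SHA256_RSA_OID + NULL)
                     + _name(issuer_cn)
                     + _tlv(0x30, _tlv(0x17, not_before.encode()) + _tlv(0x17, not_after.encode()))
                     + _name(subject_cn) + spki)
    return _tlv(0x30, tbs + _tlv(0x30, SHA256_RSA_OID + NULL) + _tlv(0x03, b"\x00" + bytes(16)))

USER_KEY = bytes(range(1, 33))                       # placeholder, not a real RSA key
OLD_CERT = build_sample_cert(1, "user cert", "localCA", "170214000000Z", "180214000000Z", USER_KEY)
NEW_CERT = build_sample_cert(2, "user cert", "localCA", "180214000000Z", "190214000000Z", USER_KEY)
WRONG_KEY_CERT = build_sample_cert(3, "user cert", "localCA", "180214000000Z", "190214000000Z", bytes(32))

if __name__ == "__main__":
    print(check_renewal(OLD_CERT, NEW_CERT))         # (True, [])
    print(check_renewal(OLD_CERT, WRONG_KEY_CERT))   # key mismatch reported
```

The public-key comparison is the one that matters for this procedure: GENREQ reuses the existing key, so a fingerprint mismatch means the request or the GENCERT was run against the wrong record and the INSERT in step 8 would leave a certificate that no private key can serve. Treat any reported problem as a reason to stop before step 8 while the PKCS#12 export from step 2 still gives you a clean way back.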