How do I replace an expired digital certificate in CA Top Secret for z/OS? - Using the REKEY and ROLLOVER commands

Document ID : KB000027256
Last Modified Date : 14/02/2018

Question:

How do you replace an expired digital certificate with the TSS REKEY and TSS ROLLOVER commands?

Answer:

Two commands, REKEY and ROLLOVER, automate the process of replacing an expired digital certificate.

These commands were introduced with CA Top Secret for z/OS r8 SP01.

The REKEY command creates a new certificate from an existing certificate, with a new public/private key pair. It is the first step of the rekey/rollover process, whose purpose is to retire the existing private key. REKEY copies the subject's distinguished name, key usage and subject alternate name from the existing certificate. The new certificate is self-signed and is saved under the same ACID (the same logonid, CERTAUTH or CERTSITE) as the original.

The ROLLOVER command is the final step of the rekey/rollover process. It names the original certificate that is to be superseded by the new certificate, and performs the following actions:

- Delete the private key of the original certificate (as specified by the LABEL keyword), so that it can no longer be used to sign or encrypt.
- Replace the original certificate with the new certificate (as specified by the LABLCERT keyword) in every key ring that the old certificate is connected to.
- Copy the serial number base from the original certificate to the new certificate.

When the rollover is complete, the new certificate is used as if it were the original certificate. The original certificate will still be available to verify signatures and decrypt data, but can no longer be used to sign or encrypt.

Example:

ACID 'CERTSITE' is the owner of certificate 'JOECERT1'.
DIGICERT(JOECERT1), with a LABLCERT of JOECERT1, has been connected to 1000 key rings. Now 'JOECERT1' has expired and needs to be replaced with a new digital certificate.

  1. Issue the REKEY command to create a new certificate called 'JOECERT2' (with a new key pair) based on the expired certificate 'JOECERT1'.
    TSS REKEY(CERTSITE) DIGICERT(JOECERT1) NEWDIGIC(JOECERT2)
  2. Use GENREQ to write a signing request for JOECERT2 to a data set so it can be sent to your third-party Certificate Authority.
    TSS GENREQ(CERTSITE) DIGICERT(JOECERT2) DCDSN(JOECERT2.CERT.UNSIGNED)
  3. FTP the request to the third-party Certificate Authority to be signed.
  4. Rename the LABLCERT of JOECERT1 to something else, so that the label 'JOECERT1' is free for the signed certificate.
    TSS REP(CERTSITE) DIGI(JOECERT1) LABLCERT('JOE1CERT OLD')
  5. Add the signed certificate to Top Secret under a new DIGICERT name, JOECERT3, with a LABLCERT of JOECERT1.
    TSS ADD(CERTSITE) DIGICERT(JOECERT3) -
    DCDSN(JOECERT2.CERT.SIGNED) -
    TRUST LABLCERT('JOECERT1')
  6. Use the ROLLOVER command to propagate the new 'JOECERT3' certificate to all 1000 key rings with a single command.
    TSS ROLLOVER(CERTSITE) DIGICERT(JOECERT1) NEWDIGIC(JOECERT3)
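The following is an added example, not part of this document or of CA Top Secret: a workstation-side check, using OpenSSL, of the certificate the third-party CA sends back (between steps 3 and 5) before it is added and rolled over. It assumes OpenSSL is installed and that the expired certificate, the signed certificate and the GENREQ request have been downloaded as PEM files (old.pem, new.pem and new.csr are hypothetical names); the closing lines build throwaway test material so the script runs stand-alone.

```shell
#!/bin/sh
# Added example (not from the CA document): check the CA-signed certificate on
# the workstation before step 5 above. REKEY keeps the subject and generates a
# new key, so the returned certificate must carry the same subject as JOECERT1,
# a public key that differs from the old one but matches the GENREQ request,
# and a validity period that has not yet ended. Assumes OpenSSL is installed
# and the files are PEM: old.pem (expired cert), new.pem (signed), new.csr.

pubkey_digest() {
  # $1 is "x509" or "req", $2 the file; prints the SHA-256 of the public key
  openssl "$1" -in "$2" -noout -pubkey | openssl sha256 | sed 's/^.*= *//'
}

check_successor() {
  old=$1 new=$2 csr=$3
  old_subj=$(openssl x509 -in "$old" -noout -subject)
  new_subj=$(openssl x509 -in "$new" -noout -subject)
  if [ "$old_subj" != "$new_subj" ]; then
    echo "FAIL: subject changed: $old_subj -> $new_subj"; return 1
  fi
  old_key=$(pubkey_digest x509 "$old")
  new_key=$(pubkey_digest x509 "$new")
  csr_key=$(pubkey_digest req "$csr")
  if [ "$old_key" = "$new_key" ]; then
    echo "FAIL: signed certificate reuses the old key; ROLLOVER would retire nothing"; return 1
  fi
  if [ "$new_key" != "$csr_key" ]; then
    echo "FAIL: signed certificate does not match the key pair created by REKEY"; return 1
  fi
  # -checkend 0 exits non-zero when notAfter is already in the past
  if ! openssl x509 -in "$new" -noout -checkend 0 >/dev/null; then
    echo "FAIL: CA returned an already-expired certificate"; return 1
  fi
  echo "OK: $new is a valid successor of $old"
}

make_fixtures() {
  # Constructed throwaway material for a stand-alone run (not site certificates)
  d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=JOECERT1 \
    -keyout "$d/old.key" -out "$d/old.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj /CN=JOECERT1 \
    -keyout "$d/new.key" -out "$d/new.csr" 2>/dev/null
  openssl x509 -req -days 365 -in "$d/new.csr" -signkey "$d/new.key" \
    -out "$d/new.pem" 2>/dev/null
}

dir=$(mktemp -d)
make_fixtures "$dir"
check_successor "$dir/old.pem" "$dir/new.pem" "$dir/new.csr"
```

The key-must-differ check applies only to the REKEY flow; the r8 SP00 procedure below re-signs the existing key, so there the signed certificate is expected to carry the same public key as the expired one.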

If you are running CA Top Secret r8 SP00 or older, the following sequence of commands can be used to replace the expired digital certificate (note that this procedure keeps the existing key pair and only replaces the certificate).

  1. Write a signing request containing the expired certificate JOECERT1's public key to a data set.
    TSS GENREQ(CERTSITE) DIGICERT(JOECERT1) DCDSN(JOECERT1.CERT.UNSIGNED)
  2. FTP the request to the third-party Certificate Authority to be signed.
  3. Add the signed certificate to Top Secret under a new DIGICERT name called TEMP.
    TSS ADD(CERTSITE) DIGICERT(TEMP) -
    DCDSN(JOECERT1.CERT.SIGNED) -
    TRUST LABLCERT('TEMP')
  4. Export the certificate to a data set in DER format.
    TSS EXPORT(CERTSITE) DIGICERT(TEMP) DCDSN(TEMP.CERT.SIGNED) FORMAT(CERTDER)
  5. Delete the TEMP certificate.
    TSS REM(CERTSITE) DIGICERT(TEMP)
  6. Add the certificate back under the certificate name JOECERT1.
    TSS REP(CERTSITE) DIGICERT(JOECERT1) DCDSN(TEMP.CERT.SIGNED) TRUST

Please refer to the CA Top Secret for z/OS Command Functions Guide and the CA Top Secret for z/OS Cookbook for more details about the CA Top Secret commands used in this document.