How to replace an expiring or expired self-signed digital certificate with one that has a new key pair.

Document ID : KB000054942
Last Modified Date : 14/02/2018

Description

The process to replace or update an expiring certificate differs slightly depending on whether the certificate is self-signed, signed by a CA, or is a third-party CERTAUTH.

The following process documents the replacement of an expiring self-signed certificate with a new self-signed certificate that has a new public/private key pair.

Solution

  1. EXPORT the expiring certificate to a dataset to save it, just in case.

    1. If the private key is non-ICSF, use PKCS#12 format to save the certificate and its public/private key pair.

    2. If the private key is ICSF, consider using the IBM freeware utility called KEYXFER to back up the private key, in conjunction with a non-PKCS#12 format to back up the certificate and public key.

  2. REMOVE the old CERTDATA record from any keyrings to which it is connected.

  3. DELETE the CERTDATA record that is being replaced.

  4. Issue F ACF2,REBUILD(USR),CLASS(P)

  5. Issue F ACF2,OMVS(CERTDATA)

  6. Obtain a new certificate with a new public/private key pair. The certificate may be obtained from another site, or you can issue a GENCERT to create your own.

  7. Issue CHKCERT to verify that the new certificate looks valid (ensure the NOT VALID AFTER date is what you want).

  8. Repeat steps #4 and #5.

  9. CONNECT the new CERTDATA record to all keyrings from which the original was removed.

  10. Bounce any address spaces that reference the keyrings to which the replaced certificate was connected.

  11. Distribute the new certificate to clients, as necessary.

Commands:

    ACF
    EXPORT selfsign.cert1 DSN('saved.cert') FORMAT(PKCS12DER) -
    PASSWORD(pkcs12 password)
    REMOVE CERTDATA(selfsign.cert1) KEYRING(keyring.ring1)
    SET PROFILE(USER) DIV(CERTDATA)
    DELETE selfsign.cert1
    F ACF2,REBUILD(USR),CLASS(P)
    F ACF2,OMVS(CERTDATA)
    SET PROFILE(USER) DIV(CERTDATA)
    INSERT selfsign.cert1 DSN('new.sitecert.cert') PASSWORD(password) or
    GENCERT selfsign.cert1 SUBJSDN(....etc.......) EXPIRE(mmddyy)
    CHKCERT selfsign.cert1
    F ACF2,REBUILD(USR),CLASS(P)
    F ACF2,OMVS(CERTDATA)
    CONNECT CERTDATA(selfsign.cert1) KEYRING(keyring.ring1)
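As an added example (not from this article and not part of ACF2), the following stdlib-only Python script performs the check behind steps 6 and 7 off-host: the replacement certificate must carry a different SubjectPublicKeyInfo (a genuinely new key pair) and a later NOT VALID AFTER date than the one it replaces. It walks the DER structure of an X.509 certificate as it would appear in a DSN written by EXPORT or read by INSERT; the two sample certificates, the fixed "today" date and the placeholder OIDs are constructed inside the script and are not real certificates.

```python
import hashlib
from datetime import datetime, timezone
def _enc(tag, content):                                # minimal DER TLV encoder for the samples below
    n = len(content)
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x81, n])) + content

def _tlv(data, pos=0):
    """Decode one DER element at pos; return (tag, value, end_offset)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def _children(content):                                # children of a constructed value as (tag, full encoding)
    out, pos = [], 0
    while pos < len(content):
        tag, _, end = _tlv(content, pos)
        out.append((tag, content[pos:end]))
        pos = end
    return out

def cert_summary(der):
    """Return (not_after, sha256 hex of SubjectPublicKeyInfo) for a DER X.509 certificate."""
    fields = _children(_tlv(_tlv(der)[1])[1])          # Certificate -> tbsCertificate -> its fields
    if fields[0][0] == 0xA0:                           # skip optional [0] EXPLICIT version
        fields = fields[1:]
    validity, spki = fields[3][1], fields[5][1]        # serial, sigAlg, issuer, validity, subject, spki
    tag, s, _ = _tlv(_children(_tlv(validity)[1])[1][1])   # notAfter: 0x17 UTCTime or 0x18 GeneralizedTime
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    not_after = datetime.strptime(s.decode("ascii"), fmt).replace(tzinfo=timezone.utc)
    return not_after, hashlib.sha256(spki).hexdigest()

def check_replacement(old_der, new_der, now):
    """True only if the new certificate carries a different public key and outlives the old one."""
    (old_exp, old_key), (new_exp, new_key) = cert_summary(old_der), cert_summary(new_der)
    return new_key != old_key and new_exp > old_exp and new_exp > now

def _sample_cert(not_after, key):                      # constructed, unsigned cert-shaped DER, not a real cert
    alg = _enc(0x30, _enc(0x06, bytes.fromhex("2A864886F70D01010B")))  # sha256WithRSAEncryption OID
    name, t = _enc(0x30, b""), 0x18 if len(not_after) == 15 else 0x17
    validity = _enc(0x30, _enc(0x17, b"180101000000Z") + _enc(t, not_after))
    spki = _enc(0x30, alg + _enc(0x03, b"\x00" + key))
    tbs = _enc(0x30, _enc(0xA0, _enc(0x02, b"\x02")) + _enc(0x02, b"\x01") + alg + name + validity + name + spki)
    return _enc(0x30, tbs + alg + _enc(0x03, b"\x00" * 9))

NOW = datetime(2018, 2, 14, tzinfo=timezone.utc)                     # constructed "today"
OLD_CERT = _sample_cert(b"180301000000Z", b"\x01" * 32)             # expiring soon, key A
NEW_CERT = _sample_cert(b"20230301000000Z", b"\x02" * 32)           # GeneralizedTime date, new key B
print("replacement has a new key and a later expiry:", check_replacement(OLD_CERT, NEW_CERT, NOW))
```

A certificate that reuses the old key pair, or whose NOT VALID AFTER date is not later than the old one, fails the check even though CHKCERT would show it as well-formed.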