How to replace an expiring or expired user digital certificate signed by a third party Certificate Authority (CA) keeping the same key pair.

Document ID : KB000025832
Last Modified Date : 14/02/2018

Question:

The process to replace or renew an expiring certificate differs slightly depending on whether the certificate is self-signed, signed by a local Certificate Authority, or signed by a third-party Certificate Authority like Verisign or Geotrust.

The following process documents the replacement of an expiring user certificate that has been signed by a third-party Certificate Authority such as Verisign or Geotrust.

These expiring certificates have to be sent off to the Certificate Authority to be renewed. In this process, the original public/private key pair is retained.

Answer:

Example:

Replace an expiring/expired user certificate signed by a third party Certificate Authority keeping the same public/private key pair.

Steps:

  1. Issue a TSS LIST(acid) SEGMENT(CERTDATA) for the certificate that will be renewed and save the output, so there is a record of the starting values.

  2. TSS EXPORT the user certificate to save it to a dataset:

    1. If the private key is non-ICSF, use PKCS#12 format to save the certificate and its public/private key pair.

      TSS EXPORT(acid) DIGICERT(expiringdigicert) DCDSN(expiring.digicert.backup.dataset) -
      FORMAT(PKCS12DER) PKCSPASS(password)

    2. If the private key is ICSF, consider using the IBM freeware utility called KEYXFER to back up the private key, in conjunction with a non-PKCS#12 format (CERTDER) to back up the certificate and public key.

  3. Issue a TSS GENREQ for the expiring digital certificate to write a certificate request to a dataset. The request contains the subject distinguished name and the public key of the existing certificate.

    TSS GENREQ(acid) DIGICERT(expiringdigicert) -
    DCDSN(expiring.digicert.public.key.dataset)

  4. Send the dataset to the Certificate Authority to be renewed.

  5. Issue TSS CHKCERT against the dataset returned by the Certificate Authority to verify the certificate is valid. Has the expiration date been extended? How does the output compare to the initial TSS LIST(acid) SEGMENT(CERTDATA) output?

    TSS CHKCERT DCDSN(dataset) PKCSPASS(password)

    Note: PKCSPASS keyword can be omitted if the certificate was not password protected.

  6. TSS REPLACE the renewed certificate from the dataset, replacing the existing certificate.

    TSS REPLACE(acid) DIGICERT(digicert) LABLCERT(certificatelabelname) -
    DCDSN(dataset) PKCSPASS(password) TRUST

    Note: PKCSPASS keyword can be omitted if the certificate was not password protected.

  7. Issue a TSS LIST(acid) SEGMENT(CERTDATA) and verify that the output for the replacement certificate matches the original TSS LIST(acid) SEGMENT(CERTDATA) output saved in step 1, except that the expiration date has been extended.

    There should be a private key. If the TSS LIST shows a PRIVATE KEY SIZE, then the certificate has a private key.

    It should have TRUST.

  8. Recycle any address spaces that reference keyrings with the new certificate.
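
Off-platform check of the same properties with OpenSSL. This is an added example, not part of the KB article and not a Top Secret facility: it assumes the exported certificate, request and replacement have been downloaded in binary and converted to PEM, and it stands in for the CA with a throw-away key. The stand-in CA, the user key, the file names and the PKCS#12 password "password" are all constructed for the demonstration. It confirms what steps 5 and 7 ask you to look for: the replacement carries the same public key as the old certificate and as the request that was sent off, the same subject, a later expiration date, and a private key in the PKCS#12 backup.

```shell
#!/bin/sh
# Added example (not from the KB article or Top Secret): OpenSSL checks for a renewal
# that keeps the same key pair. CA, user key, file names and password are constructed.
set -e
WORK="${WORK:-$(mktemp -d)}"

# Steps 1-2 analogue: a throw-away CA and an "expiring" user certificate (one day of
# validity), backed up in PKCS#12 the way TSS EXPORT FORMAT(PKCS12DER) would.
setup_demo() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/ca.key" 2>/dev/null
  openssl req -x509 -new -key "$WORK/ca.key" -subj "/CN=Demo Third-Party CA" \
    -days 3650 -out "$WORK/ca.pem" 2>/dev/null
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/user.key" 2>/dev/null
  openssl req -new -key "$WORK/user.key" -subj "/CN=USER01/O=Example" -out "$WORK/user.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/user.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -out "$WORK/old.pem" 2>/dev/null
  openssl pkcs12 -export -inkey "$WORK/user.key" -in "$WORK/old.pem" -certfile "$WORK/ca.pem" \
    -out "$WORK/old.p12" -passout pass:password 2>/dev/null
}

# Steps 3, 4 and 6 analogue: derive a request from the existing certificate (subject and
# public key only, no new key), have the CA sign it for longer, and back up the result.
renew_demo() {
  openssl x509 -x509toreq -in "$WORK/old.pem" -signkey "$WORK/user.key" -out "$WORK/renew.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/renew.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -out "$WORK/new.pem" 2>/dev/null
  openssl pkcs12 -export -inkey "$WORK/user.key" -in "$WORK/new.pem" -certfile "$WORK/ca.pem" \
    -out "$WORK/new.p12" -passout pass:password 2>/dev/null
}

# SHA-256 over the DER SubjectPublicKeyInfo; equal fingerprints mean the same key pair.
spki_fp() {
  openssl x509 -in "$1" -pubkey -noout | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}
csr_spki_fp() {
  openssl req -in "$1" -pubkey -noout | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}
subject_of() { openssl x509 -in "$1" -noout -subject; }
# Returns 0 when the certificate is still valid $2 seconds from now.
still_valid_after() { openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1; }
# Prints the number of private keys in a PKCS#12 file; a usable backup has exactly 1.
p12_private_keys() {
  openssl pkcs12 -in "$1" -passin pass:"$2" -nocerts -nodes 2>/dev/null | grep -c '^-----BEGIN.*PRIVATE KEY' || true
}

# Steps 5 and 7 analogue: same public key as the old certificate and as the request,
# same subject, expiry extended past the old one, private key present in the backup.
run_demo() {
  setup_demo
  renew_demo
  [ "$(spki_fp "$WORK/old.pem")" = "$(spki_fp "$WORK/new.pem")" ] || { echo "key pair changed"; return 1; }
  [ "$(spki_fp "$WORK/new.pem")" = "$(csr_spki_fp "$WORK/renew.csr")" ] || { echo "certificate does not match request"; return 1; }
  [ "$(subject_of "$WORK/old.pem")" = "$(subject_of "$WORK/new.pem")" ] || { echo "subject changed"; return 1; }
  still_valid_after "$WORK/new.pem" 172800 || { echo "expiration not extended"; return 1; }
  [ "$(p12_private_keys "$WORK/new.p12" password)" = "1" ] || { echo "no private key in backup"; return 1; }
  echo "renewal checks passed: same key pair, same subject, expiration extended, private key present"
}
run_demo
```

The SubjectPublicKeyInfo fingerprint is the portable equivalent of comparing the PRIVATE KEY SIZE and key fields between the two TSS LIST outputs: if the CA returned a certificate for a different key, or the request was generated with a fresh key rather than from the existing certificate, the fingerprints differ and the replacement would leave the keyring without a matching private key.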