Losing the private key after getting the certificate back from a 3rd party Certificate Authority that signed the Certificate Signing Request.

Document ID : KB000017619
Last Modified Date : 14/02/2018

Description:

A certificate signing request was generated with the TSS GENREQ command so that it could be signed by a 3rd party Certificate Authority such as Verisign.

When the certificate is returned from the 3rd party Certificate Authority (i.e., Verisign) and added back to the CA Top Secret Security File, a TSS LIST of the certificate shows that the private key is lost: the private key size no longer appears in the TSS LIST display, which indicates that there is no private key.

Solution:

When adding the certificate back to the CA Top Secret Security File, it must be added back to the original owning acid under a new DIGICERT name.


   TSS ADD(original_owning_acid) DIGICERT(new_digicertname) DCDSN(signed.certificate.datasetname) TRUST

When you run TSS GENREQ for a certificate on the CA Top Secret Security File so that it can be signed by a 3rd party Certificate Authority, the private key and public key are separated.

The private key of the certificate remains on the CA Top Secret Security File.

The public key is written to a dataset and needs to be sent to the 3rd Party Certificate Authority to be signed.

Once the certificate is signed and returned to you, it must be added back to the original owner of the certificate so that the private key and the public key will get re-united.

If the certificate is added back to a different acid, the private key cannot be re-united with the public key.
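The same separation and re-uniting can be shown off the mainframe. The following is an added example, not code from the CA Top Secret article: a key pair stands in for the one held on the security file, a constructed stand-in CA signs the CSR in place of Verisign, and a check confirms whether the returned certificate matches the private key we hold (which is exactly what fails when the certificate is added under a different acid). It assumes the pyca/cryptography package is installed.

```python
# Added example (not from the CA Top Secret article). Demonstrates that a
# CA-signed certificate is only complete for the holder of the private key
# that produced the CSR, and gives a check for "does this cert match this key?".
# The CA below is a constructed stand-in for a 3rd party CA such as Verisign.
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID


def generate_key() -> rsa.RSAPrivateKey:
    # Plays the role of the key pair generated on the security file.
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def build_csr(key: rsa.RSAPrivateKey, cn: str) -> x509.CertificateSigningRequest:
    # The CSR carries only the public key (what GENREQ writes to the dataset);
    # the private key never leaves the requester.
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    return x509.CertificateSigningRequestBuilder().subject_name(name).sign(key, hashes.SHA256())


def ca_sign(csr, ca_key, ca_cn="Constructed Test CA") -> x509.Certificate:
    # Stand-in for the 3rd party CA: it signs the public key taken from the CSR.
    now = datetime.datetime.now(datetime.timezone.utc)
    issuer = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, ca_cn)])
    return (x509.CertificateBuilder()
            .subject_name(csr.subject).issuer_name(issuer)
            .public_key(csr.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=365))
            .sign(ca_key, hashes.SHA256()))


def matches_private_key(cert: x509.Certificate, key: rsa.RSAPrivateKey) -> bool:
    # The re-uniting check: the certificate's public key must be the public half
    # of the key we hold. Compared in DER form so the comparison is exact.
    fmt = (serialization.Encoding.DER, serialization.PublicFormat.SubjectPublicKeyInfo)
    return cert.public_key().public_bytes(*fmt) == key.public_key().public_bytes(*fmt)


def demo() -> tuple:
    original_key = generate_key()   # key pair of the original owning acid
    other_key = generate_key()      # a different acid holds a different key pair
    ca_key = generate_key()         # constructed CA key
    cert = ca_sign(build_csr(original_key, "host.example.test"), ca_key)
    # (True, False): the cert re-unites with the original key, but under a
    # different acid there is no private key that matches it.
    return matches_private_key(cert, original_key), matches_private_key(cert, other_key)
```

Running `demo()` returns `(True, False)`: the first value is the healthy case of adding the certificate back to its original owner, the second is the "no private key" outcome the TSS LIST display reports.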

The private key can also be lost if you delete the original certificate. The original certificate must not be deleted until the newly signed certificate has been successfully added back to the CA Top Secret Security File.

Once the signed certificate has been added back to the CA Top Secret Security File successfully, the original unsigned certificate can be deleted.