Renew an expiring certificate

Document ID : KB000105694
Last Modified Date : 06/07/2018
Issue:
Need to renew a certificate that is about to expire.

Issued a TSS GENREQ against the expiring certificate and sent it out to be signed by a 3rd party Certificate Authority.

Downloaded the signed certificate to a dataset and need to know how to implement the new certificate.
Resolution:
Here are the commands to put in the new certificate. 

1. Rename LABLCERT to 'EXPIREDCERT' 
TSS REP(owningacid) DIGICERT(OLDCERT) LABLCERT(EXPIREDCERT) 

The owningacid is the owning acid of the certificate. 

2. Add new certificate to CA Top Secret. 
TSS ADD(owningacid) DIGICERT(NEWCERT) DCDSN(datasetname) LABLCERT(OLDCERT) 

'owningacid' should be the owning acid you used when you issued the TSS GENREQ command. It is critical to use the correct owning acid; otherwise the private key will be lost.

3. Remove old certificate from keyring. 
TSS REM(TCP) KEYRING(DALKRING) RINGDATA(owningacid,OLDCERT) 

4. Add new certificate to the keyring 
TSS ADD(TCP) KEYRING(DALKRING) RINGDATA(owningacid,NEWCERT) USAGE(PERSONAL) DEFAULT 

The owningacid should be the same as the one used in step 2. 

A recycle is required for the changes to go into effect. 
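
An added example, not part of the original article or of CA Top Secret: a Python pre-flight check that parses a planned renewal sequence and flags the mistakes steps 1 to 4 warn about (certificate added under an acid other than the GENREQ acid, RINGDATA naming a different acid, label reused before the rename). Assumptions: SSLACID and CERTDSN are constructed stand-ins for 'owningacid' and 'datasetname', and a label can be held by only one certificate at a time, which is what the rename in step 1 implies.

```python
import re

# One TSS keyword with its parenthesised operand, e.g. DIGICERT(NEWCERT).
_KEYWORD = re.compile(r"([A-Z]+)\(([^)]*)\)")

def parse(cmd):
    """Split 'TSS ADD(acid) KEY(value) ...' into (function, acid, keywords)."""
    pairs = _KEYWORD.findall(cmd.upper())
    (function, acid), keywords = pairs[0], dict(pairs[1:])
    return function, acid, keywords

def check_plan(commands, genreq_acid, labels):
    """Return problems in a renewal sequence. genreq_acid is the acid TSS GENREQ
    ran under; labels maps label -> certificate id before the change."""
    problems, labels, owner_of = [], dict(labels), {}
    for step, cmd in enumerate(commands, 1):
        function, acid, kw = parse(cmd)
        cert = kw.get("DIGICERT")
        if cert and function == "ADD":
            owner_of[cert] = acid
            if acid != genreq_acid.upper():
                problems.append(f"step {step}: {cert} added under {acid}, "
                                f"GENREQ was under {genreq_acid.upper()}")
        if cert and "LABLCERT" in kw:
            label = kw["LABLCERT"]
            if labels.get(label, cert) != cert:
                problems.append(f"step {step}: label {label} still held by {labels[label]}")
            # A certificate has one label: drop its previous one, record the new.
            labels = {lab: c for lab, c in labels.items() if c != cert}
            labels[label] = cert
        if function == "ADD" and "RINGDATA" in kw:
            ring_acid, ring_cert = kw["RINGDATA"].split(",")
            if owner_of.get(ring_cert, ring_acid) != ring_acid:
                problems.append(f"step {step}: RINGDATA acid {ring_acid} differs "
                                f"from owner {owner_of[ring_cert]} of {ring_cert}")
    return problems

# Constructed sample: SSLACID stands in for the page's 'owningacid' and
# CERTDSN for 'datasetname'.
GOOD_PLAN = [
    "TSS REP(SSLACID) DIGICERT(OLDCERT) LABLCERT(EXPIREDCERT)",
    "TSS ADD(SSLACID) DIGICERT(NEWCERT) DCDSN(CERTDSN) LABLCERT(OLDCERT)",
    "TSS REM(TCP) KEYRING(DALKRING) RINGDATA(SSLACID,OLDCERT)",
    "TSS ADD(TCP) KEYRING(DALKRING) RINGDATA(SSLACID,NEWCERT) USAGE(PERSONAL) DEFAULT",
]

if __name__ == "__main__":
    print(check_plan(GOOD_PLAN, "SSLACID", {"OLDCERT": "OLDCERT"}) or "plan is consistent")
```

The check only reads the command text; it does not query the security database, so the starting label map has to be supplied by whoever prepares the change.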

To back out the changes:

1. Remove new certificate from keyring. 
TSS REM(TCP) KEYRING(DALKRING) RINGDATA(owningacid,NEWCERT) 

2. Put the old certificate back on the keyring.
TSS ADD(TCP) KEYRING(DALKRING) RINGDATA(owningacid,OLDCERT)

3. Rename the LABLCERT: 

TSS REP(owningacid) DIGICERT(NEWCERT) LABLCERT(NEWCERT) 
TSS REP(owningacid) DIGICERT(OLDCERT) LABLCERT(OLDCERT) 

Recycle the address space for the change to go into effect.