Renewal of OpenSSL certificate for use by CA XCOM for z/OS

Document ID : KB000006857
Last Modified Date : 14/02/2018
Show Technical Document Details
Issue:

We need to renew the OpenSSL certificates used with CA XCOM for z/OS that will expire next month. What would be the procedure to follow?

Environment:
CA XCOM r11.6 or r12.0 for z/OS
Resolution:

If you used the XCOM sample "make" scripts to generate your SSL certificates for z/OS you will need to: 

a. backup your ssl directory and configssl.cnf 

b. remove all the files and/or directories: 

- all index.* files 

- all serial and serial.* files 

- the certs and private directories 

- the random.pem file 

c. set your new expiration dates in your cassl.conf file, parameter "default_days=" and modify the "makeca" scripts OPENSSL command: 

           Openssl req x509 newkey rsa out ./certs/cassl.pem outform PEM -days nnn 

    where "nnn" is the amount of days you want to certificate to be valid for. 

NOTE: This is documented in our XCOM Admin guide. 

d. run the makeca, makeclient, makeserver scripts. 

e. run the listca, listclient, listserver scripts to verify your expiration dates 

f. run a loopback transfers to make sure the certificates are valid. 

The above instructions are only valid if you used our sample "make" scripts. If your certificates were acquired via a third party vendor then you need to check with your Security Admin for those procedures. 

Additional Information:

You may find similar Knowledge Documents for CA XCOM for Windows/Linux/Unix while searching for related documents.