Renewal of the OpenSSL client and server certificates used with CA XCOM for z/OS

Document ID : KB000006693
Last Modified Date : 14/02/2018
Issue:

We need to renew/replace the expiring OpenSSL client and server certificates that are used with CA XCOM for z/OS. The OpenSSL CA certificate has not expired and we would like to continue to use it. What are the procedures to accomplish this?

Environment:
XCOM r11.6 and r12.0 for z/OS
Resolution:

If you used the XCOM sample "make" scripts to generate your SSL certificates for z/OS, you will need to:

a. back up your ssl directory and configssl.cnf

b. remove the following files and directories:

    - all index.* files 

    - all serial and serial.* files 

    - the certs and private directories 

    - the random.pem file 

c. set your new expiration dates in your cassl.conf file, parameter "default_days=" 

d. run the makeca script only

e. at this point the certs and private directories are created and will contain a cassl.pem and a casslkey.pem. You want to replace them with your existing cassl.pem and casslkey.pem that have not expired. 

   - so, delete the cassl.pem and casslkey.pem in the directories 

   - copy your existing cassl.pem and casslkey.pem that have not expired to the certs and private directories 

f. run the makeclient and makeserver scripts.

g. run the listca, listclient, listserver scripts to verify your expiration dates

h. run a loopback transfer to make sure the certificates are valid.

 

The above instructions are only valid if you used our sample "make" scripts. If your certificates were acquired from a third-party vendor, then you need to check with your Security Admin for those procedures.
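
The checks behind the procedure can also be run directly with openssl. The script below is an added example, not part of the XCOM sample scripts: it confirms that the casslkey.pem copied back into the private directory matches cassl.pem, and that each renewed certificate chains to that retained CA and stays valid for a chosen number of days. The function names, the 30-day default and the client/server certificate paths passed as arguments are assumptions; certs/cassl.pem and private/casslkey.pem are the names used in the steps above.

```shell
#!/bin/sh
# Added example: post-renewal checks, not one of the XCOM sample scripts.
# Usage (paths are placeholders): sh <this-file> <ssl-dir> <renewed-cert>...
# Assumes the CA key is unencrypted, or that you enter its passphrase when asked.

# Succeeds when the private key and the certificate carry the same public key.
key_matches_cert() {  # $1 = certificate, $2 = private key
    cert_pub=$(openssl x509 -noout -pubkey -in "$1") || return 1
    key_pub=$(openssl pkey -pubout -in "$2") || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Succeeds when the certificate chains to the CA and is still valid in $3 days.
cert_ok() {  # $1 = CA certificate, $2 = certificate, $3 = days (default 30)
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || return 1
    openssl x509 -noout -checkend $(( ${3:-30} * 86400 )) -in "$2" >/dev/null
}

# Checks the retained CA pair, then every renewed certificate given.
check_renewal() {  # $1 = ssl directory, $2... = renewed client/server certs
    dir=$1; shift; rc=0
    ca="$dir/certs/cassl.pem"
    if key_matches_cert "$ca" "$dir/private/casslkey.pem"; then
        echo "OK   CA key matches $ca"
    else
        echo "FAIL CA key does not match $ca"; rc=1
    fi
    for c in "$@"; do
        if cert_ok "$ca" "$c"; then
            echo "OK   $c $(openssl x509 -noout -enddate -in "$c")"
        else
            echo "FAIL $c (not issued by the retained CA, or expiring soon)"; rc=1
        fi
    done
    return $rc
}

if [ $# -gt 0 ]; then
    check_renewal "$@"
fi
```

A FAIL on the CA key line means the cassl.pem and casslkey.pem copied back are not a pair, so certificates signed afterwards will not verify against the CA certificate your partners already trust.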