Replacing an Expiring Certificate Signed by a Local CA

Document ID : KB000018142
Last Modified Date : 14/02/2018
Show Technical Document Details

Description:

The steps to take to extend the dates on a certificate vary depending on where the certificate was generated and how it was signed.

If the Certificate was generated on site and signed by a local CA, meaning a CA certificate also generated on site, then the following steps can be taken to extend the date.

Solution:

**Step one insures that if any mistakes are made that the original certificate

can be obtained and put back into place**

  1. Backup the certificate about to expire.

    TSS EXPORT(usera) DIGICERT(SERVER) DCDSN(usera.SERVER.P12)
    PKCSPASS(password) FORMAT(PKCS12DER)

  2. GENREQ the certificate to a dataset.

    TSS GENREQ(usera) DIGICERT(SERVER) DCDSN(usera.SERVER.P10)

  3. Generate a new temporary certificate with a new NADATE and sign it with the expiring certificate.

    TSS GENCERT(usera) DIGICERT(TEMP) DCDSN(usera.SERVER.P10) NADATE(02/01/24)
    SIGNWITH(usera,SERVER)

  4. Export the certificate to a dataset:

    TSS EXPORT(usera) DIGICERT(TEMP) DCDSN(usera.TEMP.DER) FORMAT(CERTDER)

  5. Remove the temporary certificate.

    TSS REMOVE(usera) DIGICERT(TEMP)

  6. Replace the expiring certificate with the new certificate that has a new expiration date.

    TSS REP(usera) DIGICERT(SERVER) DCDSN(usera.TEMP.DER) TRUST

  7. Recycle any address space(s) that reference a keyring with the new certificate.