Re-sign and renew an expiring Digital Certificate

Document ID : KB000016416
Last Modified Date : 14/02/2018
Introduction:

How do you send an expiring certificate out to a 3rd party Certificate Authority to be renewed?

Question:

A certificate is about to expire and we need to send it out to our 3rd party Certificate Authority to be re-signed and renewed.

Answer:

If you need to send a certificate out to be re-signed and renewed by a 3rd party certificate authority, you must use the TSS GENREQ command. Its sole purpose is to export the certificate to a dataset in a format suitable for signing by a 3rd party certificate authority.

TSS GENREQ builds a PKCS#10 package, which is the format used to sign and renew certificates.

TSS GENREQ puts the public key in the PKCS#10 package for signing. The private key remains on the security file.

When you get the certificate back, you need to add it back to the security file under a new DIGICERT name. You must also add it back to the original owner of the certificate.
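
Because the private key never leaves the security file, the returned certificate is only usable if it carries the same public key that GENREQ placed in the PKCS#10 package. The script below is an added example, not part of the original article or the vendor's tooling, that compares the two before the certificate is added back. It assumes the request and the returned certificate have been copied to a workstation as PEM files and that OpenSSL is installed; the file names and the locally generated request and certificates are constructed stand-ins.

```shell
#!/bin/sh
# Check that a certificate returned by the CA carries the same public key
# as the PKCS#10 request that was sent out.

# Print the SHA-256 digest of the DER-encoded public key in a PEM file.
# $1 = "req" for a PKCS#10 request, "x509" for a certificate; $2 = file
spki_digest() {
    pub=$(openssl "$1" -in "$2" -noout -pubkey) || return 1
    printf '%s\n' "$pub" | openssl pkey -pubin -outform DER |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

# Return 0 if the keys match, 1 if they differ, 2 if a file cannot be read.
# $1 = request file, $2 = certificate file
same_key() {
    a=$(spki_digest req "$1") || return 2
    b=$(spki_digest x509 "$2") || return 2
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# --- Constructed sample data (stand-ins for the real request and reply) ---
tmp=$(mktemp -d)
# Stand-in for the PKCS#10 request exported to a dataset.
openssl req -new -newkey rsa:2048 -nodes -keyout "$tmp/k1.pem" \
    -subj "/CN=example.test" -out "$tmp/req.pem" 2>/dev/null
# Stand-in for the renewed certificate: same public key as the request.
openssl x509 -req -in "$tmp/req.pem" -signkey "$tmp/k1.pem" -days 1 \
    -out "$tmp/renewed.pem" 2>/dev/null
# A certificate built on a different key pair, to show the failure case.
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$tmp/k2.pem" \
    -subj "/CN=example.test" -days 1 -out "$tmp/other.pem" 2>/dev/null

for cert in renewed.pem other.pem; do
    if same_key "$tmp/req.pem" "$tmp/$cert"; then
        echo "$cert: public key matches the request"
    else
        echo "$cert: public key does NOT match the request"
    fi
done
```

A certificate that fails this check will not pair with the private key held on the security file, so it should go back to the certificate authority rather than being added.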