TSS1525E CERTIFICATE ALREADY EXISTS WITH THIS SERIAL/ISSUERDN

Document ID : KB000047298
Last Modified Date : 14/02/2018
Show Technical Document Details

Symptoms:

TSS0301I GENCERT FUNCTION FAILED, RETURN CODE = 4 
TSS1525E CERTIFICATE ALREADY EXISTS WITH THIS SERIAL/ISSUERDN 

Cause:

You cannot have two certificates with the same SUBJECTN on the security file.

Resolution/Workaround:

There are a few ways to work with this but the bottom line is that the SUBJECTN cannot be the exact same SUBJECTN as any other certificate on the security file.  Many sites want to keep the CN=, OU= and the O= the same for all certificates.  One way of doing this is to add a T="different title for each certificate".

Other ways to keep everything exactly the same are the following:

A) You can Export the current certificate using FORMAT(PKCS12DER) and PKCSPASS(password) to a dataset and then Remove the current certificate from the owning acid. Exporting the certificate is just to provide a backup of the certificate. Create the new certificate and then issue a Genreq and send it out to be signed. Add it back with a slightly different name to pair the keys and add to keyring. This of course leaves time without a certificate while you are waiting for the new certificate to be signed. 

1) TSS EXPORT(owning acid) DIGICERT(digicertname) FORMAT(PKCS12DER) - 

DCDSN(dataset name) PKCSPASS(password) 

2) TSS REMOVE(owning acid) DIGICERT(digicertname) LABLCERT(if different than digicertname)

3) TSS GENCERT(owning acid) DIGICERT(digicertname) SUBJECTN(xxxxxxxxxx) NADATE(n/nn/nn)

4) TSS GENREQ(USERA) DIGICERT(digicertname) DCDSN(datasetname) 

5)  Send the certificate out to be signed by the third party CA. 

6) TSS ADD(owning acid ) DIGICERT(newdigicertname) DCDSN(datasetname) 

7) TSS ADD(acid) KEYRING(ringname) RINGDATA(owning acid,digicertname) USAGE(usage)

 


B)  If you have another system that you can create the new certificate on you can follow the below instructions/commands: 

1. TSS GENCERT(owning acid) DIGICERT(digicertname) - 
SUBJECTN(xxxxxxxxxx) NADATE(n/nn/nn)    **Done on second system**

2. TSS GENREQ(owning acid) DIGICERT(digicertname) DCDSN(datasetname) **Done on second system**

3. Send the certificate out to be signed by the third party CA.

4. TSS ADD(owning acid) DIGICERT(newdigicertname) DCDSN(datasetname) 
Add the signed certificate back to the original acid under a new DIGICERT 
name, so that the private key will be reconnected.  **Done on second system**

5. TSS EXPORT(owning acid) DIGICERT(expiringdigicertname) FORMAT(PKCS12DER) - 
PKCSPASS(password) DCDSN(dataset name)  **Done from second system**
Please keep the password somewhere safe. There is no way to recover it once lost. 

6. TSS REMOVE(owning acid) DIGICERT(expiringdigicertname) 
Remove the expiring digital certificate from the digital certificate. **Done on original system**

7. TSS ADD(owning acid) DIGICERT(newdigicertname) FORMAT(PKCS12DER) - 
PKCSPASS(password) DCDSN)dataset name)
Add the new certificate to the security file.  **Done on original system**

8. TSS ADD(acid) KEYRING(keyringname) RINGDATA(owning acid,newdigicert) 
Add the certificate to the appropriate keyring.  **Done on original system**