IBM Support

How to migrate Secure+ to a new site certificate

Technical Blog Post


Abstract

How to migrate Secure+ to a new site certificate

Body

 


You can leave the old certificate in place and load the new one alongside it. In that case the new certificate must have a new label name.

Whether you keep both certificates in the keyring/key database depends on how much work you want to do.

1. If you remove the old certificate and load the new one using the same certificate label name, you do not have to change anything in Secure+. However, you must ensure that all of your remote Secure+ trading partners have your new certificate loaded on their respective systems and that they are aware that you will start using a new site certificate on a certain date. Otherwise, you will have problems with certificates not matching.

2. If you decide to keep the old certificate and load the new certificate as well, you have two courses of action. This applies when you know your current site certificate is about to expire and you want the new one in place and ready to go. Whichever option you take, you must ensure that your remote Secure+ trading partners have your new certificate loaded.

A. Load the new certificate with a new certificate label name. Do not change the TLS/SSL Certificate Label Name in the Secure+ PARMFILE local node definition. Then, as each remote trading partner verifies that they have your new certificate loaded on their system, enter the new certificate label name in the TLS/SSL Certificate Label Name field of that remote node definition, in place of the asterisk ( * ). Once all of your remote trading partners are using the new certificate, update your Secure+ PARMFILE:

1) Change the Secure+ PARMFILE local node definition to point to the new certificate label in the TLS/SSL Certificate Label Name field.

2) Change all of your Secure+ PARMFILE remote node definitions back to an asterisk ( * ) in the TLS/SSL Certificate Label Name field.

B. Load the new certificate with a new certificate label name. Update all of your Secure+ PARMFILE remote node definitions with the old certificate label name in the TLS/SSL Certificate Label Name field, in place of the asterisk ( * ). In the Secure+ PARMFILE local node definition, change the TLS/SSL Certificate Label Name to point to the new site certificate instead of the old one. Then, as your remote Secure+ trading partners confirm that they have your new certificate loaded and available, change their remote node definitions from the old certificate label name to an asterisk ( * ). At some point, either all of the remote nodes will be back to defaulting to the local node for the Certificate Label Name, or you will have to decide that everyone must be on the new certificate regardless. When the old certificate expires, they will be forced onto the new one whether they want to or not.

Whichever option you choose, you must ensure that each remote trading partner has your new certificate and has it loaded.
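Both options rely on the same fallback: a remote node definition set to an asterisk uses the local node's certificate label. The following is an added example, not IBM code or Secure+ syntax, that models that fallback to check a planned PARMFILE state against partner confirmations before it is applied. The `Parmfile` class, the labels and the node names are hypothetical.

```python
# Added illustration: a plain-Python model of the label fallback described
# above. Not Secure+ syntax; it does not read or write a real PARMFILE.
from dataclasses import dataclass, field

DEFAULT = "*"  # remote node entry that defers to the local node's label


@dataclass
class Parmfile:
    local_label: str
    remote_labels: dict = field(default_factory=dict)  # node -> label or "*"

    def presented_label(self, node: str) -> str:
        """Certificate label used for sessions with `node`."""
        label = self.remote_labels.get(node, DEFAULT)
        return self.local_label if label == DEFAULT else label


def mismatches(parm, partner_trust):
    """Nodes that would be presented a certificate they have not loaded."""
    return sorted(
        node for node, trusted in partner_trust.items()
        if parm.presented_label(node) not in trusted
    )


def ready_for_final_cutover(partner_trust, new_label):
    """True when local can use new_label with every remote node at '*'."""
    final = Parmfile(new_label, {n: DEFAULT for n in partner_trust})
    return not mismatches(final, partner_trust)


# Constructed sample data: labels and node names are hypothetical.
OLD, NEW = "SITE_CERT_OLD", "SITE_CERT_NEW"
trust = {"NODE_A": {OLD, NEW}, "NODE_B": {OLD}}  # NODE_B not yet confirmed

# Option A in progress: local stays on OLD, confirmed nodes are set to NEW.
option_a = Parmfile(OLD, {"NODE_A": NEW, "NODE_B": DEFAULT})
# Option B in progress: local moves to NEW, unconfirmed nodes pinned to OLD.
option_b = Parmfile(NEW, {"NODE_A": DEFAULT, "NODE_B": OLD})
# Premature cutover: local on NEW with every remote node left at "*".
premature = Parmfile(NEW, {"NODE_A": DEFAULT, "NODE_B": DEFAULT})

if __name__ == "__main__":
    for name, parm in [("A", option_a), ("B", option_b), ("premature", premature)]:
        print(name, mismatches(parm, trust))
```

Here `partner_trust` records which of your certificates each partner has confirmed as loaded, so an empty result from `mismatches` means the planned state presents no partner with a certificate it lacks.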


UID

ibm11124091