Steps for rekeying a certificate issued by an external CA

In this procedure, you are renewing a CERTAUTH certificate with label 'Local PKI CA'. It was issued by a commercial CA and is being used by PKI Services for the PKI templates as a certificate authority (CA) certificate, making the PKI Services CA a subordinate CA. The PCI cryptographic coprocessor will to be used to generate the new key pair. The size of the new private key will be 2048 bits (RACF® default size).

Perform the following steps to rekey a certificate issued by an external certificate authority using a new private key.
  1. Initiate® the rekeying by executing the following RACF command: 
    RACDCERT CERTAUTH REKEY(LABEL('Local PKI CA')) 
   WITHLABEL('Local PKI CA-2') PKDS

    ______________________________________________________________________

  2. Create a request for an external CA to sign the new public key and reissue the certificate. Create the request for the new key and store it in MVS™ data set 'SYSADM.CERT.REQ' by executing the following command:
    RACDCERT CERTAUTH GENREQ(LABEL('Local PKI CA-2')) DSN('SYSADM.CERT.REQ')

    ______________________________________________________________________

  3. Send the certificate request to the CA and receive the newly signed and reissued certificate back from the CA into MVS data set 'SYSADM.CERT.B64'.

    Restriction: The certificate request data contained in the data set must be sent to, and received from, the external CA using the process defined by the CA. Those steps are not included.

    ______________________________________________________________________

  4. Add the newly signed certificate into RACF under CERTAUTH which is used in step 1 to replace the self-signed rekeyed certificate by executing the following command: 
    RACDCERT CERTAUTH ADD('SYSADM.CERT.B64')

    ______________________________________________________________________

  5. You are now ready to retire the original certificate and must stop all use of the original private key. If you are rekeying the PKI Services CA certificate, stop the PKI Services daemon.

    At this point, the original certificate and its private key exist in RACF with label 'Local PKI CA'. The new certificate and its private key exist in a separate entry in RACF with label 'Local PKI CA-2'. You can proceed to rollover the key.

    ______________________________________________________________________

  6. Finalize the rollover by entering the following command: 
    RACDCERT CERTAUTH ROLLOVER(LABEL('Local PKI CA')) 
   NEWLABEL('Local PKI CA-2')

    ______________________________________________________________________

  7. If you rekeyed the PKI Services CA certificate for the PKI templates, restart the PKI Services daemon.

    ______________________________________________________________________

You have now rekeyed a certificate that was issued by an external certificate authority, using a new private key. All information in the certificate is updated to reflect the renewal, including the key ring connection information. You have retired and replaced the old certificate. You can now begin to use the new certificate and its private key. You can continue to use the old certificate for signature verification purposes until it expires. However, you cannot use the old certificate to sign new certificates. Additionally, do not connect the old certificate to any key rings, as the default certificate.