[z/OS]

Replacing certificates

When a certificate is renewed or replaced (for example, when the existing certificate is approaching its expiry date), it is not always possible to remove the protection from existing messages that are already on queues protected by confidentiality or privacy policies.

This can occur when the certificate was:
  • Renewed with the same private key, and the reissued certificate has replaced the original certificate
  • Re-keyed with a new private key and the RACDCERT ROLLOVER command has deleted the original private key

Messages are decrypted provided that the certificate needed to decrypt them is connected to the user's keyring; it no longer has to be connected as the default certificate. Messages that were already on the queue when the new certificate was connected can therefore still be decrypted.

The following example shows how a new certificate can be generated based on the existing certificate:
  • A new certificate is created based on the existing certificate, with a new public/private key pair.
  • The new certificate is signed by the issuing authority.
  • The public key of the old certificate is removed from the keyring of the AMS address space, and the public key of the new certificate is added.
  • The new certificate and its private key are added to the keyring of the user, in addition to the old certificate.

RACDCERT ID(user1) REKEY(LABEL('user1'))          -
         WITHLABEL('user1new')

RACDCERT GENREQ(LABEL('user1new')) ID(user1)      -
         DSN(output_data_set_name)

RACDCERT GENCERT(output_data_set_name) ID(user1)  -
         SIGNWITH(CERTAUTH LABEL('AMSCA'))

RACDCERT ID(user1) ALTER (LABEL('user1new'))      -
         TRUST

RACDCERT ID(WMQAMSD) REMOVE(ID(user1)             -
         LABEL('user1')                           -
         RING(drq.ams.keyring)  )

RACDCERT ID(WMQAMSD) CONNECT(ID(user1)            -
         LABEL('user1new') USAGE(SITE)            -
         RING(drq.ams.keyring)  )

RACDCERT ID(user1) CONNECT(ID(user1)              -
         LABEL('user1new') USAGE(PERSONAL)        -
         RING(drq.ams.keyring) DEFAULT )
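As an added post-change check (not part of the original page or of IBM MQ), the following Python script parses RACDCERT LISTRING output for the AMS address space ring and the user's ring and reports any deviation from the state the procedure above should leave behind: the old label gone from the AMS ring, the new label there with USAGE(SITE), and both labels on the user ring with the new one as DEFAULT. The embedded LISTRING output is constructed and its column layout is an assumption; replace it with output captured from `RACDCERT ID(WMQAMSD) LISTRING(drq.ams.keyring)` and `RACDCERT ID(user1) LISTRING(drq.ams.keyring)`.

```python
import re

# Constructed sample RACDCERT LISTRING output for the two rings touched by the procedure.
# The column layout is an assumption about LISTRING's report format; substitute real output.
SAMPLE_LISTRING = {
    "WMQAMSD": """\
       >drq.ams.keyring<
  Certificate Label Name             Cert Owner     USAGE      DEFAULT
  --------------------------------   ------------   --------   -------
  AMSCA                              CERTAUTH       CERTAUTH     NO
  user1new                           ID(USER1)      SITE         NO
""",
    "USER1": """\
       >drq.ams.keyring<
  Certificate Label Name             Cert Owner     USAGE      DEFAULT
  --------------------------------   ------------   --------   -------
  user1                              ID(USER1)      PERSONAL     NO
  user1new                           ID(USER1)      PERSONAL     YES
""",
}

# One certificate row: label, owner (ID(...), CERTAUTH or SITE), usage, DEFAULT flag.
ROW = re.compile(r"^\s{2}(?P<label>\S.*?)\s{2,}(?P<owner>CERTAUTH|SITE|ID\(\S+?\))"
                 r"\s+(?P<usage>\S+)\s+(?P<default>YES|NO)\s*$")

def parse_listring(text):
    """Return {label: (owner, usage, is_default)} for each certificate connected to the ring."""
    ring = {}
    for line in text.splitlines():
        m = ROW.match(line)          # header, separator and ring-name lines do not match
        if m:
            ring[m["label"]] = (m["owner"], m["usage"], m["default"] == "YES")
    return ring

def check_rollover(ams_ring, user_ring, old_label, new_label):
    """List deviations from the expected state after replacing old_label with new_label."""
    findings = []
    if old_label in ams_ring:
        findings.append(f"{old_label} is still connected to the AMS address space ring")
    if ams_ring.get(new_label, ("", "", False))[1] != "SITE":
        findings.append(f"{new_label} is not connected to the AMS ring with USAGE(SITE)")
    if old_label not in user_ring:
        findings.append(f"{old_label} is missing from the user ring; messages it protects cannot be decrypted")
    new_user = user_ring.get(new_label)
    if new_user is None or new_user[1] != "PERSONAL" or not new_user[2]:
        findings.append(f"{new_label} is not the DEFAULT USAGE(PERSONAL) certificate on the user ring")
    return findings
```

An empty list from `check_rollover` means both rings match the intended end state; each finding names the ring and label that still need attention.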

For more information about certificates, labels, and the RACDCERT command, see the z/OS®: Security Server RACF® Command Language Reference and the z/OS: Security Server RACF Security Administrator's Guide.