Renewing a CA signed certificate

Certificate authority (CA) signed certificates are only valid for a limited period of time. If a certificate is close to expiry, you can renew it by recreating a certificate signing request from the existing certificate and having the same CA sign it again.

Before you begin

The new certificate signing request will contain the same details as the previous certificate.

To renew a self-signed certificate, a new certificate must be created. For more information, refer to Self Signing Digital Certificates.

About this task

For the purpose of this example, Db2 is assumed to have already been configured with a key database and a password stored in a stash file. This example refers to that keystore as server.p12, and assumes that server.p12 already holds a CA-signed certificate under the label CA-Signed.

Procedure

  1. Identify the expiring certificate and label by running:
          $ gsk8capicmd_64 -cert -list -db server.p12 -stashed
     
              Certificates found
              * default, - personal, ! trusted, # secret key
              !       My_CA_Root
              -      CA-Signed   <-----
    
          $ gsk8capicmd_64 -cert -details -label "CA-Signed" -db server.p12 -stashed
     
              Label : CA-Signed
              Key Size : 1024
              Version : X509 V3
              Serial : 7f9e2b79e210cc26
              Issuer : CN=CA,O=CA,C=US
              Subject : CN=host.mycompany.com,OU=unit,O=company
              Not Before : May 6, 2018 9:32:48 AM PDT
              Not After : May 6, 2019 9:32:48 AM PDT   <------------------
              ...
  2. Recreate the certificate signing request for CA-Signed by running:
    gsk8capicmd_64 -certreq -recreate -db server.p12 -stashed -label "CA-Signed" -target new_cert_request.csr
  3. Send the resulting new_cert_request.csr certificate signing request to the original Certificate Authority (CA) to be signed.
  4. When the signed certificate has been returned, receive it into your server keystore by running:
    gsk8capicmd_64 -cert -receive -db server.p12 -stashed -file new_cert_signed.pem
    In this example, the returned certificate is called new_cert_signed.pem.
  5. Verify the new dates on the received certificate by running:
         gsk8capicmd_64 -cert -details -label CA-Signed -db server.p12 -stashed
     
              Label : CA-Signed
              Key Size : 1024
              Version : X509 V3
              Serial : 61840a0badecc11a
              Issuer : CN=CA,O=CA,C=US
              Subject : CN=host.mycompany.com,OU=unit,O=company
              Not Before : May 6, 2021 9:59:05 AM PDT
              Not After : May 6, 2022 9:59:05 AM PDT   <------------------
  6. If the Db2 level is version 11.1 Mod Pack 4 and Fix Pack 5 or later, refresh the SSL certificate used by Db2 by attaching to the instance and updating the SSL_SVR_LABEL database manager configuration parameter. This can be done by running:
    db2 attach to <instance name>
    db2 update dbm cfg using SSL_SVR_LABEL CA-Signed
    The DB2_DYNAMIC_SSL_LABEL registry variable must be set to ON to enable SSL_SVR_LABEL changes while the instance is running. This registry variable can be set immediately with the following command:
    db2set -im DB2_DYNAMIC_SSL_LABEL=ON
  7. If the Db2 level is version 11.1 Mod Pack 4 and Fix Pack 4 or earlier, the instance must be recycled for the new certificate to take effect. This can be done by running:
    db2stop
    db2start
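As an added example (not part of this IBM page and not a GSKit or Db2 tool), the following Python parses the output of gsk8capicmd_64 -cert -details in the shape shown in steps 1 and 5, reports how many days remain before Not After, and compares the received certificate with the one it replaces: same Label, Subject and Issuer, a new Serial, a later Not After, and a key size at or above an assumed 2048-bit policy minimum. The two listings embedded in the block are constructed from the samples above; the time-zone abbreviation is dropped when parsing, which is adequate for a day-granularity expiry check.

```python
# Added example: parse "gsk8capicmd_64 -cert -details" output, compute days
# to expiry, and sanity-check a renewed certificate against the old one.
from datetime import datetime

# Constructed sample listings, modelled on the output shown in steps 1 and 5.
OLD_DETAILS = """\
Label : CA-Signed
Key Size : 1024
Version : X509 V3
Serial : 7f9e2b79e210cc26
Issuer : CN=CA,O=CA,C=US
Subject : CN=host.mycompany.com,OU=unit,O=company
Not Before : May 6, 2018 9:32:48 AM PDT
Not After : May 6, 2019 9:32:48 AM PDT
"""

NEW_DETAILS = """\
Label : CA-Signed
Key Size : 1024
Version : X509 V3
Serial : 61840a0badecc11a
Issuer : CN=CA,O=CA,C=US
Subject : CN=host.mycompany.com,OU=unit,O=company
Not Before : May 6, 2021 9:59:05 AM PDT
Not After : May 6, 2022 9:59:05 AM PDT
"""


def parse_details(text):
    """Turn 'Field : Value' lines into a dict; values keep their original text."""
    details = {}
    for line in text.splitlines():
        if " : " not in line:
            continue  # skips blank lines and the trailing '...'
        field, value = line.split(" : ", 1)
        details[field.strip()] = value.strip()
    return details


def parse_gsk_date(value):
    """Parse a value such as 'May 6, 2019 9:32:48 AM PDT'.

    The trailing zone abbreviation is dropped and a naive datetime is returned
    (assumption: abbreviations like PDT are ambiguous, and a day-granularity
    expiry check does not need the UTC offset)."""
    stamp, _zone = value.rsplit(" ", 1)
    return datetime.strptime(stamp, "%b %d, %Y %I:%M:%S %p")


def days_until_expiry(details, now):
    """Whole days from 'now' (naive datetime) until Not After; negative if expired."""
    return (parse_gsk_date(details["Not After"]) - now).days


def needs_renewal(details, now, threshold_days=30):
    """True when the certificate expires within threshold_days (or already has)."""
    return days_until_expiry(details, now) <= threshold_days


def check_renewed(old, new, min_key_bits=2048):
    """Compare the received certificate with the one it replaces.

    Returns a list of findings; an empty list means the renewal looks right."""
    findings = []
    for field in ("Label", "Subject", "Issuer"):
        if old.get(field) != new.get(field):
            findings.append(f"{field} changed: {old.get(field)!r} -> {new.get(field)!r}")
    if old.get("Serial") == new.get("Serial"):
        findings.append("Serial unchanged: the old certificate may still be in place")
    if parse_gsk_date(new["Not After"]) <= parse_gsk_date(old["Not After"]):
        findings.append("Not After did not move forward")
    # The recreated request carries the same details as the old certificate,
    # so a short key stays short; 2048 bits is the assumed policy minimum.
    bits = int(new.get("Key Size", "0"))
    if bits < min_key_bits:
        findings.append(f"Key Size {bits} is below the {min_key_bits}-bit minimum")
    return findings


if __name__ == "__main__":
    old = parse_details(OLD_DETAILS)
    new = parse_details(NEW_DETAILS)
    check_date = parse_gsk_date("Apr 20, 2019 9:32:48 AM PDT")  # constructed "now"
    print("days left on old certificate:", days_until_expiry(old, check_date))
    print("renewal needed:", needs_renewal(old, check_date))
    for finding in check_renewed(old, new):
        print("finding:", finding)
```

In practice the two listings would be captured from the -details command before step 2 and after step 4; running check_renewed on them catches a certificate that was received under the wrong label or whose request was signed by a different CA, and the key-size finding is the cue to generate a fresh key pair rather than recreate the request when the existing key is too short.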