Certificate for the Configuration Tool on Liberty expired

If you are using RACF® as your SAF product and the certificates for the Configuration Tool on Liberty are expired, you can renew the certificates by running RACF commands.

Problem

When you access the Configuration Tool in a web browser, the following error message indicating an expired certificate is displayed:
<your-hostname>:port uses an invalid security certificate.
The certificate is not trusted because the issuer certificate has expired.
Error code: SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE

Solution

Perform the following steps to renew the CA certificate and the server certificate:
  1. Run the following commands to renew the CA certificate:
    RACDCERT CERTAUTH REKEY(LABEL('HBOCA')) 
       WITHLABEL('HBOCA1') NOTAFTER(DATE(2034/12/31))
    SETROPTS RACLIST(DIGTCERT, DIGTRING) REFRESH
    RACDCERT CERTAUTH ROLLOVER(LABEL('HBOCA')) 
       NEWLABEL('HBOCA1')
    RACDCERT DELETE(LABEL('HBOCA')) CERTAUTH
    SETROPTS RACLIST(DIGTCERT, DIGTRING) REFRESH
    RACDCERT CERTAUTH ALTER(LABEL('HBOCA1')) NEWLABEL('HBOCA')
  2. Run the following commands to renew the server certificate:
    RACDCERT ID(HBOSTCID) REKEY(LABEL('HBODefaultCert'))
       WITHLABEL('HBODefaultCert1')
    SETROPTS RACLIST(DIGTCERT, DIGTRING) REFRESH
    RACDCERT ID(HBOSTCID) GENREQ(LABEL('HBODefaultCert1'))
       DSN('userid.CERT.REQ')
    RACDCERT ID(HBOSTCID) GENCERT('userid.CERT.REQ')
       SIGNWITH(CERTAUTH LABEL('HBOCA')) NOTAFTER(DATE(2034/12/31))
    SETROPTS RACLIST(DIGTCERT, DIGTRING) REFRESH
    RACDCERT ID(HBOSTCID) ROLLOVER(LABEL('HBODefaultCert'))
       NEWLABEL('HBODefaultCert1')
    RACDCERT DELETE(LABEL('HBODefaultCert')) ID(HBOSTCID)
    SETROPTS RACLIST(DIGTCERT, DIGTRING) REFRESH
    RACDCERT ID(HBOSTCID) ALTER(LABEL('HBODefaultCert1'))
       NEWLABEL('HBODefaultCert')
    Replace userid in the preceding sample with the current user ID that you use to log in.
  3. Run the following commands to export the certificates.
    RACDCERT CERTAUTH EXPORT(LABEL('HBOCA'))
       FORMAT(CERTB64) DSN('userid.HOSTNAME.CA.CER')
       PASSWORD('WELCOME')
  4. Use the BINARY mode to transfer the certificates to the local system.
  5. Delete the old certificates and import the new certificates on your browser.
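
Before importing the exported CA certificate in step 5, you can confirm on the local system that it carries the renewed validity period. The following Python check is an added example, not part of the original procedure or of the product; it assumes the CERTB64 export is a standard PEM block, and the function names and sample data are constructed for illustration.

```python
import base64, re
from datetime import datetime, timezone

def _tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _time(tag, raw):
    """Decode UTCTime (0x17) or GeneralizedTime (0x18) in the 'Z' form."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    t = datetime.strptime(raw.decode("ascii"), fmt).replace(tzinfo=timezone.utc)
    if tag == 0x17 and t.year >= 2050:  # RFC 5280: UTCTime YY >= 50 means 19YY
        t = t.replace(year=t.year - 100)
    return t

def validity(pem_text):
    """Return (not_before, not_after) of the first PEM certificate in pem_text."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----",
                  pem_text, re.S)
    if not m:
        raise ValueError("no PEM certificate block found")
    der = base64.b64decode("".join(m.group(1).split()))
    _, pos, _ = _tlv(der, 0)            # Certificate SEQUENCE
    _, pos, _ = _tlv(der, pos)          # tbsCertificate SEQUENCE
    tag, _, nxt = _tlv(der, pos)
    pos = nxt if tag == 0xA0 else pos   # skip the optional [0] version field
    for _ in range(3):                  # skip serialNumber, signature, issuer
        _, _, pos = _tlv(der, pos)
    _, pos, _ = _tlv(der, pos)          # validity SEQUENCE
    t1, s1, e1 = _tlv(der, pos)         # notBefore
    t2, s2, e2 = _tlv(der, e1)          # notAfter
    return _time(t1, der[s1:e1]), _time(t2, der[s2:e2])

def days_left(pem_text, now=None):
    """Whole days until notAfter; a negative value means already expired."""
    now = now or datetime.now(timezone.utc)
    return (validity(pem_text)[1] - now).days

# Constructed sample: a DER skeleton with only the fields up to validity,
# not a real exported certificate.
def _enc(tag, body=b""):
    return bytes([tag, len(body)]) + body

def sample_pem(not_before, not_after):
    val = _enc(0x30, _enc(0x17, not_before) + _enc(0x17, not_after))
    tbs = _enc(0xA0, _enc(0x02, b"\x02")) + _enc(0x02, b"\x01") + _enc(0x30) * 2 + val
    der = _enc(0x30, _enc(0x30, tbs))
    return ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode()
            + "-----END CERTIFICATE-----\n")
```

Pass the text of the exported certificate file to `days_left`; a positive result with a `notAfter` matching the date given on `NOTAFTER` indicates that the renewed certificate was exported.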