In this procedure, you are renewing a CERTAUTH certificate with label 'Local PKI CA'. It was issued by a commercial CA and is being used by PKI Services for the PKI templates as a certificate authority (CA) certificate, making the PKI Services CA a subordinate CA. The PCI cryptographic coprocessor will be used to generate the new key pair. The size of the new private key will be 1024 bits (the RACF® default size).
Perform the following steps to rekey a certificate issued by an
external certificate authority using a new private key.
- Initiate the rekeying by executing the following RACF command:
  RACDCERT CERTAUTH REKEY(LABEL('Local PKI CA'))
  WITHLABEL('Local PKI CA-2') PKDS
- Create a request for an external CA to sign the new public key and reissue the certificate. Create the request for the new key and store it in MVS™ data set 'SYSADM.CERT.REQ' by executing the following command:
  RACDCERT CERTAUTH GENREQ(LABEL('Local PKI CA-2')) DSN('SYSADM.CERT.REQ')
- Send the certificate request to the CA and receive the newly signed and reissued certificate back from the CA into MVS data set 'SYSADM.CERT.B64'.
  Restriction: The certificate request data contained in the data set must be sent to, and received from, the external CA using the process defined by the CA. Those steps are not included.
- Add the newly signed certificate into RACF and replace the self-signed rekeyed certificate by executing the following command:
  RACDCERT CERTAUTH ADD('SYSADM.CERT.B64')
- You are now ready to retire the original certificate and must stop all use of the original private key. If you are rekeying the PKI Services CA certificate, stop the PKI Services daemon. At this point, the original certificate and its private key exist in RACF with label 'Local PKI CA'. The new certificate and its private key exist in a separate entry in RACF with label 'Local PKI CA-2'. You can proceed to roll over the key.
- Finalize the rollover by entering the following command:
  RACDCERT CERTAUTH ROLLOVER(LABEL('Local PKI CA'))
  NEWLABEL('Local PKI CA-2')
- If you rekeyed the PKI Services CA certificate for the PKI templates, restart the PKI Services daemon.
You have now rekeyed a certificate that was issued by an external certificate authority, using a new private key. All information in the certificate is updated to reflect the renewal, including the key ring connection information. You have retired and replaced the old certificate. You can now begin to use the new certificate and its private key. You can continue to use the old certificate for signature verification purposes until it expires. However, you cannot use the old certificate to sign new certificates. Additionally, do not connect the old certificate to any key ring as the default certificate.