In this procedure, you are rekeying the certificate associated
with the user ID FTPSRV with label 'My FTP
Server Cert'. The certificate was issued by a CERTAUTH certificate
with label 'Local RACF CA' that was generated by RACF®.
Perform the following steps to rekey a certificate issued by a
local CA and replace the private key.
- Initiate the rekeying by executing the following RACF command. REKEY generates a new key pair and stores it under the new label with a temporary self-signed certificate:
RACDCERT ID(FTPSRV) REKEY(LABEL('My FTP Server Cert'))
WITHLABEL('My FTP Server Cert-2')
- Create a certificate request based on the new self-signed certificate
and store it in an MVS™ data set 'SYSADM.CERT.REQ' by
executing the following command:
RACDCERT ID(FTPSRV) GENREQ(LABEL('My FTP Server Cert-2'))
DSN('SYSADM.CERT.REQ')
- Sign the new certificate by executing the following command. Because the request was generated from a certificate that already exists in RACF, the signed certificate replaces the self-signed one under the label 'My FTP Server Cert-2':
RACDCERT ID(FTPSRV) GENCERT('SYSADM.CERT.REQ')
SIGNWITH(CERTAUTH LABEL('Local RACF CA'))
- Retire the original certificate. Before you roll over, stop all use of the original private key (for example, by stopping the FTP server or any other application that uses it). At this point the original certificate and its private key exist in RACF with label 'My FTP Server Cert', and the new certificate and its private key exist in a separate entry with label 'My FTP Server Cert-2'. You can now proceed to roll over the key.
- Finalize the rollover by executing the following command:
RACDCERT ID(FTPSRV) ROLLOVER(LABEL('My FTP Server Cert'))
NEWLABEL('My FTP Server Cert-2')
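The following batch job is an added example and is not part of the IBM documentation for this procedure. It runs the same four RACDCERT commands as separate IKJEFT01 steps, so that each step only executes when the previous one ended with return code 0, and adds RACDCERT LIST and LISTRING queries before and after the rollover so that the operator can confirm the state the text describes (the new certificate now signed by 'Local RACF CA', the key ring connections moved to it, and the old certificate left without a private key). The job card, the COND handling, the ring name FTPRING and the RACLIST refresh are assumptions; the user ID, labels and data set name are the ones used above.

```jcl
//REKEYFTP JOB (ACCT#),'REKEY FTPSRV CERT',CLASS=A,MSGCLASS=X,
//         NOTIFY=&SYSUID
//*
//* Added example, not IBM's own job: rekey and roll over the FTPSRV
//* certificate as one batch TSO job. Job card, COND handling, the ring
//* name FTPRING and the RACLIST refresh are assumptions.
//*
//* Step 0: snapshot the current certificate and its ring connections.
//LIST0    EXEC PGM=IKJEFT01,DYNAMNBR=30
//SYSTSPRT DD  SYSOUT=*
//SYSTSIN  DD  *
  RACDCERT ID(FTPSRV) LIST(LABEL('My FTP Server Cert'))
/*
//* Step 1: generate a new key pair. RACF stores it with a temporary
//* self-signed certificate under the new label.
//REKEY    EXEC PGM=IKJEFT01,DYNAMNBR=30,COND=(0,NE)
//SYSTSPRT DD  SYSOUT=*
//SYSTSIN  DD  *
  RACDCERT ID(FTPSRV) REKEY(LABEL('My FTP Server Cert')) +
     WITHLABEL('My FTP Server Cert-2')
/*
//* Step 2: write a certificate request for the new key pair to a
//* sequential data set (the data set name is the one used on the page).
//GENREQ   EXEC PGM=IKJEFT01,DYNAMNBR=30,COND=(0,NE)
//SYSTSPRT DD  SYSOUT=*
//SYSTSIN  DD  *
  RACDCERT ID(FTPSRV) GENREQ(LABEL('My FTP Server Cert-2')) +
     DSN('SYSADM.CERT.REQ')
/*
//* Step 3: sign the request with the local CA. The signed certificate
//* replaces the self-signed one under the same label; the LIST that
//* follows should now show 'Local RACF CA' as the issuer.
//GENCERT  EXEC PGM=IKJEFT01,DYNAMNBR=30,COND=(0,NE)
//SYSTSPRT DD  SYSOUT=*
//SYSTSIN  DD  *
  RACDCERT ID(FTPSRV) GENCERT('SYSADM.CERT.REQ') +
     SIGNWITH(CERTAUTH LABEL('Local RACF CA'))
  RACDCERT ID(FTPSRV) LIST(LABEL('My FTP Server Cert-2'))
/*
//* Step 4: roll over. Only run this once every user of the old private
//* key has been stopped. Afterwards the ring connections belong to the
//* new certificate and the old certificate has no private key; the
//* LIST and LISTRING output lets you verify both. If the DIGTCERT
//* class is RACLISTed, refresh it so the change is visible to
//* applications that open the ring afterwards.
//ROLLOVER EXEC PGM=IKJEFT01,DYNAMNBR=30,COND=(0,NE)
//SYSTSPRT DD  SYSOUT=*
//SYSTSIN  DD  *
  RACDCERT ID(FTPSRV) ROLLOVER(LABEL('My FTP Server Cert')) +
     NEWLABEL('My FTP Server Cert-2')
  RACDCERT ID(FTPSRV) LIST(LABEL('My FTP Server Cert'))
  RACDCERT ID(FTPSRV) LIST(LABEL('My FTP Server Cert-2'))
  RACDCERT ID(FTPSRV) LISTRING(FTPRING)
  SETROPTS RACLIST(DIGTCERT) REFRESH
/*
```

The ROLLOVER step is deliberately the last one and is guarded by COND so that a failed GENREQ or GENCERT never leaves you with the old private key deleted and no signed replacement. After the job ends, restart the FTP server (or have it reload its key ring) so that it picks up the new certificate and key.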
You have now renewed a certificate that was signed by a local certificate authority, using a new private key. The rollover connects the new certificate to every key ring the old certificate was connected to, in the same way, and deletes the old private key. You have retired and replaced the old certificate, and you can now begin to use the new certificate and its private key. You can continue to use the old certificate for signature verification purposes until it expires. However, because its private key no longer exists, you cannot use the old certificate to sign new certificates, and you must not connect it to any key ring as the default certificate.