z/OS Security Server RACF Security Administrator's Guide


Steps for rekeying a certificate issued by a local CA

SA23-2289-00

In this procedure, you are rekeying the certificate associated with the user ID FTPSRV with label 'My FTP Server Cert'. The certificate was issued by a CERTAUTH certificate with label 'Local RACF CA' that was generated by RACF®.

Perform the following steps to rekey a certificate issued by a local CA and replace the private key.
  1. Initiate the rekeying by executing the following RACF command:
    RACDCERT ID(FTPSRV) REKEY(LABEL('My FTP Server Cert')) 
       WITHLABEL('My FTP Server Cert-2')

    ______________________________________________________________________

  2. Create a certificate request based on the new self-signed certificate and store it in an MVS™ data set 'SYSADM.CERT.REQ' by executing the following command:
    RACDCERT ID(FTPSRV) GENREQ(LABEL('My FTP Server Cert-2')) 
       DSN('SYSADM.CERT.REQ')

    ______________________________________________________________________

  3. Sign the new certificate by executing the following command:
    RACDCERT ID(FTPSRV) GENCERT('SYSADM.CERT.REQ') 
       SIGNWITH(CERTAUTH LABEL('Local RACF CA'))

    ______________________________________________________________________

  4. You are now ready to retire the original certificate and must stop all use of the original private key.

    At this point, the original certificate and its private key exist in RACF with label 'My FTP Server Cert'. The new certificate and its private key exist in a separate entry in RACF with label 'My FTP Server Cert-2'. You can now proceed to roll over the key.

    ______________________________________________________________________

  5. Finalize the rollover by executing the following command:
    RACDCERT ID(FTPSRV) ROLLOVER(LABEL('My FTP Server Cert')) 
       NEWLABEL('My FTP Server Cert-2')

    ______________________________________________________________________

You have now renewed a certificate that was signed by a local certificate authority, using a new private key. All information in the certificate is updated to reflect the renewal, including the key ring connection information. You have retired and replaced the old certificate. You can now begin to use the new certificate and its private key. You can continue to use the old certificate for signature verification purposes until it expires. However, you cannot use the old certificate to sign new certificates. Additionally, do not connect the old certificate to any key ring as the default certificate.
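The same five steps as a batch job stream, added here as an example and not part of the IBM procedure. It submits the RACDCERT commands through TSO in batch, adds a LIST of both entries so the operator can confirm the signed 'My FTP Server Cert-2' entry exists before anything is retired, and places the ROLLOVER in a second job so it is submitted only after all use of the original private key has stopped (step 4). Assumptions: the submitting user has RACDCERT authority for FTPSRV, the data set SYSADM.CERT.REQ does not already exist, IKJEFT1B is used so that a failing command sets the step return code and COND=(0,NE) skips later steps, and the DIGTCERT class is RACLISTed (hence the closing SETROPTS REFRESH; omit it if the class is not RACLISTed). The job name, account field and JOB card options are placeholders.

```jcl
//REKEYFTP JOB (ACCT),'REKEY FTPSRV CERT',CLASS=A,MSGCLASS=X,
//         NOTIFY=&SYSUID
//* Added example, not IBM's code: steps 1-3 of the rekey procedure plus
//* a verification LIST. Assumes RACDCERT authority for FTPSRV and that
//* SYSADM.CERT.REQ does not yet exist. IKJEFT1B returns the highest
//* command return code, so COND=(0,NE) stops the job after a failure.
//*
//* Step 1: generate a new key pair and self-signed copy under a new label
//REKEY    EXEC PGM=IKJEFT1B
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  RACDCERT ID(FTPSRV) REKEY(LABEL('My FTP Server Cert')) -
     WITHLABEL('My FTP Server Cert-2')
/*
//* Step 2: write a certificate request for the new key to a data set
//GENREQ   EXEC PGM=IKJEFT1B,COND=(0,NE)
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  RACDCERT ID(FTPSRV) GENREQ(LABEL('My FTP Server Cert-2')) -
     DSN('SYSADM.CERT.REQ')
/*
//* Step 3: sign the request with the local CA; the signed certificate
//* replaces the self-signed copy under 'My FTP Server Cert-2'
//GENCERT  EXEC PGM=IKJEFT1B,COND=(0,NE)
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  RACDCERT ID(FTPSRV) GENCERT('SYSADM.CERT.REQ') -
     SIGNWITH(CERTAUTH LABEL('Local RACF CA'))
/*
//* Check before step 4: both entries must be present. In SYSTSPRT the
//* new entry should show issuer 'Local RACF CA' and a private key; the
//* old entry and its private key are still intact at this point.
//VERIFY   EXEC PGM=IKJEFT1B,COND=(0,NE)
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  RACDCERT ID(FTPSRV) LIST(LABEL('My FTP Server Cert'))
  RACDCERT ID(FTPSRV) LIST(LABEL('My FTP Server Cert-2'))
/*
//*
//* Second job: submit only after step 4 is complete, that is, after every
//* application using the original private key has been stopped.
//REKEYFT2 JOB (ACCT),'ROLLOVER FTPSRV CERT',CLASS=A,MSGCLASS=X,
//         NOTIFY=&SYSUID
//* Step 5: roll over to the new label; ring connections move to it and
//* the old certificate remains for signature verification only
//ROLLOVER EXEC PGM=IKJEFT1B
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  RACDCERT ID(FTPSRV) ROLLOVER(LABEL('My FTP Server Cert')) -
     NEWLABEL('My FTP Server Cert-2')
  RACDCERT ID(FTPSRV) LIST(LABEL('My FTP Server Cert-2'))
/*
//* Assumed: DIGTCERT is RACLISTed, so running applications need a refresh
//REFRESH  EXEC PGM=IKJEFT1B,COND=(0,NE)
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  SETROPTS RACLIST(DIGTCERT) REFRESH
/*
```

Submit the first job, review the VERIFY step output, stop or reconfigure the FTP server so the original private key is no longer in use, and only then submit the second job. Splitting the stream at step 4 is deliberate: a single job that runs straight through to ROLLOVER would retire the old key while a server could still be using it.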

Copyright IBM Corporation 1990, 2014