z/OS Cryptographic Services PKI Services Guide and Reference


Steps for setting up automatic certificate renewal

SA23-2286-00

Perform the following steps to set up automatic certificate renewal.

Before you begin

You need to decide for which certificate templates you want to set up automatic certificate renewal. For a description of the templates provided by PKI Services, see Supported certificate types.

Procedure

  1. In the CertPolicy section of the pkiserv.config configuration file, set the field ExpireWarningTime to specify how soon (in days or weeks) before a certificate expires to renew it and send the renewed certificate to its owner. For example, to automatically renew certificates two weeks before they expire:
    ExpireWarningTime=2w

    _______________________________________________________________

  2. Set up the renewed certificate e-mail notification form.
    1. Copy the sample renewed certificate notification form, renewcertmsg.form, from the samples directory to the runtime directory. For more information, see Steps for copying files.
    2. Customize the renewed certificate notification form with your company's information. For more information, see Customizing e-mail notifications sent to users.
    3. In the General section of the pkiserv.config configuration file, set the field RenewCertForm to indicate the file that contains the renewed certificate notification form. For example:
      RenewCertForm=/etc/pkiserv/renewcertmsg.form

    _______________________________________________________________

  3. If you are implementing the Web application using REXX CGI execs, in each template for which you want certificates to be automatically renewed, insert the AUTORENEW tag immediately following the NICKNAME tag, if it is not already there, and set it to Y. For example:
    <TEMPLATE NAME=1-Year PKI SSL Browser Certificate>
    <TEMPLATE NAME=PKI Browser Certificate>
    <NICKNAME=1YBSSL>
    <AUTORENEW=Y>
    If you are implementing the Web application using Java™ server pages (JSPs), for each certificate request template for which you want certificates to be automatically renewed, include the tag <tns:AutoRenew>Y</tns:AutoRenew>. For example:
    <tns:certreq_template>
    <tns:certname>1-Year SAF Browser Certificate</tns:certname>
    <tns:certtype>SAF Browser Certificate</tns:certtype>
    <tns:AutoRenew>Y</tns:AutoRenew>
    ⋮

    _______________________________________________________________

  4. For each certificate type that you want to be automatically renewed, except the PKI generated key certificate, make NotifyEmail a required field.
    To do this if you are implementing the Web application using REXX CGI execs, in each template for which you want certificates to be automatically renewed (except the PKI generated key certificate), remove the string (optional) following the NotifyEmail tag, if it is specified. For example, change
     %%NotifyEmail (optional)%%
    to
     %%NotifyEmail%%
    If you are implementing the Web application using Java server pages (JSPs), for each certificate request template for which you want certificates to be automatically renewed (except the PKI generated key certificate), remove the string optional="true" following the NotifyEmail tag, if it is specified. For example, change:
    <tns:NotifyEmail optional="true" />
    to
    <tns:NotifyEmail />
    Note: For a PKI generated key certificate, the requestor name is an e-mail address and overrides the NotifyEmail value if specified.

    _______________________________________________________________
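The following check of steps 1 through 4 is an added example, not code from IBM or PKI Services. It covers the REXX-style template syntax only and assumes that pkiserv.config sections are introduced by bracketed headers such as [CertPolicy] and that a day count uses a d suffix. The function names and the exempt parameter (nicknames of PKI generated key templates) are hypothetical.

```python
import re

def parse_config(text):
    """Parse pkiserv.config-style text into {section: {field: value}}."""
    sections, current = {}, None
    for line in map(str.strip, text.splitlines()):
        head = re.fullmatch(r"\[(\w+)\]", line)
        if head:
            current = sections.setdefault(head.group(1), {})
        elif current is not None and "=" in line and not line.startswith("#"):
            field, value = line.split("=", 1)
            current[field.strip()] = value.strip()
    return sections

def check_config(text):
    """Steps 1 and 2: renewal window and notification form are configured."""
    cfg, problems = parse_config(text), []
    window = cfg.get("CertPolicy", {}).get("ExpireWarningTime", "")
    if not re.fullmatch(r"[1-9]\d*[dw]", window):  # "d" = days suffix (assumed)
        problems.append("CertPolicy/ExpireWarningTime missing or malformed")
    if not cfg.get("General", {}).get("RenewCertForm"):
        problems.append("General/RenewCertForm not set")
    return problems

def check_templates(text, exempt=()):
    """Steps 3 and 4 (REXX templates); exempt = PKI generated key nicknames."""
    problems, nick, prev, auto = [], None, "", False
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.startswith("<TEMPLATE NAME="):
            nick, auto = None, False  # a new template begins
        elif m := re.fullmatch(r"<NICKNAME=(\w+)>", line):
            nick = m.group(1)
        elif line == "<AUTORENEW=Y>":
            auto = True
            if not prev.startswith("<NICKNAME="):
                problems.append(f"{nick}: AUTORENEW not directly after NICKNAME")
        elif auto and nick not in exempt and re.search(
                r"%%NotifyEmail\s*\(optional\)%%", line):
            problems.append(f"{nick}: NotifyEmail still optional")
        prev = line
    return problems

# Constructed sample input; the template sample still has an optional NotifyEmail.
SAMPLE_CONFIG = "[CertPolicy]\nExpireWarningTime=2w\n[General]\n" \
                "RenewCertForm=/etc/pkiserv/renewcertmsg.form\n"
SAMPLE_TEMPLATES = "<TEMPLATE NAME=PKI Browser Certificate>\n<NICKNAME=1YBSSL>\n" \
                   "<AUTORENEW=Y>\n%%NotifyEmail (optional)%%\n"

if __name__ == "__main__":
    print(check_config(SAMPLE_CONFIG) + check_templates(SAMPLE_TEMPLATES))
```

An empty list from both checks means every auto-renewed template has a required NotifyEmail, so a renewed certificate always has an address to be sent to.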

Results

When you are done, you have set up automatic certificate renewal.





Copyright IBM Corporation 1990, 2014