The commands used in this procedure are examples based on the following
scenario.
Assumptions:
- The certificate you are rekeying is a CERTAUTH certificate with label
'Local PKI CA'. It was issued by a commercial CA and is being used by PKI
Services for the PKI templates as a certificate authority (CA) certificate,
making the PKI Services CA a subordinate CA.
- The PCI cryptographic coprocessor will be used to generate the new key
pair.
- The size of the new private key will be 1024 bits (RACF® default size).
A larger key can be requested by adding the SIZE keyword to the REKEY
command.
Perform the following procedure to rekey and replace the private
key.
- Initiate the rekeying by executing the following RACF command. REKEY
generates the new key pair on the PCI cryptographic coprocessor and creates
a self-signed copy of the original certificate for that key under the new
label:
RACDCERT CERTAUTH REKEY(LABEL('Local PKI CA')) WITHLABEL('Local PKI CA-2') PCICC
_______________________________________________________________
- Create a request for a commercial CA to sign the new public key and
reissue the certificate. To create a certificate request for the new key
and store it in MVS™ data set 'SYSADM.CERT.REQ', issue the following
command:
RACDCERT CERTAUTH GENREQ(LABEL('Local PKI CA-2')) DSN('SYSADM.CERT.REQ')
Restriction: The certificate request data contained in the data set must be
sent to, and received from, the commercial CA using the process defined by
the CA. Those steps are not included.
_______________________________________________________________
- Receive the newly signed and reissued certificate back from the
commercial CA into MVS data set 'SYSADM.CERT.B64'.
_______________________________________________________________
- Add the newly signed certificate into RACF and replace the self-signed
rekeyed one by executing the following command. RACF matches the returned
certificate to the 'Local PKI CA-2' entry by its public key, so the
CA-signed certificate replaces the self-signed copy and keeps the existing
private key:
RACDCERT CERTAUTH ADD('SYSADM.CERT.B64')
_______________________________________________________________
- You are now ready to retire the original certificate and must stop all
use of the original private key. Stop the PKI Services daemon.
Note: At this point, the original certificate and its private key exist in
RACF with label 'Local PKI CA'. The new certificate and its private key
exist in a separate entry in RACF with label 'Local PKI CA-2'. You can
proceed to roll over the key.
_______________________________________________________________
- Finalize the rollover by entering the following command:
RACDCERT CERTAUTH ROLLOVER(LABEL('Local PKI CA')) NEWLABEL('Local PKI CA-2')
_______________________________________________________________
- If an RA certificate is in use that was signed by the retired CA
certificate, connect the retired CA certificate to the key ring so that the
daemon can still build the certificate chain for that RA certificate:
RACDCERT ID(daemon) CONNECT(CERTAUTH LABEL('Local PKI CA') RING(ringname) USAGE(CERTAUTH))
- Restart the PKI Services daemon.
_______________________________________________________________
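The whole procedure as batch TSO, an added example that is not part of the original page and not IBM's own code. It is split into three jobs because the commercial CA's turnaround and the daemon stop both happen between RACF commands. The job names, the daemon user ID PKISRVD and the ring name CAring are assumptions (the page leaves them as 'daemon' and 'ringname'); the LIST, CHECKCERT, LISTRING and SETROPTS REFRESH commands are verification steps added here and are not in the original procedure. The labels and data set names are those of the scenario above.

```jcl
//PKIREKY1 JOB (ACCT),'PKI REKEY 1',CLASS=A,MSGCLASS=X
//* Phase 1: generate the new key pair on the PCI cryptographic
//* coprocessor and build the request for the commercial CA.
//* Assumed names (not from the original procedure): job names,
//* daemon user ID PKISRVD, key ring CAring.
//* Check in the LIST output: the 'Local PKI CA-2' entry exists,
//* issuer equals subject (still self-signed), Private Key Type is
//* PCICC and the key size is the one expected.
//REKEY    EXEC PGM=IKJEFT01,DYNAMNBR=30
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  RACDCERT CERTAUTH REKEY(LABEL('Local PKI CA')) +
     WITHLABEL('Local PKI CA-2') PCICC
  RACDCERT CERTAUTH LIST(LABEL('Local PKI CA-2'))
  RACDCERT CERTAUTH GENREQ(LABEL('Local PKI CA-2')) +
     DSN('SYSADM.CERT.REQ')
/*
//PKIREKY2 JOB (ACCT),'PKI REKEY 2',CLASS=A,MSGCLASS=X
//* Phase 2: run after the commercial CA has returned the signed
//* certificate into SYSADM.CERT.B64.
//* CHECKCERT displays the certificate without storing it: confirm
//* that the subject is the CA's name and the issuer is the
//* commercial CA before ADD replaces the self-signed copy.
//* Check in the LIST output after ADD: issuer is now the commercial
//* CA and Private Key Type is still PCICC (the key was kept).
//ADDCERT  EXEC PGM=IKJEFT01,DYNAMNBR=30
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  RACDCERT CHECKCERT('SYSADM.CERT.B64')
  RACDCERT CERTAUTH ADD('SYSADM.CERT.B64')
  RACDCERT CERTAUTH LIST(LABEL('Local PKI CA-2'))
/*
//PKIREKY3 JOB (ACCT),'PKI REKEY 3',CLASS=A,MSGCLASS=X
//* Phase 3: run only after the PKI Services daemon has been stopped.
//* ROLLOVER moves the key ring connections to 'Local PKI CA-2' and
//* deletes the private key of 'Local PKI CA'.
//* Check in the LIST output: the old label shows Private Key Type:
//* NONE, the new label shows PCICC and its ring connections.
//* The CONNECT keeps the retired CA certificate in the daemon's ring
//* so the chain of an RA certificate it signed can still be built
//* (omit it when no such RA certificate exists). LISTRING shows that
//* 'Local PKI CA-2' is the default certificate and 'Local PKI CA' is
//* present but not the default.
//* The SETROPTS REFRESH is only needed when the DIGTCERT and DIGTRING
//* classes are RACLISTed at this installation.
//ROLLOVER EXEC PGM=IKJEFT01,DYNAMNBR=30
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  RACDCERT CERTAUTH ROLLOVER(LABEL('Local PKI CA')) +
     NEWLABEL('Local PKI CA-2')
  RACDCERT CERTAUTH LIST(LABEL('Local PKI CA'))
  RACDCERT CERTAUTH LIST(LABEL('Local PKI CA-2'))
  RACDCERT ID(PKISRVD) CONNECT(CERTAUTH LABEL('Local PKI CA') +
     RING(CAring) USAGE(CERTAUTH))
  RACDCERT ID(PKISRVD) LISTRING(CAring)
  SETROPTS RACLIST(DIGTCERT DIGTRING) REFRESH
/*
```

Submit PKIREKY1, send SYSADM.CERT.REQ to the commercial CA, receive the reply into SYSADM.CERT.B64, submit PKIREKY2, stop the PKI Services daemon, submit PKIREKY3, then restart the daemon. Review SYSTSPRT of each job for a non-zero return code or any IRRD message before moving to the next phase; in particular do not run PKIREKY3 until the LIST output from PKIREKY2 shows the commercial CA as issuer.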
When you are done: You have retired and replaced the old PKI Services CA
certificate. All the information for the original certificate is updated
to reflect the new certificate, including the key ring connections. You
can now begin to use the new certificate and its private key. You can
continue to use the old certificate for signature verification purposes
until it expires. However, because ROLLOVER deleted its private key, you
cannot use the old certificate to sign new certificates. Additionally, do
not connect the old certificate to any key rings as the default
certificate.