Steps to retire and replace the PKI Services CA private key for the PKI templates

The commands used in this procedure are examples based on the following scenario:

Assumptions:

The certificate you are rekeying is a CERTAUTH certificate with label 'Local PKI CA'. It was issued by a commercial CA and is being used by PKI Services for the PKI templates as a certificate authority (CA) certificate, making the PKI Services CA a subordinate CA.
The PCI cryptographic coprocessor will to be used to generate the new key-pair.
The size of the new private key will be 1024 bits (RACF® default size).

Perform the following procedure to rekey and replace the private key.

Initiate the rekeying by executing the following RACF command:
```
RACDCERT CERTAUTH REKEY(LABEL('Local PKI CA')) WITHLABEL('Local PKI CA-2') PCICC
```
_______________________________________________________________
Create a request for a commercial CA to sign the new public key and reissue the certificate. To create a certificate request for the new key and store it in MVS™ data set 'SYSADM.CERT.REQ', issue the following command:
```
RACDCERT CERTAUTH GENREQ(LABEL('Local PKI CA-2')) DSN('SYSADM.CERT.REQ')
```
Restriction: The certificate request data contained in the data set must be sent to, and received from, the commercial CA using the process defined by the CA. Those steps are not included.
_______________________________________________________________
Receive the newly signed and reissued certificate back from the commercial CA into MVS data set 'SYSADM.CERT.B64'.
_______________________________________________________________
Add the newly signed certificate into RACF and replace the self-signed rekeyed one by executing the following command:
```
RACDCERT CERTAUTH ADD('SYSADM.CERT.B64')
```
_______________________________________________________________
You are now ready to retire the original certificate and must stop all use of the original private key. Stop the PKI Services daemon.
Note: At this point, the original certificate and its private key exist in RACF with label 'Local PKI CA'. The new certificate and its private key exist in a separate entry in RACF with label 'Local PKI CA-2'. You can proceed to rollover the key.

_______________________________________________________________
Finalize the rollover by entering the following command:
```
RACDCERT CERTAUTH ROLLOVER(LABEL('Local PKI CA')) NEWLABEL('Local PKI CA-2')
```
_______________________________________________________________
If an RA certificate is in use that was signed by the retired CA certificate, connect the retired CA certificate to the key ring.
```
RACDCERT ID(daemon) CONNECT(CERTAUTH LABEL('Local PKI CA') RING(ringname) USAGE(CERTAUTH))
```
Restart the PKI Services daemon.
_______________________________________________________________

When you are done: You have retired and replaced the old PKI Services CA certificate. All the information for the original certificate is updated to reflect the new certificate, including the key ring connections. You can now begin to use the new certificate and its private key. You can continue to use the old certificate for signature verification purposes until it expires. However, you cannot use the old certificate to sign new certificates. Additionally, do not connect the old certificate to any key rings as the default certificate.