z/OS Cryptographic Services PKI Services Guide and Reference

Steps to retire and replace the PKI Services CA private key for the SAF templates: Scenario 1

SA23-2286-00

The commands used in this procedure are examples based on the following scenario:

Assumptions:
  • The certificate you are rekeying is a CERTAUTH certificate with label 'taca'.
  • It was issued by a local CA certificate labeled 'Local RACF CA' that was generated by RACF® and is being used by PKI Services for the SAF templates as a certificate authority (CA) certificate.
Perform the following procedure to rekey and replace the private key.
  1. Initiate the rekeying by executing the following RACF command:
    RACDCERT CERTAUTH REKEY(LABEL('taca')) WITHLABEL('taca-2')

  2. Generate a certificate request based on the new self-signed certificate and store it in MVS™ data set 'SYSADM.CERT.REQ' by executing the following command:
    RACDCERT CERTAUTH GENREQ(LABEL('taca-2')) DSN('SYSADM.CERT.REQ')

  3. Issue the following command to sign the new certificate:
    RACDCERT CERTAUTH GENCERT('SYSADM.CERT.REQ') 
       SIGNWITH(CERTAUTH LABEL('Local RACF CA'))

    At this point, the original certificate and its private key exist in RACF with the label 'taca'. The new certificate and its private key exist in a separate entry in RACF with the label 'taca-2'. You can proceed to roll over the key.

  4. Finalize the rollover by entering the following command:
    RACDCERT CERTAUTH ROLLOVER(LABEL('taca')) NEWLABEL('taca-2')

  5. Change the certificate label used in the SIGNWITH field in the SAF templates to the new label name.
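
The following command sequence is an added example that is not part of the IBM text: it runs steps 1 through 4 of the scenario above in order and surrounds them with RACDCERT LIST and LISTRING checks so that an administrator can confirm the state of both certificate entries and of the PKI Services key ring before and after the rollover. The key ring name PKIRING and the daemon user ID PKISRVD are placeholders assumed for this example and must be replaced with the values from your own PKI Services configuration; the SETROPTS refresh at the end assumes that the DIGTCERT class is RACLISTed on your system.

```tso
/* Record the starting state: the CA certificate that will be      */
/* rekeyed and the key ring PKI Services uses for the SAF templates. */
/* PKIRING and PKISRVD are placeholders for this example.            */
RACDCERT CERTAUTH LIST(LABEL('taca'))
RACDCERT ID(PKISRVD) LISTRING(PKIRING)

/* Step 1: generate a new key pair and self-signed certificate with   */
/* the same subject as 'taca', stored under the new label 'taca-2'.   */
RACDCERT CERTAUTH REKEY(LABEL('taca')) WITHLABEL('taca-2')

/* Step 2: write a certificate request for the new key to a data set. */
RACDCERT CERTAUTH GENREQ(LABEL('taca-2')) DSN('SYSADM.CERT.REQ')

/* Step 3: have the local RACF CA sign the request; because the key   */
/* matches 'taca-2', the signed certificate replaces the self-signed  */
/* one in that entry.                                                  */
RACDCERT CERTAUTH GENCERT('SYSADM.CERT.REQ') SIGNWITH(CERTAUTH LABEL('Local RACF CA'))

/* Check both entries before committing: 'taca' and 'taca-2' should   */
/* each show a private key, and only 'taca' should show ring          */
/* associations at this point.                                         */
RACDCERT CERTAUTH LIST(LABEL('taca'))
RACDCERT CERTAUTH LIST(LABEL('taca-2'))

/* Step 4: move the key ring connections to 'taca-2' and retire the    */
/* private key of 'taca'.                                              */
RACDCERT CERTAUTH ROLLOVER(LABEL('taca')) NEWLABEL('taca-2')

/* Confirm the rollover: 'taca-2' now carries the private key and the */
/* ring associations; 'taca' remains for signature verification only. */
RACDCERT CERTAUTH LIST(LABEL('taca'))
RACDCERT CERTAUTH LIST(LABEL('taca-2'))
RACDCERT ID(PKISRVD) LISTRING(PKIRING)

/* Step 5 is a change to the SIGNWITH field in the SAF templates, not  */
/* a RACF command. If DIGTCERT is RACLISTed, refresh it so the updated */
/* certificate entries are in effect.                                  */
SETROPTS RACLIST(DIGTCERT) REFRESH
```

In the RACDCERT LIST output, the fields to compare across the two checks are the private key information and the ring associations: after ROLLOVER they appear for 'taca-2' and the private key information is gone for 'taca'. If the second LISTRING still shows 'taca' as the default certificate, the rollover did not complete and the SAF template change in step 5 should not be made yet.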

When you are done: You have retired and replaced the old certificate. All the information for the original certificate is updated to reflect the new certificate, including the key ring connections. You can now begin to use the new certificate and its private key. You can continue to use the old certificate for signature verification purposes until it expires. However, you cannot use the old certificate to sign new certificates. Additionally, do not connect the old certificate to any key rings as the default certificate.


Copyright IBM Corporation 1990, 2014