The commands used in this procedure are examples based on the following
scenario:
Assumptions:- The certificate you are rekeying is a CERTAUTH certificate with
label 'taca'.
- It was issued by a local CA certificate labeled 'Local
RACF CA' that was generated by RACF® and
is being used by PKI Services for
the SAF templates as a certificate authority (CA) certificate.
Perform the following procedure to rekey and replace the private
key.
- Initiate the
rekeying by executing the following RACF command:
RACDCERT CERTAUTH REKEY(LABEL('taca')) WITHLABEL('taca-2')
_______________________________________________________________
- Generate a certificate request based on the new self-signed certificate
and store it in MVS™ data set 'SYSADM.CERT.REQ' by
executing the following command:
RACDCERT CERTAUTH GENREQ(LABEL('taca-2')) DSN('SYSADM.CERT.REQ')
_______________________________________________________________
- Issue the following command to sign the new
certificate:
RACDCERT CERTAUTH GENCERT('SYSADM.CERT.REQ')
SIGNWITH(CERTAUTH LABEL('Local RACF CA'))
At this
point, the original certificate and its private key exist in RACF with the label 'taca'.
The new certificate and its private key exist in a separate entry
in RACF with the label 'taca-2'.
You can proceed to rollover the key.
_______________________________________________________________
- Finalize the rollover by entering the following command:
RACDCERT CERTAUTH ROLLOVER(LABEL('taca')) NEWLABEL('taca-2')
_______________________________________________________________
- Change the certificate label used in the SIGNWITH field in the
SAF templates to the new label name.
_______________________________________________________________
When you are done: You
have retired and replaced the old certificate. All the information
for the original certificate is updated to reflect the new certificate,
including the key ring connections. You can now begin to use the new
certificate and its private key. You can continue to use the old certificate
for signature verification purposes until it expires. However, you
cannot use the old certificate to sign new certificates. Additionally,
do not connect the old certificate to any key rings as the default
certificate.