The commands used in this procedure are examples based on the following scenario.

Assumptions:
- The certificate you are rekeying is a CERTAUTH certificate with label 'taca'.
- It was a self-signed certificate in RACF® and is being used by PKI Services for the SAF templates as a certificate authority (CA) certificate.
Perform the following procedure to rekey and replace the private key.
- Initiate the rekeying by executing the following RACF command:

  RACDCERT CERTAUTH REKEY(LABEL('taca')) WITHLABEL('taca-2')

  At this point, the original certificate and its private key still exist in RACF with the label 'taca'. The new certificate and its private key exist in a separate entry in RACF with the label 'taca-2'. You can proceed to roll over the key.

- Finalize the rollover by entering the following command:

  RACDCERT CERTAUTH ROLLOVER(LABEL('taca')) NEWLABEL('taca-2')

- Change the certificate label used in the SIGNWITH field in the SAF templates to the new label name ('taca-2').
When you are done: You have retired and replaced the old certificate. All the information for the original certificate is updated to reflect the new certificate, including the key ring connections. You can now begin to use the new certificate and its private key. You can continue to use the old certificate for signature verification purposes until it expires. However, you cannot use the old certificate to sign new certificates. Additionally, do not connect the old certificate to any key rings as the default certificate.
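The same rekey and rollover sequence run as a batch TSO job, as an added example that is not part of the original page: it lists the RACF entries before and after each step so the state described above (new key under 'taca-2', old label kept for verification only) can be checked from the job output. The job card, job name and the use of IKJEFT01 are assumptions; the SIGNWITH change in the SAF templates is a template file edit and is not part of this job.

```jcl
//REKEYCA  JOB (ACCT),'REKEY CA TACA',CLASS=A,MSGCLASS=X
//* Added example, not from the IBM page. Job card is a placeholder.
//* Step order mirrors the procedure above:
//*   1. LIST 'taca'     - confirm the current CA cert and key exist
//*   2. REKEY           - create 'taca-2' with a new key pair
//*   3. LIST 'taca-2'   - confirm the new entry before committing
//*   4. ROLLOVER        - move ring connections to 'taca-2' and
//*                        retire the old private key
//*   5. LIST both       - 'taca-2' now carries the key and rings;
//*                        'taca' remains for signature verification
//* Review the SYSTSPRT output of step 3 before trusting the rollover.
//TSO      EXEC PGM=IKJEFT01,DYNAMNBR=20
//SYSTSPRT DD  SYSOUT=*
//SYSTSIN  DD  *
  RACDCERT CERTAUTH LIST(LABEL('taca'))
  RACDCERT CERTAUTH REKEY(LABEL('taca')) WITHLABEL('taca-2')
  RACDCERT CERTAUTH LIST(LABEL('taca-2'))
  RACDCERT CERTAUTH ROLLOVER(LABEL('taca')) NEWLABEL('taca-2')
  RACDCERT CERTAUTH LIST(LABEL('taca'))
  RACDCERT CERTAUTH LIST(LABEL('taca-2'))
/*
```

In practice, split the job at the ROLLOVER and inspect the listings first, since after ROLLOVER the old label can no longer sign new certificates.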