Steps to retire and replace the PKI Services CA private key for the SAF templates: Scenario 1
The commands that are used in this procedure are examples that are based on the following scenario:
Assumptions:
- The certificate that you are rekeying is a CERTAUTH certificate with label 'taca'.
- It was issued by a local CA certificate labeled 'Local RACF CA', which RACF® generated and which PKI Services uses as the certificate authority (CA) certificate for the SAF templates.
Perform the following procedure to rekey and replace the private key.
- Initiate the rekeying by executing the following RACF command. REKEY generates a new key pair and stores it, together with a self-signed certificate that copies the subject and other fields of 'taca', under the new label 'taca-2':
RACDCERT CERTAUTH REKEY(LABEL('taca')) WITHLABEL('taca-2')
_______________________________________________________________
- Generate a certificate request that is based on the new self-signed certificate and store it in MVS™ data set 'SYSADM.CERT.REQ' by executing the following command:
RACDCERT CERTAUTH GENREQ(LABEL('taca-2')) DSN('SYSADM.CERT.REQ')
_______________________________________________________________
- Issue the following command to sign the new certificate with the local CA. Because the request carries the public key of 'taca-2', the signed certificate replaces the self-signed one under that label:
RACDCERT CERTAUTH GENCERT('SYSADM.CERT.REQ') SIGNWITH(CERTAUTH LABEL('Local RACF CA'))
At this point, the original certificate and its private key exist in RACF with the label 'taca'. The new certificate and its private key exist in a separate entry in RACF with the label 'taca-2'. Before you continue, list both entries and confirm that 'taca-2' has a private key and is signed by 'Local RACF CA' rather than self-signed: the next step deletes the 'taca' private key and cannot be undone. You can then proceed to roll over the key.
_______________________________________________________________
- Finalize the rollover by entering the following command. ROLLOVER copies the key ring connections of 'taca' to 'taca-2' and deletes the private key of 'taca'; the 'taca' certificate itself remains in RACF so that certificates it issued can still be validated:
RACDCERT CERTAUTH ROLLOVER(LABEL('taca')) NEWLABEL('taca-2')
_______________________________________________________________
- Change the certificate label that is used in the SIGNWITH field in the SAF templates to the new label name, so that PKI Services signs newly issued certificates with the 'taca-2' key.
_______________________________________________________________
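The whole procedure as one TSO REXX exec is shown below. This is an added example, not code from the IBM page or from PKI Services: the four RACDCERT commands are the page's, while the return-code checks, the OUTTRAP-based LIST verification that stops before the irreversible ROLLOVER, the SETROPTS refresh, and the exec and member names are this example's assumptions. It also assumes the RACDCERT LIST output layout (a 'Private Key:' or 'Private Key Type:' line, and the DN on the line after "Issuer's Name:" and "Subject's Name:").

```rexx
/* REXX: rekey the PKI Services SAF-template CA ('taca' -> 'taca-2').
   Added example, not from the page. Run from TSO by a user with
   RACDCERT CERTAUTH authority, e.g.  EX 'SYSADM.EXEC(REKEYCA)'
   (exec name and library are assumptions).                          */
oldLabel = 'taca'
newLabel = 'taca-2'
signer   = 'Local RACF CA'
reqDsn   = 'SYSADM.CERT.REQ'

/* Step 1: new key pair plus a self-signed copy of 'taca' under 'taca-2' */
call racf "RACDCERT CERTAUTH REKEY(LABEL('"oldLabel"')) WITHLABEL('"newLabel"')"

/* Step 2: certificate request for the new key, written to a data set */
call racf "RACDCERT CERTAUTH GENREQ(LABEL('"newLabel"')) DSN('"reqDsn"')"

/* Step 3: sign with the local CA; the signed certificate replaces the
   self-signed 'taca-2' because the public key in the request matches */
cmd = "RACDCERT CERTAUTH GENCERT('"reqDsn"')",
      "SIGNWITH(CERTAUTH LABEL('"signer"'))"
call racf cmd

/* Checkpoint: 'taca-2' must hold a private key and must no longer be
   self-signed before the old private key is destroyed */
if \certOk(newLabel) then do
   say 'Verification of' newLabel 'failed; rollover not performed.'
   exit 8
end

/* Step 4: move ring connections to 'taca-2' and delete the 'taca' private
   key; the 'taca' certificate stays so certificates it issued validate */
call racf "RACDCERT CERTAUTH ROLLOVER(LABEL('"oldLabel"')) NEWLABEL('"newLabel"')"

/* Make the change visible if DIGTCERT/DIGTRING are RACLISTed
   (assumption; only a warning if they are not) */
address TSO "SETROPTS RACLIST(DIGTCERT DIGTRING) REFRESH"
if rc <> 0 then say 'SETROPTS refresh RC='rc', check whether the classes are RACLISTed.'

/* Step 5 is manual: point SIGNWITH in the SAF templates at the new label */
say 'Rollover complete; set SIGNWITH in the SAF templates to' newLabel
exit 0

/* Run one TSO command; abandon the procedure on a non-zero return code */
racf: procedure
   parse arg cmd
   address TSO cmd
   if rc <> 0 then do
      say 'Command failed, RC='rc':' cmd
      exit rc
   end
   return

/* LIST one CERTAUTH certificate and confirm it has a private key and an
   issuer DN different from its subject DN (LIST output layout assumed) */
certOk: procedure
   parse arg label
   hasKey    = 0
   issuerDn  = ''
   subjectDn = ''
   x = outtrap('out.')
   address TSO "RACDCERT CERTAUTH LIST(LABEL('"label"'))"
   listRc = rc
   x = outtrap('off')
   if listRc <> 0 then do
      say 'LIST of' label 'failed, RC='listRc
      return 0
   end
   do i = 1 to out.0
      line = space(out.i)
      j = i + 1
      select
         when left(line, 17) = 'Private Key Type:' then hasKey = 1
         when left(line, 12) = 'Private Key:'      then hasKey = (word(line, 3) = 'YES')
         when line = "Issuer's Name:"  & j <= out.0 then issuerDn  = space(out.j)
         when line = "Subject's Name:" & j <= out.0 then subjectDn = space(out.j)
         otherwise nop
      end
   end
   if \hasKey then do
      say label 'has no private key.'
      return 0
   end
   if issuerDn = '' | issuerDn = subjectDn then do
      say label 'is still self-signed; GENCERT did not replace it.'
      return 0
   end
   return 1
```

The exec stops with return code 8 if 'taca-2' fails the checkpoint, leaving 'taca' and its private key untouched; only after a successful check does it run ROLLOVER. The final SIGNWITH change in the SAF templates is left as a manual step, as on the page.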