Retiring and replacing the PKI Services CA private key

For certificates that are associated with private keys, such as the PKI Services CA certificate, you should periodically retire the private key and replace it with a new one. This process is commonly called certificate rekeying or key rollover. Do this to limit how long, and for how many signatures, any one private key is in use: the longer a key is used, the larger the body of material available to an attacker who is trying to recover it, and the greater the damage if it is ever compromised.

To rekey and roll over the PKI Services CA private key, use the REKEY and ROLLOVER operands of the RACF® RACDCERT command. The REKEY operand makes a self-signed copy of the original certificate (same subject name and attributes) with a new public-private key pair, under a new label. The ROLLOVER operand finalizes the rekey operation: it replaces the original certificate with the new certificate in every key ring to which the original certificate is connected, destroys the original private key, and carries over the serial number base so that certificates signed with the new key do not reuse serial numbers already issued under the old one.
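The rekey and rollover sequence described above, written out as TSO commands (with CLIST-style comments) as an added example; it is not taken from the original page. The certificate labels ('PKI Services CA', 'PKI Services CA 2'), the key type and size, the expiry date, the daemon user ID PKISRVD and the key ring name CAring are assumptions and must be replaced with your installation's values.

```tso
/* Added example, not from the original page. Labels, key size, dates, */
/* user ID and ring name are assumptions for illustration only.        */

/* 1. Create a self-signed copy of the CA certificate with a new key pair, */
/*    stored under a new label. The original certificate is untouched.     */
RACDCERT CERTAUTH REKEY(LABEL('PKI Services CA')) +
   WITHLABEL('PKI Services CA 2') RSA SIZE(4096) +
   NOTAFTER(DATE(2035-12-31))

/* 2. Confirm the new certificate exists and that it has a private key */
RACDCERT CERTAUTH LIST(LABEL('PKI Services CA 2'))

/* 3. Finalize: swap the new certificate into every key ring the original */
/*    is connected to, destroy the original private key and carry over    */
/*    the serial number base                                              */
RACDCERT CERTAUTH ROLLOVER(LABEL('PKI Services CA')) +
   NEWLABEL('PKI Services CA 2')

/* 4. Refresh the in-storage DIGTCERT profiles so the change takes effect */
SETROPTS RACLIST(DIGTCERT) REFRESH

/* 5. Verify: the retired certificate is still present (usable only to     */
/*    verify what it already signed) and the CA key ring now carries the  */
/*    new certificate                                                      */
RACDCERT CERTAUTH LIST(LABEL('PKI Services CA'))
RACDCERT ID(PKISRVD) LISTRING(CAring)
```

Run step 2 before step 3: ROLLOVER is not reversible, and once it completes the original private key is gone, so the new certificate must be present and correct first. The LIST output in step 5 should show the retired certificate without a private key, and the LISTRING output should show only the new label connected to the ring.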

A retired CA certificate cannot be used to sign new certificates. However, until it expires, it can still be used to verify certificates that it previously signed. If you have an RA certificate for SCEP processing that was signed by the retired CA certificate and was not replaced when that CA certificate was retired, you need to reconnect the retired CA certificate to the CA key ring (ROLLOVER removed it), so that the RA certificate's signature can still be verified.