Steps for renewing your PKI Services CA certificate

Before you begin

The commands in the steps that follow include several variables. The following table describes these variables. Determine the values for these variables and record the information in the blank boxes:
Table 1. Information you need for renewing your PKI Services certificate authority certificate
Information needed | Where to find this information | Record your value here
cacert_dsn - The data set name of your renewed CA certificate as exported from RACF®. (This data set is needed for recovery.) | |
ca_label - The label of your CA certificate in RACF | See Table 1. |
temp_dsn - The temporary data set to contain your new certificate request and returned certificate. | You decide this based on local data set naming conventions. |

Procedure

Perform the following steps to renew your PKI Services CA certificate:
  1. Create a new certificate request from your current CA certificate by entering the following RACF command from a TSO command prompt:
    RACDCERT CERTAUTH GENREQ(LABEL('ca_label')) DSN(temp_dsn)
  2. If your PKI Services certificate authority is a root CA (that is, it has a self-signed certificate, which is the default), generate the self-signed renewal certificate by entering the following RACF command from a TSO command prompt. The ca_expires variable indicates the new expiration date.
    RACDCERT CERTAUTH GENCERT(temp_dsn) NOTAFTER(DATE(ca_expires)) SIGNWITH(CERTAUTH LABEL('ca_label'))
  3. Alternatively, if your PKI Services certificate authority is an intermediate certificate authority, perform the following steps:
    1. Send the certificate request to the higher (external) CA, following the procedures that the higher authority requires. If your CA retains the original certificate signing requests (CSRs), you might not need to create and store a new request based on the expiring certificate. You might be able to request a renewal using the original CSR.
    2. After the certificate has been issued, receive the certificate back into the certificate data set (temp_dsn).
      Note: The procedure for doing this can vary greatly depending on how the higher certificate authority delivers the new certificate:
      • If the certificate is delivered as base64 encoded text, the easiest way to deposit the certificate into the data set is to edit the certificate data set:
        1. Delete all existing lines in temp_dsn.
        2. Copy the base64 encoded text.
        3. Paste the copied text into the ISPF edit window.
        4. Save.
      • If the certificate is delivered as binary data (also called DER encoded), the easiest way to deposit the certificate into the data set is to use binary FTP.
    3. Add the renewed certificate back into the RACF database by entering the following RACF command from a TSO command prompt:
      RACDCERT CERTAUTH ADD(temp_dsn)

      Do not specify a label on this command.

  4. Export the certificate in DER format to the CA certificate data set by entering the following RACF command from a TSO command prompt:
    RACDCERT CERTAUTH EXPORT(LABEL('ca_label')) DSN(cacert_dsn) FORMAT(CERTDER)
    Save this data set for recovery if needed later.
  5. If your PKI Services certificate authority is a root CA, and it is also the web server's root certificate, the renewed root needs to be accessible to the clients. To make your new certificate available to your clients, set up the /var/pkiserv directory by performing Step 2 through Step 4 in Steps for setting up the var directory.
  6. Stop and restart PKI Services.
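The following POSIX shell script is an added check and is not part of the PKI Services documentation. After the DER export written to cacert_dsn in step 4 has been downloaded in binary, it confirms that the file is a genuine renewal of the previous CA certificate: same subject, same key pair (the reason step 3 adds the certificate without a label), a NotAfter that moved forward, and not yet expired. It assumes the openssl command line tool and GNU date; the make_samples function builds constructed stand-in certificates with openssl in place of the RACF data sets.

```shell
#!/bin/sh
# Added example: check a renewed CA certificate before distributing it.
# Inputs: the previous CA certificate (PEM) and the DER file downloaded from
# cacert_dsn. A true renewal keeps the subject and the key pair (RACDCERT ADD
# without a label replaces the certificate under the existing label for this
# reason) and only moves NotAfter forward; a different key means a new CA.
set -e

# spki_hash FILE FORMAT -> SHA-256 of the certificate's SubjectPublicKeyInfo
spki_hash() {
    openssl x509 -in "$1" -inform "$2" -noout -pubkey \
        | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# not_after_epoch FILE FORMAT -> NotAfter as seconds since the epoch (GNU date)
not_after_epoch() {
    date -u -d "$(openssl x509 -in "$1" -inform "$2" -noout -enddate | cut -d= -f2)" +%s
}

# verify_renewal OLD_PEM NEW_DER -> returns 0 only if NEW is a renewal of OLD
verify_renewal() {
    old=$1 new=$2
    old_subj=$(openssl x509 -in "$old" -inform PEM -noout -subject)
    new_subj=$(openssl x509 -in "$new" -inform DER -noout -subject)
    [ "$old_subj" = "$new_subj" ] || { echo "FAIL: subject changed ($new_subj)"; return 1; }
    [ "$(spki_hash "$old" PEM)" = "$(spki_hash "$new" DER)" ] \
        || { echo "FAIL: public key changed; this is a new CA, not a renewal"; return 1; }
    [ "$(not_after_epoch "$new" DER)" -gt "$(not_after_epoch "$old" PEM)" ] \
        || { echo "FAIL: NotAfter did not move forward"; return 1; }
    openssl x509 -in "$new" -inform DER -noout -checkend 0 >/dev/null \
        || { echo "FAIL: renewed certificate is already expired"; return 1; }
    echo "OK: same subject and key pair, $(openssl x509 -in "$new" -inform DER -noout -enddate)"
}

# make_samples DIR: constructed stand-ins for the old certificate (PEM), the
# renewed certificate as exported to cacert_dsn (DER) and, for contrast, a
# certificate with the same name but a fresh key pair (DER)
make_samples() {
    d=$1; subj="/O=Example Corp/CN=Example PKI Services CA"   # constructed name
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$d/ca.key" 2>/dev/null
    openssl req -x509 -new -key "$d/ca.key" -subj "$subj" -days 30 -out "$d/old.pem" 2>/dev/null
    openssl req -x509 -new -key "$d/ca.key" -subj "$subj" -days 3650 \
        -outform DER -out "$d/renewed.der" 2>/dev/null
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$d/other.key" 2>/dev/null
    openssl req -x509 -new -key "$d/other.key" -subj "$subj" -days 3650 \
        -outform DER -out "$d/newkey.der" 2>/dev/null
}

# Usage: sh check_renewal.sh old_ca.pem cacert.der
if [ $# -eq 2 ]; then verify_renewal "$1" "$2"; fi
```

The same checks apply to an intermediate CA renewed by a higher authority, since none of them depend on the certificate being self-signed.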