Steps for renewing your PKI Services CA certificate
Before you begin
The commands in the steps that follow include several variables. The following table describes these variables. Determine the values for these variables and record the information in the blank boxes:
Information needed | Where to find this information | Record your value here |
---|---|---|
cacert_dsn - The data set name of your renewed CA certificate as exported from RACF®. (This data set is needed for recovery.) | | |
ca_label - The label of your CA certificate in RACF | See Table 1. | |
temp_dsn - The temporary data set to contain your new certificate request and returned certificate. | You decide this based on local data set naming conventions. | |
Procedure
Perform the following steps to renew your PKI Services CA certificate:
- Create a new certificate request from your current CA certificate by entering the following RACF command from a TSO command prompt:
RACDCERT CERTAUTH GENREQ(LABEL('ca_label')) DSN(temp_dsn)
- If your PKI Services certificate authority is a root CA (that is, it has a self-signed certificate, which is the default), generate the self-signed renewal certificate by entering the following RACF command from a TSO command prompt. The ca_expires variable indicates the new expiration date.
RACDCERT CERTAUTH GENCERT(temp_dsn) NOTAFTER(DATE(ca_expires)) SIGNWITH(CERTAUTH LABEL('ca_label'))
- Alternately, if your PKI Services certificate authority is an intermediate certificate authority, perform the following steps:
  - Send the certificate request to the higher (external) CA, following the procedures that the higher authority requires. If your CA retains the original certificate signing requests (CSR), you might not need to create and store a new request based on the expiring certificate. You might be able to request a renewal using the original CSR.
  - After the certificate has been issued, receive the certificate back into the certificate data set (temp_dsn).
    Note: The procedure for doing this can vary greatly depending on how the higher certificate authority delivers the new certificate:
    - If the certificate is delivered as base64 encoded text, the easiest way to deposit the certificate into the data set is to edit the certificate data set:
      - Delete all existing lines in temp_dsn.
      - Copy the base64 encoded text.
      - Paste the copied text into the ISPF edit window.
      - Save.
    - If the certificate is delivered as binary data (also called DER encoded), the easiest way to deposit the certificate into the data set is to use binary FTP.
- Add the renewed certificate back into the RACF database by entering the following RACF command from a TSO command prompt. Do not specify a label on this command.
RACDCERT CERTAUTH ADD(temp_dsn)
- Export the certificate in DER format to the CA certificate data set by entering the following RACF command from a TSO command prompt. Save this data set for recovery if needed later.
RACDCERT CERTAUTH EXPORT(LABEL('ca_label')) DSN(cacert_dsn) FORMAT(CERTDER)
- If your PKI Services certificate authority is a root CA, and it is also the web server's root certificate, the renewed root needs to be accessible to the clients. To make your new certificate available to your clients, set up the /var/pkiserv directory by performing Step 2 through Step 4 in Steps for setting up the var directory.
- Stop and restart PKI Services.
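A pre-flight check on the certificate returned by the higher CA, to run before it is received into temp_dsn and added with RACDCERT ADD. This is an added example, not part of the PKI Services documentation: it assumes OpenSSL on a workstation, and takes as arguments the request exported from temp_dsn and the file delivered by the higher CA, in either the base64 or the DER form the steps above describe. It confirms the returned certificate carries the same public key and subject as the request (the request was generated from the existing CA certificate) and that the new expiration date is usable.

```shell
#!/bin/sh
# Added example (not from the PKI Services documentation). Requires OpenSSL.

# Normalise a delivered certificate (base64/PEM text or DER binary) to PEM on stdout.
to_pem() {
    if grep -q 'BEGIN CERTIFICATE' "$1" 2>/dev/null; then
        openssl x509 -in "$1" -inform PEM
    else
        openssl x509 -in "$1" -inform DER
    fi
}

# check_renewed_cert CSR CERT [MIN_DAYS]
# Returns 0 when CERT has the same public key and subject as CSR and remains
# valid for at least MIN_DAYS (default 30); a non-zero code identifies the failure.
check_renewed_cert() {
    csr=$1; cert=$2; min_days=${3:-30}
    pem=$(to_pem "$cert") || { echo "cannot parse certificate $cert" >&2; return 1; }

    # The renewal request was generated from the current CA key, so the returned
    # certificate must contain exactly that public key (compare SPKI digests).
    csr_key=$(openssl req -in "$csr" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    cert_key=$(printf '%s\n' "$pem" | openssl x509 -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    [ "$csr_key" = "$cert_key" ] || { echo "public key does not match the request" >&2; return 2; }

    # The subject (the CA's distinguished name) must be unchanged by the higher CA.
    csr_subj=$(openssl req -in "$csr" -noout -subject -nameopt RFC2253)
    cert_subj=$(printf '%s\n' "$pem" | openssl x509 -noout -subject -nameopt RFC2253)
    [ "${csr_subj#subject=}" = "${cert_subj#subject=}" ] || { echo "subject does not match the request" >&2; return 3; }

    # -checkend takes seconds: fail if the certificate expires within min_days.
    printf '%s\n' "$pem" | openssl x509 -noout -checkend $((min_days * 86400)) >/dev/null \
        || { echo "certificate expires within $min_days days" >&2; return 4; }
    return 0
}
```

Run it as `check_renewed_cert renew.csr delivered.cer` on the files you downloaded from the host and received from the higher CA; a zero exit status means the file is safe to place into temp_dsn.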