REKEY Function—Create Certificate from Existing Certificate

Command Functions › REKEY Function—Create Certificate from Existing Certificate

REKEY Function—Create Certificate from Existing Certificate

Valid on z/OS.

Use the REKEY command function to create a new certificate from an existing certificate with a new public/private key pair. The REKEY command is the first step of a rekey-rollover process to retire the use of an existing private key.

The REKEY command copies the subject's distinguished name, key usage and subject alternate name from the existing certificate. The new certificate is self-signed and saved under the same logonid or CERTAUTH or CERTSITE.

If the new certificate needs to be signed by a third party CA or CA Top Secret, issue a TSS GENREQ command to copy the new certificate to a dataset then FTP the new certificate to the third party CA or input to the TSS GENCERT so it may be signed with CA Top Secret. Do this prior to the TSS ROLLOVER command.

Specify a DIGICERT name as part of all REKEY functions since the DIGICERT keyword indicates the name used in the digital certificate.

Administrators must have:

ACID(MAINTAIN) and MISC4(CERTGEN) for users within their scope
MISC4(CERTSITE) for CERTSITE ACID
MISC4(CERTAUTH) for CERTAUTH ACID
Administrators without the above authorities can issue the REKEY command if they have:
- UPDATE access to TSSCMD.CERTUSER.REKEY in the CASECAUT resource class when the certificate is associated with a user ACID
- UPDATE access to TSSCMD.CERTSITE.REKEY in the CASECAUT resource class when referencinging a site certificate
- UPDATE access to TSSCMD.CERTAUTH.REKEY in the CASECAUT resource class when referencinging a certificate-authority certificate

This command function has the following format:

TSS REKEY {acid|CERTAUTH|CERTSITE}
          [DIGICERT(existing—certificate—id)]
          [NEWDIGIC(new—certificate—id)]
          [NEWLABLC(new—certificate—label)]
          [KEYSIZE(nnnn)]
          [ICSF|PCICC|NISTECC|BPECC]
          [NBDATE({not—before—date} NBTIME(not—before—time)]
          [NADATE(not—after=date|) NATIME(not—after—time)]
          [LABLPKDS]

DIGICERT(id)

(Mandatory) Specifies a case sensitive character ID that identifies existing certificate.

Range: 1 to 8 characters

NEWDIGIC(id)

(Mandatory) Specifies a case sensitive character ID of the new certificate.

NEWLABLC(label)

(Optional) Specifies the new certificate's a character label. The label can contain blanks and mixed case characters. The new label must be unique to the logonid with which the new certificate is associated. If a label is not specified, the label field defaults to the upper case version of the ACID.

Note: For every one apostrophe desired in the Label value, two consecutive apostrophes must be specified. For example, the Label value, Frank's Certificate, should be specified as, Frank”s Certificate. If a single apostrophe is specified in the Label value, the value is considered invalid.

Range: 1 to 32 characters

KEYSIZE

Specifies the size of the private encryption key in decimal bits.
Limits:
- Non-NISTECC and non-BPECC: any numeric value from 512 to 4096.
- For NISTECC, one of the following: 192, 224, 256, 384, 521.
- For BPECC, one of the following: 160, 192, 224, 256, 320, 384, 512.
Default:
- Non-NISTECC and non-BPECC:1024.
- NISTECC and BPECC: 192.

The maximum key size is dependent on the private key type.

Private key type maximum key sizes are:

BPECC key—512 bits
NISTECC key—521 bits
ICSF RSA key—1024 bits
DSA key —2048 bits
Non-ICSF RSA key—4096 bits
PCI-class cryptographic coprocessor RSA key—4096 bits

Shorter ECC keys have key strengths comparable to longer RSA keys. The following table displays the comparable strength of each key type:

RSA Key Size (in bits)	NISTECC Key Size (in bits)	BPECC Key Size (in bits)
1024	192	160 or 192
2048	224	224
3072	256	256 or 320
7680	384	384
15360	521	512

Currently, the standard key sizes for RSA keys are as follows:

512—Specifies a low-strength key
1024—Specifies a medium-strength key
2048—Specifies a high-strength key
4096—Specifies a very high-strength key

ICSF: (Optional) Indicates that the generated private key is placed in ICSF. If ICSF, PCICC, or LABLPKDS is not specified with ADD, the key is stored in the security file as a non-ICSF key. If the DSN parameter was also specified and an existing certificate is replaced, the existing certificate is also placed in ICSF. If ICSF is not active and configured for PKA operations, an error message is displayed when attempting to insert or use the private key.
PCICC: (Optional) Specifies that the key pair should be generated using the PCI Cryptographic Coprocessor and that the private key should be stored in ICSF. When PCICC is not specified, the key pair is generated using software. PCICC cannot be used with the DSA, DSN, or ICSF parameters. If a PCI cryptographic coprocessor is not present or operational, or if ICSF is not active or configured for PKA operations, an error message is displayed and processing will terminate.
NISTECC: (Optional) Specifies the key pair should be generated using National Institute of Standards and Technology (NIST) algorithm instead of the RSA algorithm. This parameter cannot be used with the ICSF, DSA, or BPECC parameters.
BPECC: (Optional) Specifies to generate the key pair using the brainpool ECC algorithm instead of the RSA algorithm. This parameter cannot be used with the ICSF, DSA, or NISTECC parameters.

Notes:

If you do not specify ICSF, PCICC, NISTECC, or BPECC, the key pair is generated using software and stored in the CA Top Secret database.
REKEY processing prevents the downgrade from an ICSF/PCICC private key to a private key stored in the security product database.
If you do not specify ICSF, PCICC, NISTECC, or BPECC, REKEY will use what was used on the original certificate.
REKEYing from a NISTECC or BPECC certificate to a non-ECC certificate (and conversely) is not allowed.
You do not need to specify anything to go from NISTECC to NISTECC or from BPECC to BPECC.
Specify NISTECC to go from BPECC to NISTECC (and conversely).

NBDATE/NBTIME Format(mm/dd/yy) Time(hh:mm:ss)

Indicates the date and time that the certificate becomes active. If no expire date is specified, the active year specified must be before 2048, because the expire date defaults to the active day and time plus one year.

Range: 1950 to 2049

Time Default: 000000

Date Default: Current day and time

NADATE/NATIME Format(mm/dd/yy) Time(hh:mm:ss)

(Optional) Indicates the date and time that the certificate expires.

Range: 1950 to 2049

Time Default: 000000

Date Default: The active day and time plus one year.

LABLPKDS

(Optional) Specifies the PKDS label of the record created in the ICSF Public Key Data Set (PKDS). This field is used with the ICSF, PCICC, NISTECC, and BPECC keywords. If LABLPKDS is specified without ICSF or PCICC, the key will be generated by the hardware and saved in CRT format in the ICSF PKDS. If NISTECC or BPECC is specified, the key will be an ECC key. Otherwise, the key that is generated will be an RSA key.

Specify a value of (*) to take the value from the LABLCERT keyword. In this case, LABLCERT must be specified along side LABLPKDS(*). If LABLPKDS(*) is specified without the LABLCERT keyword, an error message is displayed.

The PKDS label must conform to ICSF label syntax rules. The first character must be alphabetic or national.

Valid characters: Alphanumeric, national (@,#,$) or period(.).

Range: Up to 64 characters

Example: REKEY function

This example creates the new certificate Locca4 for the existing certificate CERTAUTH.

TSS REKEY(CERTAUTH) DIGICERT(Locca4)
                    NEWDIGIC(locca5)
                    NADATE(12/31/08)