Digital Certificates › General Rules › Change a Certificate's Trust Status

Change a Certificate's Trust Status

The status of the certificate is specified with the TRUST|NOTRUST|HITRUST keyword.

HITRUST

Specifies that the certificate is both highly trusted and trusted. Certificate usage applying to trusted certificates also applies to highly trusted certificates. Only CA certificates (CERTAUTH) can be highly trusted.

TRUST

Specifies that the certificate is valid for the user, site, or CA and the private key is not compromised. On a:

• USER certificate—TRUST indicates that the certificate can be used to authenticate an ACID.
• CERTSITE certificate—TRUST indicates that the certificate can be used without authenticating it.
• CERTAUTH certificate—TRUST indicates that the certificate can be used to authenticate other certificates.

NOTRUST

Indicates that the certificate is not trusted.

The trust status is set to the CA's trust status if the:

• Certificate’s signature can be verified
• Certificate has not expired
• Certificate’s validity dates fall within the range of the signing certificate

The default trust status for self-signed certificates is TRUST.

The trust status is set to NOTRUST if the certificate being added or generated:

• Has expired
• Has an invalid validity date range
• Cannot be verified

The trust status of the new certificate is set to TRUST if the trust status coming from the signing certificate is HITRUST.

To identify the digital certificate to update use:

• DIGICERT
• LABLCERT
• Both SERIALNUM and ISSUERDN

To change the status of a certificate, enter the command:

TSS REPLACE(acid|CERTAUTH|CERTSITE) [DIGICERT(name)]
                                [LABLCERT(label name)]
                                [SERIALNUM(serial number)]
                                [ISSUERDN(issuer's dist name)]
                                TRUST|NOTRUST|HITRUST

Example: replacing status

This example changes a certificates status:

TSS REPLACE(user1) DIGICERT(cert0001)
                   NOTRUST