

Replace an Expired Certificate

Use the REKEY and ROLLOVER commands to replace an expired certificate.

The REKEY command:

The ROLLOVER command:

The new certificate:

The original certificate can still verify signatures and decrypt data, but cannot sign or encrypt.

Example: replacing an expired certificate

In this example, the ACID 'CERTSITE' is the owner of certificate JOECERT1.

DIGICERT(JOECERT1) with a LABLCERT(JOECERT1) has been given to 1000 keyrings. Now, JOECERT1 has expired and needs to be replaced with a new Digital Certificate.

  1. Enter the command:
    TSS REKEY(CERTSITE) DIGICERT(JOECERT1) NEWDIGIC(JOECERT2)

    A new certificate called JOECERT2 based on the expired certificate JOECERT1 is created.

  2. Enter the command:
    TSS GENREQ(CERTSITE) DIGICERT(JOECERT2) DCDSN(JOECERT2.CERT.UNSIGNED)

    JOECERT2 is copied to a data set.

  3. FTP the certificate to be signed by the third-party Certificate Authority.
  4. Enter the command:
    TSS REP(CERTSITE) DIGI(JOECERT1) LABLCERT('JOECERT1 OLD')

    The LABLCERT of JOECERT1 is renamed.

  5. Enter the command:
    TSS ADD(CERTSITE) DIGICERT(JOECERT3)
                      DCDSN(JOECERT2.CERT.SIGNED)
                      TRUST LABLCERT('JOECERT1')

    The signed certificate is added to CA Top Secret under a new DIGICERT name called JOECERT3 and a LABLCERT of JOECERT1.

  6. Enter the command:
    TSS ROLLOVER(CERTSITE) DIGICERT(JOECERT1) NEWDIGIC(JOECERT3)

    The new JOECERT3 certificate is propagated to the 1000 keyrings.
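The six steps above, replayed against a small in-memory model as an added example (constructed here, not CA Top Secret code): the store, the keyrings, the simulated CA signature and the rule that a LABLCERT must be unique within an ACID are all assumptions, used to check the label swap, the propagation to every keyring, and the reduced usage of the original certificate after ROLLOVER.

```python
# Constructed model (not CA Top Secret code) of the REKEY -> GENREQ -> ADD -> ROLLOVER
# sequence.  Assumption: a LABLCERT is unique among one ACID's certificates.
FULL_USAGE = frozenset({"sign", "encrypt", "verify", "decrypt"})
ROLLED_OVER_USAGE = frozenset({"verify", "decrypt"})  # page: old cert only verifies/decrypts


class CertStore:
    def __init__(self):
        self.certs = {}     # DIGICERT name -> {owner, label, signed, trusted, usage}
        self.keyrings = {}  # keyring name -> set of DIGICERT names it holds

    def add(self, owner, digicert, label, signed=True, trust=True):
        if any(c["owner"] == owner and c["label"] == label for c in self.certs.values()):
            raise ValueError(f"LABLCERT {label!r} already used by {owner}; rename the old one first")
        self.certs[digicert] = {"owner": owner, "label": label, "signed": signed,
                                "trusted": trust, "usage": set(FULL_USAGE)}

    def rekey(self, owner, digicert, newdigic):
        # Step 1: new key pair based on the expired certificate, not yet CA-signed
        self.add(owner, newdigic, newdigic, signed=False, trust=False)

    def genreq(self, digicert):
        # Step 2: stands in for the request written to the DCDSN data set
        return {"request_for": digicert}

    def relabel(self, digicert, label):
        # Step 4: frees the original LABLCERT for the replacement certificate
        self.certs[digicert]["label"] = label

    def rollover(self, digicert, newdigic):
        # Step 6: swap the certificate in every keyring that holds the old one
        new = self.certs[newdigic]
        if not (new["signed"] and new["trusted"]):
            raise ValueError("new certificate must be CA-signed and TRUSTed before ROLLOVER")
        for ring in self.keyrings.values():
            if digicert in ring:
                ring.discard(digicert)
                ring.add(newdigic)
        self.certs[digicert]["usage"] = set(ROLLED_OVER_USAGE)


def run_example(n_keyrings=1000):
    s = CertStore()
    s.add("CERTSITE", "JOECERT1", "JOECERT1")
    for i in range(n_keyrings):
        s.keyrings[f"RING{i:04d}"] = {"JOECERT1"}
    s.rekey("CERTSITE", "JOECERT1", "JOECERT2")                       # step 1
    signed = dict(s.genreq("JOECERT2"), ca_signature="simulated")      # steps 2-3
    s.relabel("JOECERT1", "JOECERT1 OLD")                              # step 4
    s.add("CERTSITE", "JOECERT3", "JOECERT1", signed="ca_signature" in signed)  # step 5
    s.rollover("JOECERT1", "JOECERT3")                                 # step 6
    return s
```

Skipping step 4 makes step 5 fail in this model, which is why the original label is renamed before the signed certificate is added under it.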