Valid on z/OS.
Use the REKEY command function to create a new certificate from an existing certificate with a new public/private key pair. The REKEY command is the first step of a rekey-rollover process to retire the use of an existing private key.
The REKEY command copies the subject's distinguished name, key usage and subject alternate name from the existing certificate. The new certificate is self-signed and saved under the same logonid or CERTAUTH or CERTSITE.
If the new certificate needs to be signed by a third party CA or CA Top Secret, issue a TSS GENREQ command to copy the new certificate to a dataset then FTP the new certificate to the third party CA or input to the TSS GENCERT so it may be signed with CA Top Secret. Do this prior to the TSS ROLLOVER command.
Specify a DIGICERT name as part of all REKEY functions since the DIGICERT keyword indicates the name used in the digital certificate.
Administrators must have ACID(MAINTAIN) for users within their scope, and MISC4(CERTGEN). Also, MISC4(CERTSITE) for CERTSITE ACID and MISC4(CERTAUTH) for CERTAUTH ACID. This command function has the following format:
TSS REKEY {acid|CERTAUTH|CERTSITE}
[DIGICERT(existing—certificate—id)]
[NEWDIGIC(new—certificate—id)]
[NEWLABLC(new—certificate—label)]
[KEYSIZE(512|768|1024|2048)]
[ICSF|PCICC]
[NBDATE({not—before—date)] NBTIME(not—before—time)
[NADATE(not—after=date|) NADATE(not—after—date)
(Mandatory) Specifies a case sensitive character ID that identifies existing certificate.
Range: 1 to 8 characters
(Mandatory) Specifies a case sensitive character ID of the new certificate.
(Optional) Specifies the new certificate's a character label. The label can contain blanks and mixed case characters. The new label must be unique to the logonid with which the new certificate is associated. If a label is not specified, the label field defaults to the upper case version of the ACID.
Note: For every one apostrophe desired in the Label value, two consecutive apostrophes must be specified. For example, the Label value, Frank's Certificate, should be specified as, Frank"s Certificate. If a single apostrophe is specified in the Label value, the value is considered invalid.
Range: 1 to 32 characters
Specifies the size of the private encryption key in decimal bits.
Valid Options: 512, 768, and 1024, and 2048
Default: 1024
(Optional) Indicates that the generated private key is placed in ICSF. If the DSN parameter was also specified and an existing certificate is replaced, the certificate will also be placed in ICSF. ICSF must be active and configured for PKA operations. If it is not an error message is displayed when attempting to insert or use the private key.
(Optional) Specifies that the key pair should be generated using the PCI Cryptographic Coprocessor and that the private key should be stored in ICSF. When PCICC is not specified, the key pair is generated using software. PCICC cannot be used with the DSN parameter or with the ICSF parameter. If a PCI cryptographic coprocessor is not present or operational, or if ICSF is not active or configured for PKA operations, an error message is displayed and processing will terminate.
If neither ICSF nor PCICC is specified, the key pair is generated using software and stored in the CA Top Secret database.
Indicates the date and time that the certificate becomes active. If an expire date is not also specified, the active year specified must be before 2048, since the expire date defaults to the active day and time plus one year.
Range: 1950 to 2049
Time Default: 000000
Date Default: Current day and time
(Optional) Indicates the date and time that the certificate expires.
Range: 1950 to 2049
Time Default: 000000
Date Default: The active day and time plus 1 year
| Copyright © 2009 CA. All rights reserved. | Email CA about this topic |