ROLLOVER Function—Specify Original Certificate

Valid on z/OS.

Use the ROLLOVER command function to specify the original certificate that is superseded by the new certificate. The ROLLOVER sub-command is the final step in the REKEY command rollover process.

The ROLLOVER command function:

When the rollover is complete, the new certificate is used as if it were the original certificate. The original certificate is still available to verify signatures and decrypt data, but can no longer be used to sign or encrypt.

Specify the DIGICERT and NEWDIGIC names as part of all ROLLOVER functions, since these keywords indicate the names used in the digital certificate ROLLOVER command.

Administrators must have:

This command function has the following format:

TSS ROLLOVER {acid|CERTAUTH|CERTSITE}
             [DIGICERT(old-certificate-id)]
             [NEWDIGIC(new-certificate-id)]
             [FORCER]

Note: The ROLLOVER sub-command has a degenerative feature where the private key of the certificate is deleted if both DIGICERT and NEWDIGIC are the same and the FORCER keyword is also used.

Example: ROLLOVER function

This example completes the re-keying of the TEN certificate.

TSS ROLLOVER(CERTSITE) DIGICERT(NINE)
                       NEWDIGIC(TEN)
                       FORCER
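
The Note above states that FORCER combined with identical DIGICERT and NEWDIGIC names deletes the private key. The following pre-submission check for ROLLOVER commands is an added example, not CA code; the helper name check_rollover, the case-insensitive name comparison, and the second sample command are assumptions made for illustration.

```python
import re

# Keywords as they appear in the command format and example on this page.
KEYWORD_RE = re.compile(r"\b(ROLLOVER|DIGICERT|NEWDIGIC)\s*\(\s*([^)\s]*)\s*\)", re.I)

def check_rollover(command):
    """Return a list of findings for one TSS ROLLOVER command (hypothetical helper)."""
    text = " ".join(command.split())          # fold continuation lines into one
    if not re.match(r"TSS\s+ROLLOVER\b", text, re.I):
        return ["ERROR: not a TSS ROLLOVER command"]
    fields = {k.upper(): v.upper() for k, v in KEYWORD_RE.findall(text)}
    # Remove keyword(value) groups so a certificate named FORCER is not
    # mistaken for the FORCER keyword.
    forced = re.search(r"\bFORCER\b", KEYWORD_RE.sub(" ", text), re.I) is not None
    findings = []
    for kw in ("DIGICERT", "NEWDIGIC"):
        if not fields.get(kw):
            findings.append(f"ERROR: {kw} is missing or empty")
    old, new = fields.get("DIGICERT"), fields.get("NEWDIGIC")
    # Assumption: certificate names are compared case-insensitively.
    if old and new and old == new:
        if forced:
            findings.append("ERROR: DIGICERT and NEWDIGIC match and FORCER is set; "
                            "the private key would be deleted")
        else:
            findings.append("WARN: DIGICERT and NEWDIGIC name the same certificate")
    return findings

# The example command from this page.
PAGE_EXAMPLE = """TSS ROLLOVER(CERTSITE) DIGICERT(NINE)
                       NEWDIGIC(TEN)
                       FORCER"""
# Constructed sample: same name in both keywords plus FORCER.
SAME_NAME_FORCED = "TSS ROLLOVER(CERTSITE) DIGICERT(TEN) NEWDIGIC(TEN) FORCER"

if __name__ == "__main__":
    for cmd in (PAGE_EXAMPLE, SAME_NAME_FORCED):
        print(" ".join(cmd.split()))
        for finding in check_rollover(cmd) or ["OK"]:
            print("   ", finding)
```

Run it over command text before submission; an empty result means both names are present and differ.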


Copyright © 2009 CA. All rights reserved.