/****************************************/
/*                                      */
/*        RENEW External CA Certs       */
/*                                      */
/****************************************/

/****************************************/
/* Links                                */
/****************************************/
SAFCRRPT Certificate Utility Parameters:
https://techdocs.broadcom.com/us/en/ca-mainframe-software/security/ca-top-secret-for-z-os/16-0/reporting/certificate-utility.html

Digital Certificate Best Practices:
https://knowledge.broadcom.com/external/article?articleId=16065

TSS ADD to Renew an Expiring Certificate:
https://knowledge.broadcom.com/external/article?articleId=106163

Using TSS REPLACE instead of TSS ADD:
https://knowledge.broadcom.com/external/article?articleId=25832

/****************************************/
/* TOP SECRET                           */
/****************************************/

/* SAMPLE COMMANDS */

TSS GENREQ(USER1) DIGICERT(OLDCERT) -
    DCDSN('USER1.CERT.UNSIGNED')

- Send to Certification Authority -

TSS CHKCERT DCDSN('USER1.CERT.RENEWED')

TSS ADD(USER1) DIGICERT(NEWCERT) DCDSN('USER1.CERT.RENEWED')

TSS EXPORT(USER1) DIGICERT(NEWCERT) -
    DCDSN('USER1.CERT.SAVED') FORMAT(PKCS7DER)

TSS CHKCERT DCDSN('USER1.CERT.SAVED')

TSS EXPORT(USER1) DIGICERT(OLDCERT) -
    FORMAT(PKCS12DER) PKCSPASS(password) -
    DCDSN(OLDCERT.DIGICERT.DATASET)

TSS REM(USER1) DIGICERT(OLDCERT)

TSS EXPORT(USER1) DIGICERT(NEWCERT) -
    FORMAT(PKCS12DER) PKCSPASS(password) -
    DCDSN(NEWCERT.DIGICERT.DATASET)

TSS ADD(USER1) DIGICERT(OLDCERT) -
    FORMAT(PKCS12DER) PKCSPASS(password) -
    DCDSN(NEWCERT.DIGICERT.DATASET)

TSS ADD(USER1) KEYRING(TESTRING) RINGDATA(USER1,OLDCERT) -
    USAGE(PERSONAL)

/* SAMPLE OUTPUT */

BEFORE:
NOT BEFORE = 2021/03/04 00:00:00 UTC
NOT AFTER  = 2022/03/04 23:59:59 UTC

AFTER:
NOT BEFORE = 2021/03/11 00:00:00 UTC
NOT AFTER  = 2030/12/30 23:59:59 UTC

/* NOTES */

- You will need to perform a TSS EXPORT command for the certificate before issuing the TSS CHKCERT command.
- You cannot ADD the new certificate with the same DIGICERT name. The implication of this is that the new signed certificate will need to be re-added to any keyrings that the original certificate was attached to, and the old certificate will need to be removed from those keyrings.
- It is also important that the ACID used for the TSS GENREQ and the TSS ADD is the same. If the certificate is added under the wrong ACID, the private key will be lost.
- The output from the TSS CHKCERT command will show you that the expiration date (labelled as NOT AFTER) has changed.
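The date check a practitioner would want after the second TSS CHKCERT, as an added example that is not from the page or from Broadcom: it parses the NOT BEFORE / NOT AFTER lines of the sample output above and confirms the renewed certificate is already valid today and outlives the one it replaces by a margin. The BEFORE:/AFTER: section labels, the line layout the regex expects and the 30-day margin are assumptions.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the BEFORE/AFTER blocks from the TSS CHKCERT output on this page.
CHKCERT_OUTPUT = """\
BEFORE:
NOT BEFORE = 2021/03/04 00:00:00 UTC
NOT AFTER  = 2022/03/04 23:59:59 UTC
AFTER:
NOT BEFORE = 2021/03/11 00:00:00 UTC
NOT AFTER  = 2030/12/30 23:59:59 UTC
"""

# Assumed layout: "NOT BEFORE = yyyy/mm/dd hh:mm:ss UTC" (same for NOT AFTER).
LINE_RE = re.compile(
    r"^\s*NOT (BEFORE|AFTER)\s*=\s*(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) UTC\s*$"
)


def parse_chkcert(text):
    """Return {section: (not_before, not_after)} for each 'LABEL:' section in the snippet."""
    sections, fields = {}, None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.endswith(":") and len(stripped) > 1:  # section label, e.g. "BEFORE:"
            fields = sections.setdefault(stripped[:-1], {})
            continue
        m = LINE_RE.match(line)
        if m and fields is not None:
            when = datetime.strptime(m.group(2), "%Y/%m/%d %H:%M:%S")
            fields[m.group(1)] = when.replace(tzinfo=timezone.utc)
    return {name: (f["BEFORE"], f["AFTER"]) for name, f in sections.items()}


def days_remaining(not_after, now):
    """Whole days left before the certificate's NOT AFTER timestamp."""
    return (not_after - now).days


def renewal_extends_validity(old, new, now, min_days=30):
    """True only if the renewed cert is valid at 'now' and expires after the old one with margin.

    A renewed cert whose NOT BEFORE is still in the future would fail this check, which is
    the case to catch before swapping it onto the keyring.
    """
    _, old_not_after = old
    new_not_before, new_not_after = new
    return (new_not_before <= now <= new_not_after
            and new_not_after > old_not_after
            and days_remaining(new_not_after, now) >= min_days)
```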