My certificate has expired – how do I renew it?

Once you know, this is an easy question.

//IBMRACF  JOB 1,MSGCLASS=H 
//S1 EXEC PGM=IKJEFT01,REGION=0M
//SYSPRINT DD SYSOUT=*
//SYSTSPRT DD SYSOUT=*
//SYSTSIN DD *
RACDCERT ID(START1) GENREQ(LABEL('NEWTECCTEST')) -
DSN('COLIN.CERT.REQ')

RACDCERT ID(START1) GENCERT('COLIN.CERT.REQ') -
NOTAFTER( DATE(2027-12-21)) -
SIGNWITH (CERTAUTH LABEL('DOCZOSCA'))
RACDCERT LIST (LABEL('NEWTECCTEST')) ID(START1)
//

The first command takes my existing (expired) certificate belonging to userid START1 and creates a certificate request in the data set. The request looks like

-----BEGIN NEW CERTIFICATE REQUEST-----                               
MIIBgjCCAQcCAQAwNzEUMBIGA1UEChMLTkVXVEVDQ1RFU1QxDDAKBgNVBAsTA1NT
...
qZgQtwIwbYYgRWDQcPOZ92sVszf5Bv+mslcDjNAuM5Sj4Z9uadnKsaTmiy6h16tr
TpPAW84d
-----END NEW CERTIFICATE REQUEST-----

The GENCERT command renews it with the specified date. If you omit the date, it defaults to a year from the start date.

With most of my gencert requests, I have specified information like

RACDCERT ID(COLIN) GENCERT -
SUBJECTSDN(CN('10.1.1.2') -
O('NISTEC256') -
OU('SSS')) -
ALTNAME(IP(10.1.1.2)) -
NISTECC -
KEYUSAGE(HANDSHAKE) -
SIZE(256) -
SIGNWITH (CERTAUTH LABEL('DOCZOSCA')) -
WITHLABEL('NISTEC256')

Because I passed it a data set, the information was taken from the data set. I think it ignores SUBJECTSDN etc. data if a data set is used.

When I specified a 2028 date I got the message

IRRD113I The certificate that you are creating has an incorrect date range.  The certificate is added with NOTRUST status.  

The IRRD113I message says

“has an incorrect date range”, the date range of the certificate being added is not within the date range established by the CA (certificate authority) certificate.

This is a hint that I need to renew my CA certificate as it will expire in the next two years.

After the gencert command was successful, the list command gave

Digital certificate information for user START1:                    

Label: NEWTECCTEST
Certificate ID: 2Qbi48HZ4/HVxebjxcPD48Xi40BA
Status: NOTRUST
Start Date: 2026/02/25 00:00:00
End Date: 2027/12/21 23:59:59
Serial Number:
>5B<
Issuer's Name:
>CN=DocZosCA.OU=CA.O=COLIN<
Subject's Name:
>CN=10.1.1.2.OU=SSS.O=NEWTECCTEST<
Subject's AltNames:
IP: 10.1.1.2
Signing Algorithm: sha256RSA
Key Usage: HANDSHAKE
Key Type: NIST ECC
Key Size: 384
Private Key: YES
...

Once I had renewed it, I had to restart the servers using it so they picked up the updated certificate.
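
The IRRD113I condition can be checked from RACDCERT LIST output before choosing a NOTAFTER date or after a renewal. The Python below is an added example, not part of the original post: it parses the listing layout shown above and reports a certificate whose dates fall outside the CA's, whose status is not TRUST, or which is not valid at check time. The CA listing and its dates are constructed, and the function names are hypothetical.

```python
from datetime import datetime

# Leaf fields copied from the listing in this post (remaining lines omitted).
LEAF_LISTING = """\
Label: NEWTECCTEST
Status: NOTRUST
Start Date: 2026/02/25 00:00:00
End Date: 2027/12/21 23:59:59
Serial Number:
>5B<
"""
# Constructed CA listing: the post does not show the CA's dates, so these are assumed.
CA_LISTING = """\
Label: DOCZOSCA
Status: TRUST
Start Date: 2018/01/01 00:00:00
End Date: 2027/12/31 23:59:59
"""
FIELDS = ("Label", "Status", "Start Date", "End Date")

def parse_listing(text):
    """Extract label, status and validity dates from one RACDCERT LIST entry."""
    cert = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")  # split on the first colon only
        if sep and key.strip() in FIELDS:
            cert[key.strip()] = value.strip()
    for key in ("Start Date", "End Date"):
        cert[key] = datetime.strptime(cert[key], "%Y/%m/%d %H:%M:%S")
    return cert

def check_renewal(leaf, ca, now):
    """Return a list of findings; an empty list means no problem was detected."""
    findings = []
    if leaf["Start Date"] < ca["Start Date"] or leaf["End Date"] > ca["End Date"]:
        findings.append("outside CA validity (the IRRD113I condition)")
    if leaf["Status"] != "TRUST":
        findings.append("status is " + leaf["Status"])
    if not leaf["Start Date"] <= now <= leaf["End Date"]:
        findings.append("not valid at check time")
    return findings

def latest_notafter(ca):
    """Latest NOTAFTER date (YYYY-MM-DD) that still nests inside the CA certificate."""
    return ca["End Date"].date().isoformat()

if __name__ == "__main__":
    leaf, ca = parse_listing(LEAF_LISTING), parse_listing(CA_LISTING)
    print(check_renewal(leaf, ca, datetime.now()), latest_notafter(ca))
```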
