REKEY Subcommand

The REKEY subcommand is used to create a certificate from an existing certificate with a new public/private key pair.

The public key of the pair is open to anyone in the system. The private key is stored on the user's device and is used to decrypt data. The REKEY subcommand is the first step of a rekey rollover process to retire the use of an existing private key. The rollover process specifies the old certificate that is to be superseded by the new certificate. The REKEY subcommand copies the subject's distinguished name, key usage, and subject alternate name from the existing certificate. The new certificate is self-signed and saved under the same logonid, CERTAUTH, or SITECERT record.
REKey{logonid|logonid.suffix|CERTAUTH|CERTAUTH.suffix|SITECERT|SITECERT.suffix} [Label(existing-certificate-label)] [WITHLbl(new-certificate-label)] [WITHSufx(new-certificate-suffix)] [SIZe({key-size})] [PCICC|ICSF|NISTECC|BPECC] [ACtive({date-or-date-time})] [Expire({date-or-date-time})] [PKDSLBL({PKDS label|*})]
Example: Create a certificate from an existing certificate

REKEY CERTAUTH LABEL(Local CA) WITHLBL(Local CA 2021) SIZE(1024) EXPIRE(03/30/21) WITHSUFX(LOCAL04)

In this example, CERTAUTH is the logonid that is associated with the certificate. Local CA (LABEL) is the existing certificate label. Local CA 2021 (WITHLBL) is the new certificate label. LOCAL04 (WITHSUFX) is the record suffix of the new certificate. SIZE indicates the size, in bits, of the private key to be generated. EXPIRE indicates the date and time that the certificate expires.
  • logonid|logonid.suffix|CERTAUTH|SITECERT
    Specifies the logonid of the user who is associated with the certificate. It can be a one- to eight-character logonid, or a logonid, a dot, and a one- to eight-character suffix. If Label is specified, specify logonid rather than logonid.suffix; Label indicates the logonid with which the label is associated.
  • Label(label)
    Specifies a one- to 32-character label of the existing certificate. The label can contain blanks and mixed-case characters.
  • WITHLbl(label)
    Specifies a one- to 32-character label for the new certificate. The WITHLBL value can contain blanks and mixed-case characters. The label must be unique to the logonid associated with the new certificate. If WITHLBL is not specified, the label field of the new certificate defaults to the uppercase version of the logonid or logonid.suffix that was specified.
  • WITHSufx(record suffix)
    Specifies a one- to eight-character suffix of the new certificate. The new suffix can contain mixed-case characters, but it is folded to uppercase. The new suffix must be unique to the logonid with which the new certificate is associated. The suffix is appended to the record key with a dot (.) preceding the suffix. If a suffix is not specified, the suffix is in the format AUTOnnn, where nnn is a number from 001 to 999.
  • SIZe({key-size})
    Specifies the size of the private key to be generated, in bits. If SIZE is not specified, the original certificate's key size is used. Valid key sizes for NISTECC are 192, 224, 256, 384, and 521 bits. Valid key sizes for BPECC keys are 160, 192, 224, 256, 320, 384, and 512 bits. The maximum key size depends on the private key type.
  • Expire({date-or-date-time})
    Indicates the date and time that the certificate expires. Valid date formats are YY/MM/DD, MM/DD/YY, DD/MM/YY, and DD/MM/YYYY (for example, 03/30/21 in MM/DD/YY). If no time is specified, it defaults to 000000. If no date is specified, it defaults to the active date and time plus one year. The specified year must be from 1950 to 2049.
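The parameter descriptions above amount to a set of input constraints (label and suffix lengths, uppercase folding of the suffix, the ECC key sizes that are valid for NISTECC and BPECC, the four EXPIRE date formats with the 1950 to 2049 year range, and the default expiry of active date plus one year). The following Python helper, added here as an illustration and not ACF2 code or any part of the product, builds a REKEY command string and rejects inputs that violate those stated rules before the command is ever submitted. The keyword order it emits, the two-digit year pivot (50-99 to 19xx, 00-49 to 20xx, chosen because the page allows only 1950 to 2049), and the record-key check are assumptions, marked as such in the comments.

```python
"""Build an ACF2 REKEY subcommand string while checking the constraints the
reference page states. Added illustration only; not ACF2 code and not the
product's own parser. Assumptions are marked in comments."""
from datetime import date

YEAR_MIN, YEAR_MAX = 1950, 2049
KEY_TYPES = ("PCICC", "ICSF", "NISTECC", "BPECC")
# SIZE values the page lists as valid for the two ECC key types; the page
# states no list for PCICC or ICSF, so those are not constrained here.
VALID_SIZES = {
    "NISTECC": {192, 224, 256, 384, 521},
    "BPECC": {160, 192, 224, 256, 320, 384, 512},
}
# Field order for each of the four date formats the page lists.
DATE_FORMATS = {
    "YY/MM/DD": ("y2", "m", "d"),
    "MM/DD/YY": ("m", "d", "y2"),
    "DD/MM/YY": ("d", "m", "y2"),
    "DD/MM/YYYY": ("d", "m", "y4"),
}


def expand_year(yy):
    """Assumption: two-digit years pivot so the result lands in 1950-2049."""
    return 1900 + yy if yy >= 50 else 2000 + yy


def parse_date(text, fmt="MM/DD/YY"):
    """Parse a date in one of the documented formats. The caller names the
    format because a string such as 01/02/03 is valid in several of them."""
    layout = DATE_FORMATS[fmt]
    parts = text.split("/")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"{text!r} does not match {fmt}")
    fields = dict(zip(layout, (int(p) for p in parts)))
    year = expand_year(fields["y2"]) if "y2" in fields else fields["y4"]
    if not YEAR_MIN <= year <= YEAR_MAX:
        raise ValueError(f"year {year} is outside {YEAR_MIN}-{YEAR_MAX}")
    return date(year, fields["m"], fields["d"])  # rejects a bad month or day


def default_expire(active):
    """EXPIRE omitted: the page says the active date plus one year."""
    try:
        return active.replace(year=active.year + 1)
    except ValueError:  # 29 Feb has no counterpart in the following year
        return active.replace(year=active.year + 1, day=28)


def check_record(record):
    """Assumption: logonid, CERTAUTH or SITECERT, optionally followed by a
    dot and a suffix, with each part one to eight characters."""
    parts = record.split(".")
    if not 1 <= len(parts) <= 2 or not all(1 <= len(p) <= 8 for p in parts):
        raise ValueError(f"bad record key {record!r}")
    return record


def effective_label(record, withlbl=None):
    """WITHLBL omitted: the label defaults to the uppercase logonid[.suffix]."""
    if withlbl is not None:
        if not 1 <= len(withlbl) <= 32:
            raise ValueError("WITHLBL must be 1 to 32 characters")
        return withlbl  # blanks and mixed case are kept as given
    return record.upper()


def build_rekey(record, label=None, withlbl=None, withsufx=None,
                size=None, keytype=None, active=None, expire=None,
                date_fmt="MM/DD/YY"):
    """Return the REKEY command text, or raise ValueError when a documented
    constraint is violated. The keyword order emitted is an assumption."""
    parts = ["REKEY", check_record(record)]
    if label is not None:
        if not 1 <= len(label) <= 32:
            raise ValueError("LABEL must be 1 to 32 characters")
        parts.append(f"LABEL({label})")
    if withlbl is not None:
        parts.append(f"WITHLBL({effective_label(record, withlbl)})")
    if withsufx is not None:
        if not 1 <= len(withsufx) <= 8:
            raise ValueError("WITHSUFX must be 1 to 8 characters")
        parts.append(f"WITHSUFX({withsufx.upper()})")  # folded to uppercase
    if keytype is not None:
        if keytype not in KEY_TYPES:
            raise ValueError(f"unknown key type {keytype!r}")
        if size is not None and keytype in VALID_SIZES and size not in VALID_SIZES[keytype]:
            raise ValueError(f"SIZE({size}) is not valid for {keytype}")
    if size is not None:
        parts.append(f"SIZE({size})")
    if keytype is not None:
        parts.append(keytype)
    for keyword, value in (("ACTIVE", active), ("EXPIRE", expire)):
        if value is not None:
            parse_date(value, date_fmt)  # validate format and year range
            parts.append(f"{keyword}({value})")
    return " ".join(parts)


if __name__ == "__main__":
    # Reproduces the page's own example (constructed call, same values).
    print(build_rekey("CERTAUTH", label="Local CA", withlbl="Local CA 2021",
                      withsufx="local04", size=1024, expire="03/30/21"))
```

Naming the date format explicitly rather than guessing it is the design choice worth noting: three of the four documented layouts are two-digit-year forms that overlap, so a value such as 01/02/03 would otherwise be accepted with a silently different meaning.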