RENEW Subcommand

The RENEW subcommand lets you alter the validity period of the certificate. If you have a certificate that is expiring and you want to continue to use it for a longer time frame, use RENEW. RENEW can also be used to alter the attributes of the certificate at the time of renewal: you can change the certificate's distinguished name, or add and remove ALTNAME values.
The certificate must exist in the ACF2 database and must have a private key. The private key of the certificate that signs the renewed certificate must also be in the ACF2 database. If SIGNWITH is not specified, the RENEW subcommand finds the original signing certificate. If the original signing certificate has a private key, the renewed certificate is signed with the original signing certificate. For more information, see Process Digital Certificates with ACF2.
RENEW {logonid|logonid.suffix|CERTAUTH|CERTAUTH.suffix|SITECERT|SITECERT.suffix}
  [Label(label)]
  [SUbjsdn([CN=common-name] [T=title] [OU=organizational-unit-name] [O=organization-name]
           [L=locality] [{S=state-or-province | SP=state-or-province | ST=state-or-province}]
           [C=country])]
  [ICSF]
  [ACtive({date-or-date-time})]
  [PCICC]
  [PKDSLBL({PKDS label|*})]
  [Expire({date-or-date-time})]
  [SIGnwith({CERTAUTH Label(label-name)|SITECERT Label(label-name)})]
  [Keyusage([HANDSHAKE] [DATAENCRYPT] [DOCSIGN] [CERTSIGN] [KEYAGREE])]
  [ALtname([IP=numeric-ip-address] [DOMAIN=internet-domain-name] [EMAIL=email-address]
           [URI=universal-resource-identifier])]
  SIGATTR(RSAPSS)
Example: Change the expiration date of a certificate
The date on a certificate is close to expiring. You want to continue to use the certificate for a longer time frame. Alter the validity period of the certificate using the RENEW subcommand:
Renew CERTAUTH.MYCA expire(12/31/2030)
In this example, the CERTAUTH.MYCA CA certificate has a new expiration date of 12/31/2030.
  • logonid|CERTAUTH|SITECERT
    Specifies the logonid that is associated with the certificate. The value can be a one- to eight-character logonid, or a logonid, a dot, and a one- to eight-character suffix. Using CERTAUTH in place of a logonid designates the certificate as a Certification Authority certificate. Using SITECERT in place of a logonid designates the certificate as a site certificate.
  • Label(label)
    Specifies a one- to 32-character label for the new certificate. The label can contain blanks and mixed-case characters. If a label is not specified, the label field defaults to the uppercase version of the logonid or logonid.suffix that was specified.
  • SUbjsdn(…attributes…)
    Specifies the subject's distinguished name. The attributes can consist of the following fields. Except as otherwise noted, valid characters for the values of the attributes are any printable ASCII character and the characters in the Latin-1 Supplemental character set. ACF2 assumes that the 1047 code page is being used. Values containing spaces must be enclosed in single quotes. Any apostrophes must be doubled. For example, a common name of John T. O'Reiley would be specified as CN='John T. O''Reiley'. Also, unless otherwise specified, each attribute can only be specified once.
    1. A space is the only valid delimiter between specified attributes.
    2. The maximum length for this parameter for a self-signed certificate is 1007.
    3. The maximum length for this parameter for a non self-signed certificate is 1024.
    4. The maximum length for each attribute of this parameter is 64. Multiple blanks are not removed and are included in the lengths.
    5. If the DSNAME keyword is present, the subject's distinguished name from the SUBJSDN keyword is used. If DSNAME and SUBJSDN are not specified, the subject's distinguished name is generated with CN='ACF2 USER:logonid'.
    • CN=common-name
      Specifies the subject's regular name. For example, Sam Smith would be specified as CN='Sam Smith'. An '*' wildcard character may be used as the leftmost byte of the CN attribute, as in CN='*.example.com'.
    • T=title
      Specifies the person's job title. For example, T='Software Developer'.
    • OU=organizational-unit-name
      Specifies the department or group. This value can be specified multiple times to indicate a hierarchy. For example, OU=Accounting,OU='Accounts Payable'.
    • O=organization-name
      Specifies the name of the company. For example, O='Blue Lock Company'.
    • L=locality
      Specifies the city. For example, L='Tom''s River'.
    • S=state-or-province, SP=state-or-province, ST=state-or-province
      Specifies the state or province. All three keywords mean the same thing. When the distinguished name displays, state or province displays using 'ST='. State or province must be expressed using the same abbreviations that are used in mail addresses, for example, ST=IL for Illinois.
    • C=country
      Specifies the country. This value must be specified using the two-character ISO 3166 country code. For example, C=US for the United States of America, or C=VA for Vatican City.
  • ICSF
    Indicates that the public or private key is placed in the ICSF PKDS. If the DSNAME parameter is also specified and an existing certificate is to be replaced, the existing private key is moved from the Infostorage database to ICSF. ICSF must be active and configured for PKA operations. If it is not, an error message displays when attempting to insert or use the private key. Non-ICSF private keys are stored in a CERTKEYX record that is associated with the CERTDATA record. CERTKEYX records are managed internally by ACF2.
  • ACtive({date-or-date-time})
    Indicates the date and time that the certificate becomes active, for example, 04/30/01-154403. If no time is specified, it defaults to 000000. If no date is specified, it defaults to the current day and time. The specified year must be from 1950 to 2049. If an expire date is not specified, the active year that is specified must be from 1950 to 2048, because the expire date defaults to the active day and time plus one year. Valid date formats include: YY/MM/DD, MM/DD/YY, DD/MM/YY, and DD/MM/YYYY.
  • PCICC
    Specifies that the key pair should be generated using the PCI Cryptographic Coprocessor. If the DSNAME parameter is not specified, the private key is stored in ICSF as an ICSF RSA Chinese Remainder Theorem (CRT) key token. When PCICC is not specified, the key pair is generated using software. If the DSNAME parameter is specified, PCICC can be used with the PKDSLBL field. Doing so specifies that the public key of the new certificate is to be placed in the ICSF PKDS as an RSA Modulus-Exponent key token. If a PCI cryptographic coprocessor is not present or operational, or if ICSF is inactive or not configured for PKA operations, an error message displays and processing terminates.
  • PKDSLBL({PKDS label|*})
    Specifies the PKDS label of the record that is created in the ICSF Public Key Data Set (PKDS). The field is used with the ICSF or PCICC keywords. If PKDSLBL is specified without the ICSF or PCICC keywords, an error message displays. If the PKDS label should be taken from the LABEL keyword, the PKDS label is optional and may be specified as *. The PKDS label must conform to ICSF label syntax rules. The allowed characters are alphanumeric, national (@, #, $), or period (.). The first character must be alphabetic or national. The field can be up to 64 characters and is converted to uppercase.
  • Expire({date-or-date-time})
    Indicates the date and time that the certificate expires, for example, MM/DD/YY. If no time is specified, it defaults to 235959. If no date is specified, it defaults to the active day and time plus one year. The specified year must be from 1950 to 2049. Valid date formats include: YY/MM/DD, MM/DD/YY, DD/MM/YY, and DD/MM/YYYY. The maximum value that can be specified for a certificate expiration date is December 31, 2049 when using ACF2. Other platforms may have maximum expiration date values that are less than the maximum value that can be set by ACF2. Use caution when setting an expiration date far into the future. If you pass such a certificate to another platform, ensure that the expiration date falls within the guidelines of the other platform.
  • SIGnwith({CERTAUTH Label(label-name)|SITECERT Label(label-name)}), SIGnwith({CERTAUTH.suffix|SITECERT.suffix}), SIGnwith(Label(label-name))
    Specifies the certificate that is used to sign the new certificate. If SIGNWITH is not specified, a self-signed certificate is generated. If SIGNWITH contains CERTAUTH or SITECERT, a suffix or label value is used to specify which certificate is used to sign the certificate. If CERTAUTH or SITECERT is not specified, label must be specified. The label identifies the user certificate that signs the new certificate. The logonid that is associated with the label is the user generating the certificate. This option cannot be specified if the certificate being generated is for a CERTAUTH or SITECERT id.
    For every apostrophe that is desired in the Label value, specify two consecutive apostrophes. For example, the Label value Frank's Certificate should be specified as Frank''s Certificate. If a single apostrophe is specified in the Label value, the value is invalid.
  • Keyusage
    Specifies the values of the keyUsage certificate extension. The default for certificate authority certificates is CERTSIGN. CERTSIGN is always set for certificate authority certificates even if not specified. No default exists for non-certificate authority certificates.
    • HANDSHAKE
      Sets the digitalSignature and keyEncipherment bits in the keyUsage extension. This value allows identification and key exchange during security handshakes such as SSL. When the key pair is generated using the DSA algorithm, only the digitalSignature bit is set because the keys cannot be used for encryption.
    • DATAENCRYPT
      Sets the dataEncipherment bit in the keyUsage extension. This value allows the certificate to be used for data encryption. When the key pair is generated using the DSA algorithm, you may not use the DATAENCRYPT keyword in the Keyusage parameter.
    • DOCSIGN
      Sets the nonRepudiation bit in the keyUsage extension. This value allows the certificate to be used in a legally binding signature.
    • CERTSIGN
      Sets the keyCertSign and cRLSign bits in the keyUsage extension. This value lets the certificate sign other digital certificates and CRLs.
  • ALtname
    Specifies the values for the subjectAltName extension. One or more of the values may be specified. The parameter is optional and there is no default. If necessary, the entered values are converted to ASCII.
    • IP=numeric-ip-address
      Specifies a string containing a fully qualified numeric-ip-address in IPv4 dotted decimal format, IPv6 format, or IPv4 compatible IPv6 address. An IPv4 address is four decimal numbers from 0 through 255 separated by periods. For example: 141.202.1.255. An IPv6 address has eight parts that are divided by colons. Each part has a hexadecimal number between 0 and FFFF. For example: 1080:23B4:324:4:3BCD:26:39F4:332. An IPv4 compatible IPv6 address is a combination of the two: six parts of the IPv6 address followed by the IPv4 address. For example: 0:0:0:0:0:FFFF:141.202.1.255. The maximum field size is 45 bytes.
    • DOMAIN=internet-domain-name
      Specifies a fully qualified internet domain name, such as http://broadcom.com. The validity of this value is not checked. The maximum field size is 255 bytes.
    • EMAIL=email-address
      Specifies a fully qualified e-mail address such as [email protected]. The maximum field size is 255 bytes.
    • URI=universal-resource-identifier
      Specifies a universal resource identifier such as http://ca.com. The validity of this field is not checked. The maximum field size is 255 bytes.
  • SIGATTR(RSAPSS)
    Indicates the signature to be generated is in the RSASSA-PSS format. The format must be SIGATTR(RSAPSS). Any other value is an error. When requesting an RSASSA-PSS signature, the key size must be in the range of 2048 through 4096.
    • If the key size is 2048 through 3071, the signature that is generated is sha256rsapss.
    • If the key size is 3072 through 4095, the signature that is generated is sha384rsapss.
    • If the key size is 4096, the default signature value is sha512rsapss.
    The signature size is based on the key size of the signing certificate, not the certificate being generated. For example, if the certificate being generated has a key size of 2048 and the key size of the signer is 3072, the new certificate generates a sha384rsapss signature. You may override the signature to sha256rsapss by specifying HASHALG(SHA256). If you do not specify SIGATTR, the PSS signature is not propagated.
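The SUBJSDN rules above (space-delimited attributes, single quotes around values with blanks, doubled apostrophes, one occurrence per attribute except OU, the S/SP/ST aliases, and the 64/1007/1024 length limits) are easy to get wrong by hand. The following Python helper is an added example written for this page, not ACF2 code and not part of the original reference; it builds the text for SUBJSDN(...) and rejects input that breaks the documented rules. It assumes the 64-character limit applies to each quoted attribute value and that the leftmost-byte rule for '*' means a wildcard is not allowed anywhere else in CN.

```python
"""Build a SUBJSDN value following the rules in the ACF2 RENEW reference (added example)."""

# S and SP are aliases of ST; ST is what ACF2 displays.
_ALIASES = {"S": "ST", "SP": "ST"}
_ALLOWED = {"CN", "T", "OU", "O", "L", "ST", "C"}
_REPEATABLE = {"OU"}          # OU may repeat to express a hierarchy
MAX_ATTR_LEN = 64              # assumption: applied to the quoted value
MAX_SELF_SIGNED = 1007
MAX_SIGNED = 1024


def quote_value(value: str) -> str:
    """Double every apostrophe; wrap the value in single quotes if it contains a space."""
    escaped = value.replace("'", "''")
    return f"'{escaped}'" if " " in escaped else escaped


def build_subjsdn(attributes, self_signed: bool) -> str:
    """attributes is a list of (keyword, value) pairs in the order they should appear.
    Returns the text to place inside SUBJSDN(...), or raises ValueError."""
    seen = set()
    parts = []
    for keyword, value in attributes:
        kw = _ALIASES.get(keyword.upper(), keyword.upper())
        if kw not in _ALLOWED:
            raise ValueError(f"unknown SUBJSDN attribute: {keyword}")
        if kw in seen and kw not in _REPEATABLE:
            raise ValueError(f"{kw} may only be specified once")
        seen.add(kw)
        if kw == "C" and not (len(value) == 2 and value.isalpha()):
            raise ValueError("C must be a two-character ISO 3166 code")
        if kw == "CN" and "*" in value[1:]:
            # assumption: '*' is permitted only as the leftmost byte of CN
            raise ValueError("'*' is only allowed as the leftmost byte of CN")
        quoted = quote_value(value)
        if len(quoted) > MAX_ATTR_LEN:
            raise ValueError(f"{kw} exceeds {MAX_ATTR_LEN} characters")
        parts.append(f"{kw}={quoted}")
    # A single space is the only valid delimiter between attributes.
    dn = " ".join(parts)
    limit = MAX_SELF_SIGNED if self_signed else MAX_SIGNED
    if len(dn) > limit:
        raise ValueError(f"SUBJSDN exceeds {limit} characters")
    return dn


def subjsdn_error(attributes, self_signed: bool):
    """Return the validation error text, or None when the DN is acceptable."""
    try:
        build_subjsdn(attributes, self_signed)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Constructed sample input using the page's own example values.
    sample = [("CN", "John T. O'Reiley"), ("OU", "Accounting"), ("OU", "Accounts Payable"),
              ("O", "Blue Lock Company"), ("S", "IL"), ("C", "US")]
    print("SUBJSDN(" + build_subjsdn(sample, self_signed=True) + ")")
```

The builder emits a space between attributes rather than the comma shown in the OU example, because rule 1 of the SUBJSDN description states that a space is the only valid delimiter.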
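The ACTIVE and EXPIRE descriptions above define several defaults (time 000000 for ACTIVE, 235959 for EXPIRE, EXPIRE = ACTIVE plus one year, the 1950 to 2049 year window, and the 1950 to 2048 restriction on ACTIVE when EXPIRE is omitted). The Python below is an added example written for this page, not ACF2 code, that applies those defaults to date-or-date-time strings so you can check what validity window a RENEW will produce before issuing it. Two assumptions are labelled in the code: the caller names which of the listed date layouts is in use, because the page does not say how ACF2 tells YY/MM/DD, MM/DD/YY and DD/MM/YY apart, and two-digit years map into the 1950 to 2049 window (50 to 99 as 19xx, 00 to 49 as 20xx). MM/DD/YYYY is accepted because the page's own example uses expire(12/31/2030).

```python
"""Resolve ACTIVE/EXPIRE values the way the RENEW reference describes (added example)."""
from datetime import datetime

MIN_YEAR, MAX_YEAR = 1950, 2049
ACTIVE_DEFAULT_TIME = "000000"
EXPIRE_DEFAULT_TIME = "235959"

# Field order for each layout. The caller names the layout (assumption: the page
# lists these formats but not how ambiguous two-digit forms are distinguished).
_LAYOUTS = {
    "YY/MM/DD": ("y", "m", "d"),
    "MM/DD/YY": ("m", "d", "y"),
    "DD/MM/YY": ("d", "m", "y"),
    "DD/MM/YYYY": ("d", "m", "y"),
    "MM/DD/YYYY": ("m", "d", "y"),   # assumption, taken from the page's 12/31/2030 example
}


def _expand_year(text: str) -> int:
    """Assumption: two-digit years map into the documented 1950-2049 window."""
    if len(text) == 4:
        return int(text)
    yy = int(text)
    return 1900 + yy if yy >= 50 else 2000 + yy


def parse_date_time(value: str, layout: str, default_time: str) -> datetime:
    """value looks like '04/30/01' or '04/30/01-154403'; a missing time takes default_time."""
    if layout not in _LAYOUTS:
        raise ValueError(f"unknown date layout: {layout}")
    date_part, _, time_part = value.partition("-")
    time_part = time_part or default_time
    if len(time_part) != 6 or not time_part.isdigit():
        raise ValueError(f"time must be HHMMSS: {time_part}")
    fields = date_part.split("/")
    if len(fields) != 3:
        raise ValueError(f"date must have three parts: {date_part}")
    named = dict(zip(_LAYOUTS[layout], fields))
    year = _expand_year(named["y"])
    if not MIN_YEAR <= year <= MAX_YEAR:
        raise ValueError(f"year {year} is outside {MIN_YEAR}-{MAX_YEAR}")
    return datetime(year, int(named["m"]), int(named["d"]),
                    int(time_part[0:2]), int(time_part[2:4]), int(time_part[4:6]))


def plus_one_year(moment: datetime) -> datetime:
    """Same day and time next year; 29 February rolls to 28 February (assumption)."""
    try:
        return moment.replace(year=moment.year + 1)
    except ValueError:
        return moment.replace(year=moment.year + 1, day=28)


def validity_window(active=None, expire=None, layout="MM/DD/YY", now=None):
    """Apply the documented defaults and return (active_dt, expire_dt)."""
    now = now or datetime.now()
    active_dt = parse_date_time(active, layout, ACTIVE_DEFAULT_TIME) if active else now
    if expire:
        expire_dt = parse_date_time(expire, layout, EXPIRE_DEFAULT_TIME)
    else:
        # Default EXPIRE is ACTIVE + 1 year, so ACTIVE may not be in 2049.
        if active_dt.year > MAX_YEAR - 1:
            raise ValueError("without EXPIRE the ACTIVE year must be 1950-2048")
        expire_dt = plus_one_year(active_dt)
    if expire_dt <= active_dt:
        # Sanity check not stated on the page (assumption).
        raise ValueError("EXPIRE must be later than ACTIVE")
    return active_dt, expire_dt


def validity_error(**kwargs):
    """Return the error text for validity_window(**kwargs), or None if it succeeds."""
    try:
        validity_window(**kwargs)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Constructed sample: the page's ACTIVE example with a default EXPIRE.
    start, end = validity_window(active="04/30/01-154403", layout="MM/DD/YY")
    print(start.isoformat(), "->", end.isoformat())
```

Running the sample resolves 04/30/01-154403 to 30 April 2001 15:44:03 and a default expiry one year later, which matches the ACTIVE example text; substituting a 2049 ACTIVE date without EXPIRE triggers the 1950 to 2048 restriction.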
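The ALTNAME section above gives exact shape rules for IP= values (dotted-decimal IPv4, eight-part colon-separated IPv6, or six IPv6 parts followed by an IPv4 address) and byte limits for every keyword (45 for IP, 255 for DOMAIN, EMAIL and URI). The Python checker below is an added example written for this page, not ACF2 code; it implements those rules literally so an operator can vet a subjectAltName value before a RENEW. Two labelled assumptions: '::' compression is not accepted because the page describes exactly eight parts, and values are required to be representable in ASCII because the page says entered values are converted to ASCII. The minimal '@' test for EMAIL is the checker's own, not a documented ACF2 rule.

```python
"""Check ALTNAME values against the rules in the RENEW reference (added example)."""
import re

MAX_IP_BYTES = 45
MAX_NAME_BYTES = 255
_HEX_PART = re.compile(r"^[0-9A-Fa-f]{1,4}$")   # one IPv6 part: 0 through FFFF


def _is_ipv4(text: str) -> bool:
    """Four decimal numbers from 0 through 255 separated by periods."""
    octets = text.split(".")
    return len(octets) == 4 and all(o.isdigit() and 0 <= int(o) <= 255 for o in octets)


def _is_ipv6(text: str) -> bool:
    """Eight colon-separated hexadecimal parts. '::' compression is not accepted
    because the page describes exactly eight parts (assumption)."""
    parts = text.split(":")
    return len(parts) == 8 and all(_HEX_PART.match(p) for p in parts)


def _is_ipv4_compatible_ipv6(text: str) -> bool:
    """Six hexadecimal parts followed by a dotted-decimal IPv4 address."""
    head, sep, tail = text.rpartition(":")
    if not sep:
        return False
    parts = head.split(":")
    return len(parts) == 6 and all(_HEX_PART.match(p) for p in parts) and _is_ipv4(tail)


def check_altname(kind: str, value: str):
    """Return None when the value is acceptable, otherwise a short reason.
    kind is IP, DOMAIN, EMAIL or URI. Sizes are measured in ASCII bytes."""
    kind = kind.upper()
    try:
        size = len(value.encode("ascii"))
    except UnicodeEncodeError:
        return "value is not representable in ASCII"   # assumption, see lead-in
    if kind == "IP":
        if size > MAX_IP_BYTES:
            return f"IP exceeds {MAX_IP_BYTES} bytes"
        if _is_ipv4(value) or _is_ipv6(value) or _is_ipv4_compatible_ipv6(value):
            return None
        return "IP is not IPv4, IPv6 or IPv4-compatible IPv6"
    if kind in ("DOMAIN", "EMAIL", "URI"):
        # DOMAIN and URI are documented as not validated beyond their size.
        if size > MAX_NAME_BYTES:
            return f"{kind} exceeds {MAX_NAME_BYTES} bytes"
        if kind == "EMAIL" and value.count("@") != 1:
            return "EMAIL must contain exactly one '@'"   # checker's own minimal rule
        return None
    return f"unknown ALTNAME keyword: {kind}"


if __name__ == "__main__":
    # Constructed sample values, including the three IP forms quoted on the page.
    for kind, value in [("IP", "141.202.1.255"),
                        ("IP", "1080:23B4:324:4:3BCD:26:39F4:332"),
                        ("IP", "0:0:0:0:0:FFFF:141.202.1.255"),
                        ("IP", "1080::1"),
                        ("DOMAIN", "example.com")]:
        print(f"{kind}={value}: {check_altname(kind, value) or 'ok'}")
```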
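The SIGATTR(RSAPSS) description above has a detail that is easy to misread: the digest in the RSASSA-PSS signature is chosen from the key size of the signing certificate, not the certificate being renewed, and HASHALG(SHA256) can force the smaller digest. The Python below is an added example written for this page, not ACF2 code, that encodes that selection so the outcome of a RENEW can be predicted; it accepts only the HASHALG(SHA256) override because that is the only one the page documents.

```python
"""Predict the RSASSA-PSS signature algorithm ACF2 selects (added example)."""

MIN_PSS_BITS, MAX_PSS_BITS = 2048, 4096


def pss_signature_algorithm(signer_key_bits: int, hashalg=None) -> str:
    """signer_key_bits is the key size of the SIGNING certificate, which is what
    decides the digest. hashalg is the optional HASHALG() value."""
    if not MIN_PSS_BITS <= signer_key_bits <= MAX_PSS_BITS:
        raise ValueError(f"RSASSA-PSS needs a key size of {MIN_PSS_BITS} through "
                         f"{MAX_PSS_BITS} bits, got {signer_key_bits}")
    if signer_key_bits == MAX_PSS_BITS:
        default = "sha512rsapss"
    elif signer_key_bits >= 3072:          # 3072 through 4095
        default = "sha384rsapss"
    else:                                  # 2048 through 3071
        default = "sha256rsapss"
    if hashalg is None:
        return default
    if hashalg.upper() == "SHA256":
        return "sha256rsapss"              # documented override
    raise ValueError(f"HASHALG({hashalg}) is not a documented RSASSA-PSS override")


def renew_signature(signer_key_bits: int, sigattr=None, hashalg=None):
    """Return the signature algorithm a RENEW produces, or None when SIGATTR is
    omitted (the page states the PSS signature is then not propagated)."""
    if sigattr is None:
        return None
    if sigattr.upper() != "RSAPSS":
        raise ValueError("SIGATTR accepts only RSAPSS; any other value is an error")
    return pss_signature_algorithm(signer_key_bits, hashalg)


if __name__ == "__main__":
    # The page's worked case: subject key 2048 bits, signer key 3072 bits.
    print(renew_signature(3072, sigattr="RSAPSS"))                   # sha384rsapss
    print(renew_signature(3072, sigattr="RSAPSS", hashalg="SHA256")) # sha256rsapss
```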