I have never tried it with an expired cert, but have you tried to change the end date in the expired cert yet to see if that fixes your problem? When creating certs I always change the expire date to something way out there so I do not have problems.

Michael Saraco
Systems Consultant
303-838-3374 x115
Cell 507-525-0530

From: Mark Pace <[email protected]>
To: [email protected]
Date: 06/02/2009 01:05 PM
Subject: Re: SSL certificate renewal
Sent by: IBM Mainframe Discussion List <[email protected]>

Yes - all my users receive the certificate, and that is why I had hoped to renew it with the same key, so I would not have to send out a new cert to all the users. It's looking more like I will have to generate a new certificate and send it out.

On Tue, Jun 2, 2009 at 1:56 PM, Richard Peurifoy <[email protected]> wrote:

> Mark Pace wrote:
>
>> Trying to follow the directions in the RACF manual to renew a self-signed
>> certificate that expired.
>>
>> A display for ID TN3270
>>
>> Label:TnServerCert
>> Certificate ID:2Qbj1fPy9/DjleKFmaWFmcOFmaNA
>> Status:TRUST
>> Start Date:2008/05/30 00:00:00
>> End Date: 2009/05/30 23:59:59
>> Serial Number:00
>> Issuer's Name:CN=zos19.OU=IT.O=Mainline.C=US
>> Subject's Name:CN=zos19.OU=IT.O=Mainline.C=US
>> Private Key Type:Non-ICSF
>> Private Key Size:1024
>> Ring Associations:
>> Ring Owner:TN3270
>> Ring:TNRING
>>
>> So I see it exists and it's expired.
>> Next create a certificate request based on the old certificate.
>> *racdcert id(TN3270) genreq(label('TnServerCert'))
>> dsn('ibmuser.cert.req')*
>> This executes and creates the IBMUSER.CERT.REQ file.
>>
>> Then renew and replace the certificate.
>> *racdcert id(TN3270) gencert('ibmuser.cert.req')
>> signwith(label('TnServerCert'))*
>> *IRRD107I No matching certificate was found for this user.*
>>
>> I can't figure out why it says this certificate is not found, when I
>> clearly displayed it earlier.
>>
>
> I think you need "signwith(id(TN3270) label('TnServerCert'))",
> however, I have never tried signing a cert with itself, so I
> don't know if this works.
>
> Do others have a copy of this cert on their TN3270 clients,
> or do they just accept a self-signed cert?
>
> If they just accept the self-signed cert, just create a new
> one.
>
> Alternatively, you could create a signing cert with a long
> End Date and use that to sign your cert. If the clients have
> a copy of your cert, just give them a copy of your signing
> cert to use as the CA for your TN3270 cert.
>
> --
> Richard
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to [email protected] with the message: GET IBM-MAIN INFO
> Search the archives at http://bama.ua.edu/archives/ibm-main.html
>

--
Mark Pace
Mainline Information Systems
1700 Summit Lake Drive
Tallahassee, FL. 32317
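
The alternative raised in the quoted reply above (a signing certificate with a long End Date that clients install as the CA for the TN3270 certificate), shown as an added example that is not part of the thread. It uses Go's crypto/x509 rather than RACDCERT; the Ed25519 keys, the CA name, and the validity dates are constructed assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue signs a certificate for pub; a nil parent yields a self-signed CA.
func issue(cn string, serial int64, from, to time.Time, parent *x509.Certificate,
	pub ed25519.PublicKey, signer ed25519.PrivateKey) (cert *x509.Certificate) {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: from, NotAfter: to, KeyUsage: x509.KeyUsageDigitalSignature}
	if parent == nil {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
		parent = t
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, signer)
	if err == nil {
		cert, err = x509.ParseCertificate(der)
	}
	if err != nil {
		panic(err)
	}
	return cert
}

// demo verifies a one-year server cert and its same-key renewal as a client trusting only the CA.
func demo(now time.Time) (oldOK, renewedOK bool) {
	start := time.Date(2008, 5, 30, 0, 0, 0, 0, time.UTC) // constructed dates
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	srvPub, _, _ := ed25519.GenerateKey(rand.Reader) // server key, reused at renewal
	ca := issue("Example Signing CA", 1, start, start.AddDate(20, 0, 0), nil, caPub, caKey)
	old := issue("zos19", 2, start, start.AddDate(1, 0, 0), ca, srvPub, caKey)
	renewed := issue("zos19", 3, start.AddDate(1, 0, 0), start.AddDate(2, 0, 0), ca, srvPub, caKey)
	pool := x509.NewCertPool()
	pool.AddCert(ca) // the only thing the client was ever given
	opts := x509.VerifyOptions{Roots: pool, CurrentTime: now}
	_, errOld := old.Verify(opts)
	_, errNew := renewed.Verify(opts)
	return errOld == nil, errNew == nil
}

func main() {
	fmt.Println(demo(time.Date(2009, 6, 2, 0, 0, 0, 0, time.UTC))) // false true
}
```

The client's trust store holds only the CA certificate, so the renewed server certificate is accepted without redistributing anything until the CA certificate itself expires.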

