Server certificate revocation

If a certificate on a resource manager is compromised, we can revoke the certificate and then replace it with a new certificate.

If the certificate on a C-based resource manager is compromised, we can run the svrsslcfg -chgcert utility to replace the existing server certificate and update the PDCA certificate.

For resource managers based on Java™, use the PDAppSvrConfig.replaceAppSvrCert() method.

You can also reconfigure a C-based server by running the svrsslcfg -unconfig and svrsslcfg -config utilities. The policy server must be running when you reconfigure the C-based server. These commands update both the server certificate for the authorization server and its trusted certificate (the new PDCA certificate). Similarly, a resource manager based on Java can be unconfigured and reconfigured with the Java SvrSslCfg class.
