This step involves using RACF® commands to create a CA certificate, a signed personal certificate and a keyring on the server.
You perform these tasks on the z/OS® platform by issuing RACDCERT (RACF digital certificate) commands. The RACDCERT commands enable you to create and maintain digital certificates, and to create the keyrings which act as repositories for digital certificates.
RACDCERT CERTAUTH GENCERT SUBJECTSDN(OU('CTG TEST') O('IBM') T('CTG CA CERT') C('GB'))
KEYUSAGE(CERTSIGN) WITHLABEL('CTG CA CERT')
SETR RACLIST(DIGTCERT) REFRESH
RACDCERT CERTAUTH LIST(LABEL('CTG CA CERT'))
RACDCERT ID(CTGUSER) GENCERT SUBJECTSDN(OU('CTG TEST') O('IBM') T('CTG PERSONAL CERT') C('GB'))
WITHLABEL('CTG PERSONAL CERT') SIGNWITH(CERTAUTH LABEL('CTG CA CERT'))
Where CTGUSER is a valid RACF user ID.
SETR RACLIST(DIGTCERT) REFRESH
RACDCERT ADDRING(CTGKEYRING) ID(CTGUSER)
RACDCERT ID(CTGUSER) CONNECT(CERTAUTH LABEL('CTG CA CERT') RING(CTGKEYRING)
USAGE(CERTAUTH))
RACDCERT ID(CTGUSER) CONNECT(LABEL('CTG PERSONAL CERT') RING(CTGKEYRING)
DEFAULT USAGE(PERSONAL))
RACDCERT LISTRING(CTGKEYRING) ID(CTGUSER)
Here is an example of the output generated by this command:
Ring:
     >CTGKEYRING<
Certificate Label Name              Cert Owner   USAGE     DEFAULT
----------------------------------  -----------  -----     -------
CTG CA CERT                         CERTAUTH     CERTAUTH  NO
CTG PERSONAL CERT                   ID(CTGUSER)  PERSONAL  YES
RACDCERT ID(CTGUSER) EXPORT(LABEL('CTG PERSONAL CERT')) DSN('CTGUSER.PERSONAL.CERT')
FORMAT(CERTB64)
FORMAT(CERTB64) specifies that the certificate is stored in ASCII format. Use ISPF 3.4 to view the certificate.
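A check of the RACDCERT LISTRING output against what this procedure should have produced, as an added example that is not part of the original documentation. It assumes the command output has been captured as text; the function names parse_listring and check_ring are hypothetical.

```python
import re

# Constructed sample: the LISTRING output from this page, columns re-spaced.
SAMPLE = """\
Ring:
     >CTGKEYRING<
Certificate Label Name              Cert Owner   USAGE     DEFAULT
----------------------------------  -----------  -----     -------
CTG CA CERT                         CERTAUTH     CERTAUTH  NO
CTG PERSONAL CERT                   ID(CTGUSER)  PERSONAL  YES
"""

# Labels may contain blanks, so the three fixed-vocabulary columns anchor each row.
ROW = re.compile(
    r"^(?P<label>.+?)\s+(?P<owner>CERTAUTH|SITE|ID\([^)]+\))\s+"
    r"(?P<usage>PERSONAL|CERTAUTH|SITE)\s+(?P<default>YES|NO)$"
)

def parse_listring(text):
    """Return (ring_name, [row dicts]) from captured LISTRING output."""
    ring, rows = None, []
    for line in (l.strip() for l in text.splitlines()):
        name = re.fullmatch(r">(.+)<", line)
        row = ROW.match(line)
        if name:
            ring = name.group(1)
        elif row:
            rows.append(row.groupdict())
    return ring, rows

def check_ring(text, ring, user, ca_label, personal_label):
    """Return a list of findings; an empty list means the ring matches the procedure."""
    found_ring, rows = parse_listring(text)
    by_label = {r["label"]: r for r in rows}
    expected = {
        ca_label: {"owner": "CERTAUTH", "usage": "CERTAUTH", "default": "NO"},
        personal_label: {"owner": f"ID({user})", "usage": "PERSONAL", "default": "YES"},
    }
    findings = [] if found_ring == ring else [f"ring is {found_ring!r}, expected {ring!r}"]
    for label, want in expected.items():
        got = by_label.get(label)
        if got is None:
            findings.append(f"{label!r} is not connected to the ring")
        else:
            findings += [f"{label!r}: {f} is {got[f]}, expected {v}"
                         for f, v in want.items() if got[f] != v]
    for label in sorted(by_label.keys() - expected.keys()):
        findings.append(f"unexpected certificate {label!r} on the ring")
    return findings
```

An empty list from check_ring(SAMPLE, "CTGKEYRING", "CTGUSER", "CTG CA CERT", "CTG PERSONAL CERT") means both certificates are connected with the usage and default settings the CONNECT commands requested, and nothing else is on the ring.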