If a certificate has been registered in the RACF® database, but you do not want it to be used by clients, you can mark it as UNTRUSTED using the RACDCERT command. To do this, first issue:
RACDCERT ID(userid) LIST
to find the label associated with
the certificate you wish to change, and then issue:
RACDCERT ID (userid) ALTER(LABEL(label)) NOTRUST
to mark the certificate as untrusted. Clients are then prevented from
establishing CLIENTAUTH connections with this certificate.