Scenario 5: Creating client browser certificates with a locally signed certificate
The installation wants to locally issue client browser certificates.
This is similar to Scenario 2: Secure server with a locally signed certificate in that a local
certificate-authority certificate must first be created. In this case,
a client certificate is created, locally signed, exported from RACF® in PKCS #12 format, and imported
into the user's browser.
- Follow Steps 1 through 6 as described in Scenario 2: Secure server with a locally signed certificate to create a local certificate-authority certificate to use for signing client browser certificates.
- User MARKN can obtain a local browser certificate for himself using the following command:
  RACDCERT ID(MARKN) GENCERT SUBJECTSDN(CN('Mark Napolitano') OU('Local Certificate Authority') O('XYZZY') C('US')) WITHLABEL('My Browser Cert') KEYUSAGE(HANDSHAKE) SIGNWITH(CERTAUTH LABEL('XYZZY Local Certificate Authority'))
- Export the certificate and private key to an MVS™ data set in PKCS #12 binary form, where the password is 'The circus is coming':
  RACDCERT ID(MARKN) EXPORT (LABEL('My Browser Cert')) DSN('MARKN.BROWSERC.P12BIN') PASSWORD('The circus is coming') FORMAT(PKCS12DER)
- Use FTP to send the exported certificate data set in binary format to the target workstation. Use the appropriate browser-specific procedure to import the PKCS #12 package.
  Note: RACF is not involved with this step.
- Optionally, the certificate labeled 'My Browser Cert' can be deleted from the RACF database, provided that an appropriate certificate name filter is available to supply the user ID association and the specific association between this certificate and user ID MARKN is not required.