Requesting a certificate from a certificate authority

You can use RACF® to request a signing certificate (certificate authority certificate) from a certificate authority such as Verisign. Use an external certificate to authenticate your server to clients that cannot recognize RACF certificates.

Before you begin

You must have authorization to use the RACDCERT command. This command installs and maintains digital certificates, key rings, and digital certificate mappings in RACF.

About this task

RACF supplies certificates for various certificate authorities, so you do not have to define them yourself. These certificates are listed in Supplied digital certificates in z/OS Security Server RACF Security Administrator's Guide.

Procedure

  1. Create a self-signed certificate in RACF as a placeholder:
    RACDCERT ID(cics-region-userid) GENCERT
     SUBJECTSDN(CN('username')
                T('username''s certificate')
                OU('department')
                O('organization')
                L('city')
                SP('state')
                C('country'))
     NOTBEFORE(DATE(start) TIME(00:00:00))
     NOTAFTER(DATE(finish) TIME(23:59:59))
     WITHLABEL('self-signed-certlabel')
     SIZE(1024)
    Note that an apostrophe inside a quoted value is written as two apostrophes, as in T('username''s certificate').
  2. Generate a certificate request, based on the placeholder certificate, to send to your external certificate authority. Use the RACDCERT GENREQ command:
    RACDCERT ID(cics-region-userid) GENREQ(LABEL('label'))
             DSN('request.dataset')
    where label is the label of the placeholder self-signed certificate that you created in step 1.
    RACF saves the certificate request in the data set specified in the DSN parameter. The request contains the public key of the placeholder certificate; the private key never leaves RACF.
  3. Send the certificate request to the certificate authority, using a method that the certificate authority accepts.
  4. When you receive the certificate, save it in a new data set.
  5. Optional: If you are using a certificate authority that is not one of the default certificate authorities whose certificates RACF already supplies, you must import the certificate authority's certificate into your RACF database before you add the signed certificate, so that RACF can validate the signature on it.
  6. Replace the self-signed certificate with your new CA-signed certificate:
    RACDCERT ID(cics-region-userid) ADD('response.dataset') TRUST
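The whole procedure as a batch job, as an added example that is not from the original page or from IBM: the first step runs steps 1 and 2 (placeholder certificate and request), and the second step runs steps 5 and 6 after the certificate authority's response has been received into a data set, followed by a RACDCERT LIST to confirm the result. The job card, the user ID CICSREG, the labels, the data set names and the subject values are assumptions; the key size is 2048 rather than the 1024 shown above, which is a choice made here, not something the page states. The hyphen at the end of a line continues a TSO command onto the next line.

```jcl
//RACFCERT JOB (ACCT),'CA-SIGNED CERT',CLASS=A,MSGCLASS=X
//* Steps 1 and 2: placeholder self-signed certificate for the CICS
//* region user ID, then the certificate request written to a data set
//* that is sent to the certificate authority (step 3).
//* All names and values below are assumed for this example.
//GENREQ   EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  RACDCERT ID(CICSREG) GENCERT -
    SUBJECTSDN(CN('cicsreg.example.com') -
               T('CICSREG''s certificate') -
               OU('Payments') -
               O('Example Corp') -
               L('Hursley') -
               SP('Hampshire') -
               C('GB')) -
    NOTBEFORE(DATE(2024-01-01) TIME(00:00:00)) -
    NOTAFTER(DATE(2024-12-31) TIME(23:59:59)) -
    WITHLABEL('CICSREGPLACEHOLDER') -
    SIZE(2048)
  RACDCERT ID(CICSREG) GENREQ(LABEL('CICSREGPLACEHOLDER')) -
    DSN('CICSREG.CERT.REQUEST')
/*
//* Steps 5 and 6, to be run only after the response from the CA
//* has been received into CICSREG.CERT.RESPONSE (step 4).
//* The CERTAUTH ADD is needed only when the CA is not one that RACF
//* already supplies; CICSREG.CA.CERT is assumed to hold its certificate.
//* Because the signed certificate carries the placeholder's public key,
//* RACF replaces the placeholder under the same label. The LIST is the
//* check: the issuer should now be the CA and the status TRUST.
//ADDCERT  EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  RACDCERT CERTAUTH ADD('CICSREG.CA.CERT') -
    WITHLABEL('Example CA') TRUST
  RACDCERT ID(CICSREG) ADD('CICSREG.CERT.RESPONSE') TRUST
  RACDCERT ID(CICSREG) LIST(LABEL('CICSREGPLACEHOLDER'))
/*
```

If the DIGTCERT class is RACLISTed on your system, follow the second step with SETROPTS RACLIST(DIGTCERT) REFRESH so that the new certificate is picked up; before running the second step, it is worth confirming that the response data set is the certificate the CA issued for this request and not a certificate for another key, since RACF replaces the placeholder only when the public keys match.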

What to do next

Create the key ring in the RACF database and add your CA-signed certificate.