z/OS Cryptographic Services PKI Services Guide and Reference


Steps for changing PKI Services from a self-signed CA to an intermediate CA

SA23-2286-00

Before you begin

  1. This procedure assumes that the PKI Services CA certificate is issued by a root, or self-signed, CA.
  2. The commands in the steps that follow include several variables. The following table describes these variables. Determine the values for these variables and record the information in the blank boxes:
    Table 1. Information you need for establishing PKI Services as an intermediate CA
    Information needed | Where to find this information | Record your value here
    cacert_dsn - The data set name of the new PKI Services CA certificate. | | ________
    ca_label - The label of your CA certificate in RACF® | See Table 1. | ________
    export_dsn - The data set name of the root CA certificate as exported from RACF. | | ________
    temp_dsn - The name of the temporary data set to contain your new certificate request and returned certificate. | You decide this based on local data set naming conventions. | ________

Procedure

Perform the following steps to change PKI Services from a self-signed certificate authority to an intermediate certificate authority:
  1. Determine what certificate authority will be acting as a higher authority for PKI Services. (This could be a public certificate authority, such as VeriSign, or a local, internal certificate authority, perhaps even another instance of PKI Services.)

    _______________________________________________________________

  2. Create a new certificate request from your existing self-signed CA certificate by entering the following RACF command from a TSO command prompt:
    RACDCERT CERTAUTH GENREQ(LABEL('ca_label')) DSN(temp_dsn)

    _______________________________________________________________

  3. Send the certificate request to the higher certificate authority, following the procedures that the higher authority requires.

    _______________________________________________________________

  4. If the root CA is not one that is already known by RACF, then add the root CA to RACF as a certificate authority. To do this:
    1. Receive the root CA certificate and place it into the certificate data set (temp_dsn).
      Note: The procedure for doing this can vary greatly depending on how the higher certificate authority delivered the certificate:
      • If the certificate is delivered as base64 encoded text, the easiest way to deposit the certificate into the data set is to edit the certificate data set:
        1. Delete all existing lines in temp_dsn.
        2. Copy the base64 encoded text.
        3. Paste the copied text into the ISPF edit window.
        4. Save.
      • If the certificate is delivered as binary data (also called DER encoded), the easiest way to deposit the certificate into the data set is to use binary FTP.
    2. Add the new root CA certificate into the RACF database by entering the following RACF command from a TSO command prompt:
      RACDCERT CERTAUTH ADD(temp_dsn) WITHLABEL('label-for-root-CA')

    _______________________________________________________________

  5. Add the new PKI Services CA to RACF as a certificate authority:
    1. Receive the PKI Services CA certificate and place it into the certificate data set (cacert_dsn). This step is similar to step 4, except that it uses cacert_dsn as the data set name instead of temp_dsn, because you want to keep the PKI Services CA certificate permanently in the data set cacert_dsn.
    2. Add the new PKI Services CA certificate back into the RACF database by entering the following RACF command from a TSO command prompt:
      RACDCERT CERTAUTH ADD(cacert_dsn)

      Guideline: Do not specify a label on this command.

    _______________________________________________________________

  6. Export the root CA certificate in DER format to the export data set by entering the following RACF command from a TSO command prompt:
    RACDCERT CERTAUTH EXPORT(LABEL('label-for-root-CA')) DSN(export_dsn) FORMAT(CERTDER)

    _______________________________________________________________

  7. Make your new root CA certificate available to your clients, because it becomes the Web server's root CA certificate too. To do this, set up the var directory by performing Step 2 through Step 4 in Steps for setting up the var directory.
    Note: Make sure that the root CA certificate, not your intermediate CA certificate, is stored in /var/pkiserv/cacert.der.

    _______________________________________________________________
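As an added verification step that is not part of this IBM procedure, the following Python 3 check reads a certificate in either delivery form from step 4 (binary DER or base64 text) and reports whether it is self-signed, which is what /var/pkiserv/cacert.der must hold after step 7, and whether the PKI Services CA certificate from cacert_dsn is issued by that root. It compares the issuer and subject Name fields only and does not verify signatures; the sample certificates are constructed inside the block and carry no keys.

```python
import base64
import re

def load_cert(data: bytes) -> bytes:
    """Step 4 delivery forms: binary DER, or base64 text (PEM armour optional)."""
    if data[:1] == b"\x30":                        # 0x30 = SEQUENCE: already DER
        return data
    body = re.sub(rb"-----[^-]+-----", b"", data)  # drop PEM header/footer lines
    return base64.b64decode(b"".join(body.split()))

def _tlv(buf: bytes, pos: int):
    """Decode one ASN.1 TLV at pos -> (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long form: n length bytes follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def names(der: bytes) -> tuple:
    """Return (issuer, subject) as raw DER Name contents from tbsCertificate."""
    _, tbs, _ = _tlv(_tlv(der, 0)[1], 0)           # Certificate -> tbsCertificate
    tag, _, nxt = _tlv(tbs, 0)
    pos = nxt if tag == 0xA0 else 0                # skip optional [0] version
    _, _, pos = _tlv(tbs, pos)                     # serialNumber
    _, _, pos = _tlv(tbs, pos)                     # signature AlgorithmIdentifier
    _, issuer, pos = _tlv(tbs, pos)                # issuer Name
    _, _, pos = _tlv(tbs, pos)                     # validity
    _, subject, _ = _tlv(tbs, pos)                 # subject Name
    return issuer, subject

def is_root(der: bytes) -> bool:
    """A self-signed (root) certificate has identical issuer and subject."""
    issuer, subject = names(der)
    return issuer == subject

def chains_to(intermediate: bytes, root: bytes) -> bool:
    """The intermediate's issuer Name must equal the root's subject Name."""
    return names(intermediate)[0] == names(root)[1]

# Constructed sample data (no keys, no signatures): a certificate skeleton with
# the field order names() relies on; short-form DER lengths are enough here.
def _der(tag: int, content: bytes) -> bytes:
    return bytes([tag, len(content)]) + content
def _name(cn: str) -> bytes:                       # Name with one commonName
    atv = _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x13, cn.encode()))
    return _der(0x30, _der(0x31, atv))
def fake_cert(issuer_cn: str, subject_cn: str) -> bytes:
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")     # v3, serial 1
           + _der(0x30, b"") + _name(issuer_cn)                       # sigalg, issuer
           + _der(0x30, b"") + _name(subject_cn) + _der(0x30, b""))   # validity, subject, spki
    return _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))
```

Run is_root() on the bytes of /var/pkiserv/cacert.der and chains_to() on the cacert_dsn certificate against it; a False from either means the wrong certificate was deposited.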

Copyright IBM Corporation 1990, 2014