Perform the following steps to create your CA certificate, RA certificate,
and their associated keys, back up the keys, connect them to a key
ring and authorize PKI Services to use them.
Before you begin
Determine
the CA or RA's distinguished name and where it will be located (under
CERTAUTH for the CA and under the PKI Services daemon user
ID for the RA). Typically, CAs and RAs have distinguished names in
the following form:
OU=your-CA-or-RA's-friendly-name.O=your-organization.C=your-two-letter-country-abbreviation
Procedure
- Create your CA certificate, the optional RA certificate, and their
associated private keys using the RACDCERT GENCERT command. If you
create an RA certificate, it must be signed by the CA certificate.
- This example creates a 20-year CERTAUTH certificate
with a distinguished name of OU=Human Resources Certificate
Authority.O=Your Company, Inc.C=US. The lifetime is set by NOTAFTER,
so adjust the date to your own issue date. SIGNWITH names an existing
root CA certificate labeled 'Local Root CA'; omit SIGNWITH if the CA
certificate is to be self-signed. A 1024-bit RSA key, as in this
example, is no longer adequate for a CA; specify SIZE(2048) or larger
for a new deployment.
RACDCERT CERTAUTH GENCERT SUBJECTSDN(
OU('Human Resources Certificate Authority')
O('Your Company, Inc') C('US')) WITHLABEL('Local PKI CA') HIGHTRUST
NOTAFTER(DATE(2026/05/06))
SIZE(1024) KEYUSAGE(HANDSHAKE)
SIGNWITH(CERTAUTH LABEL('Local Root CA'))
- This example creates a 20-year RA certificate signed by the CA
certificate created in the previous example. The RA certificate is
created under the PKI Services daemon user ID (PKISRVD), not under
CERTAUTH, and the same key size caveat applies.
RACDCERT GENCERT ID(PKISRVD) SUBJECTSDN(
CN('Registration Authority')
OU('Human Resources Certificate Authority')
O('Your Company, Inc') C('US')) WITHLABEL('Local PKI RA')
NOTAFTER(DATE(2026/05/06))
SIZE(1024) KEYUSAGE(HANDSHAKE)
SIGNWITH(CERTAUTH LABEL('Local PKI CA'))
- Back up your CA certificate, RA certificate (if created), and
their associated private keys to password-protected data sets using
the RACDCERT EXPORT command. FORMAT(PKCS12DER) writes the certificate
together with its private key, encrypted under the passphrase you
supply. Choose a strong passphrase, keep it separate from the data
sets, and protect the data sets themselves with RACF DATASET profiles
that grant no access beyond the administrators who need it: the
passphrase is all that stands between the file and your CA's signing key.
RACDCERT CERTAUTH EXPORT(LABEL('Local PKI CA'))
DSN('PKISRVD.PRIVATE.KEY.P12BIN')
FORMAT(PKCS12DER) PASSWORD('your-passphrase')
RACDCERT ID(PKISRVD) EXPORT(LABEL('Local PKI RA'))
DSN('PKISRVD.PRIVATE.RAKEY.P12BIN')
FORMAT(PKCS12DER) PASSWORD('your-passphrase')
- (Optional) If you want to use ICSF for private key protection
and signing, migrate the private keys to ICSF using the RACDCERT ADD
command. Re-adding the exported PKCS #12 data set with the ICSF keyword
replaces the private key RACF holds for the existing certificate with
a copy stored in the ICSF PKDS; the certificate and its label are
unchanged. Add each certificate under the same owner it was created
under (CERTAUTH for the CA, the daemon user ID for the RA). For this
step to be successful, ICSF must be operational
and configured for RSA operations. (For additional information about
ICSF, see z/OS Cryptographic Services ICSF Administrator's Guide.)
RACDCERT CERTAUTH ADD('PKISRVD.PRIVATE.KEY.P12BIN') PASSWORD('your-passphrase') ICSF
RACDCERT ID(PKISRVD) ADD('PKISRVD.PRIVATE.RAKEY.P12BIN') PASSWORD('your-passphrase') ICSF
- Create a key ring for the PKI Services daemon and add the CA certificate
and RA certificate (if created) to it so that PKI Services can use
the certificates. The example creates a key ring called CAring for
user ID PKISRVD and connects the CA and RA certificates to it. The CA
certificate is connected with USAGE(PERSONAL) and marked DEFAULT so
that PKI Services can sign with the CA's private key.
Important:
Make sure your CA certificate is marked with the TRUST or HIGHTRUST
attribute in RACF®. (Otherwise, PKI Services will not
be able to use the certificate.) Check the Status field shown by
RACDCERT CERTAUTH LIST for the certificate and, if it shows NOTRUST,
change it with RACDCERT CERTAUTH ALTER specifying TRUST or HIGHTRUST.
RACDCERT ADDRING(CAring) ID(PKISRVD)
RACDCERT ID(PKISRVD) CONNECT(CERTAUTH LABEL('Local PKI CA') RING(CAring)
USAGE(PERSONAL) DEFAULT)
RACDCERT ID(PKISRVD) CONNECT(ID(PKISRVD) LABEL('Local PKI RA') RING(CAring)
USAGE(PERSONAL))
- Authorize the PKI Services daemon to use RACF certificates and act as the CA. The daemon
user ID (PKISRVD) needs access to the FACILITY class resources listed
in Table 1. RACLIST the FACILITY class
if it is not already RACLISTed. Define the FACILITY class resources.
When the definitions are complete, refresh the FACILITY class.
SETROPTS RACLIST(FACILITY)
RDEFINE FACILITY IRR.DIGTCERT.GENCERT
RDEFINE FACILITY IRR.DIGTCERT.LISTRING
RDEFINE FACILITY IRR.DIGTCERT.LIST
PERMIT IRR.DIGTCERT.GENCERT CLASS(FACILITY) ID(PKISRVD) ACCESS(CONTROL)
PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(PKISRVD) ACCESS(READ)
PERMIT IRR.DIGTCERT.LIST CLASS(FACILITY) ID(PKISRVD) ACCESS(READ)
SETROPTS RACLIST(FACILITY) REFRESH
Table 1. Access PKISRVD needs to use RACF certificates

Resource              | Access
----------------------|----------------------------------------------------------------
IRR.DIGTCERT.GENCERT  | CONTROL (if the CA certificate was created under CERTAUTH)
                      | READ (if the certificate was created under the PKI Services daemon user ID)
IRR.DIGTCERT.LISTRING | READ
IRR.DIGTCERT.LIST     | READ
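Once the steps above are complete, the following batch job (an added verification example, not part of the original procedure) lists the objects each step created so that you can confirm the result before starting the PKI Services daemon. It assumes the labels, the daemon user ID PKISRVD, the ring CAring and the data set names used in the examples above, and that it runs under a user ID with RACDCERT and RLIST authority; the comments describe what the output should show, but the exact field names in RACDCERT LIST output vary by z/OS release.

```jcl
//PKIVERFY JOB (ACCT),'VERIFY PKI CA SETUP',CLASS=A,MSGCLASS=X,
//             NOTIFY=&SYSUID
//* Added verification job; not part of the original procedure.
//* Assumes the labels, user ID PKISRVD, ring CAring and data set
//* names used in the setup steps. Run it under a user ID with
//* RACF SPECIAL or equivalent RACDCERT, RLIST and LISTDSD authority.
//*
//* What to check in SYSTSPRT:
//*  - Local PKI CA: Status HIGHTRUST (or TRUST), a private key
//*    present (reported as ICSF after the optional migration), a key
//*    size of at least 2048 on a new deployment, and a ring
//*    association with owner PKISRVD and ring CAring.
//*  - Local PKI RA: Issuer's Name equal to the CA's Subject's Name.
//*  - LISTRING: the CA connected with usage PERSONAL and marked
//*    DEFAULT; the RA connected with usage PERSONAL.
//*  - RLIST AUTHUSER: PKISRVD with CONTROL on IRR.DIGTCERT.GENCERT
//*    and READ on IRR.DIGTCERT.LISTRING and IRR.DIGTCERT.LIST.
//*  - LISTDSD GENERIC: the generic profile covering each exported
//*    PKCS#12 data set, with UACC(NONE) and an access list limited
//*    to the administrators who need it.
//STEP1    EXEC PGM=IKJEFT01,DYNAMNBR=20
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  RACDCERT CERTAUTH LIST(LABEL('Local PKI CA'))
  RACDCERT ID(PKISRVD) LIST(LABEL('Local PKI RA'))
  RACDCERT ID(PKISRVD) LISTRING(CAring)
  RLIST FACILITY IRR.DIGTCERT.GENCERT AUTHUSER
  RLIST FACILITY IRR.DIGTCERT.LISTRING AUTHUSER
  RLIST FACILITY IRR.DIGTCERT.LIST AUTHUSER
  LISTDSD DATASET('PKISRVD.PRIVATE.KEY.P12BIN') GENERIC
  LISTDSD DATASET('PKISRVD.PRIVATE.RAKEY.P12BIN') GENERIC
/*
```

Run the job again after the optional ICSF migration: the private key information for both certificates should then indicate ICSF rather than a RACF-held key, and the LISTDSD output should still show that the exported data sets are closed to everyone but the intended administrators. A LISTDSD response that no profile was found means the backup files are unprotected and should be covered by a DATASET profile before anything else.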