z/OS Cryptographic Services PKI Services Guide and Reference


Steps for establishing your CA and RA certificates

SA23-2286-00

Perform the following steps to create your CA certificate, RA certificate, and their associated keys, back up the keys, connect them to a key ring and authorize PKI Services to use them.

Before you begin

Determine the CA or RA's distinguished name and where it will be located (under CERTAUTH for the CA and under the PKI Services daemon user ID for the RA). Typically, CAs and RAs have distinguished names in the following form:

OU=your-CA-or-RA's-friendly-name.O=your-organization.C=your-two-letter-country-abbreviation

Procedure

  1. Create your CA certificate, the optional RA certificate, and their associated private keys using the RACDCERT GENCERT command. If you create the optional RA certificate, it must be signed by the CA certificate.
    a. This example creates a 20-year CERTAUTH certificate with a distinguished name of OU=Human Resources Certificate Authority.O=Your Company, Inc.C=US.
       RACDCERT CERTAUTH GENCERT SUBJECTSDN(
          OU('Human Resources Certificate Authority')
          O('Your Company, Inc') C('US')) WITHLABEL('Local PKI CA') HIGHTRUST
          NOTAFTER(DATE(2026/05/06))
          SIZE(1024) KEYUSAGE(HANDSHAKE)
          SIGNWITH(CERTAUTH LABEL('Local Root CA'))
    b. This example creates a 20-year RA certificate, owned by the PKI Services daemon user ID PKISRVD and signed by the CA certificate created in Example 1.a.
       RACDCERT GENCERT ID(PKISRVD) SUBJECTSDN(
          CN('Registration Authority')
          OU('Human Resources Certificate Authority')
          O('Your Company, Inc') C('US')) WITHLABEL('Local PKI RA')
          NOTAFTER(DATE(2026/05/06))
          SIZE(1024) KEYUSAGE(HANDSHAKE)
          SIGNWITH(CERTAUTH LABEL('Local PKI CA'))
  2. Back up your CA certificate, RA certificate (if created), and their associated private keys to password-protected data sets using the RACDCERT EXPORT command.
    RACDCERT CERTAUTH EXPORT(LABEL('Local PKI CA'))
       DSN('PKISRVD.PRIVATE.KEY.P12BIN')
       FORMAT(PKCS12DER) PASSWORD('your-passphrase')
    
    RACDCERT ID(PKISRVD) EXPORT(LABEL('Local PKI RA'))
       DSN('PKISRVD.PRIVATE.RAKEY.P12BIN') 
       FORMAT(PKCS12DER) PASSWORD('your-passphrase')
  3. (Optional) If you want to use ICSF for private key protection and signing, migrate the private keys to ICSF using the RACDCERT ADD command. For this step to be successful, ICSF must be operational and configured for RSA operations. (For additional information about ICSF, see z/OS Cryptographic Services ICSF Administrator's Guide.)
    RACDCERT CERTAUTH ADD('PKISRVD.PRIVATE.KEY.P12BIN') PASSWORD('your-passphrase') ICSF
    
    RACDCERT ID(PKISRVD) ADD('PKISRVD.PRIVATE.RAKEY.P12BIN') PASSWORD('your-passphrase') ICSF
  4. Create a key ring for the PKI Services daemon and add the CA certificate and RA certificate (if created) to it so that PKI Services can use the certificates. The example creates a key ring called CAring for user ID PKISRVD and connects the CA and RA certificates to it.

    Important: Make sure your CA certificate is marked with the TRUST or HIGHTRUST attribute in RACF®. (Otherwise, PKI Services will not be able to use the certificate.) Check this by issuing the RACDCERT LIST command and, if the status needs to change, issue the RACDCERT ALTER command to change it.

    RACDCERT ADDRING(CAring) ID(PKISRVD)
    
    RACDCERT ID(PKISRVD) CONNECT(CERTAUTH LABEL('Local PKI CA') RING(CAring)
       USAGE(PERSONAL) DEFAULT)
    
    RACDCERT ID(PKISRVD) CONNECT(ID(PKISRVD) LABEL('Local PKI RA') RING(CAring)
       USAGE(PERSONAL))
  5. Authorize the PKI Services daemon to use RACF certificates and act as the CA. The daemon user ID (PKISRVD) needs access to the FACILITY class resources listed in Table 1. RACLIST the FACILITY class if it is not already RACLISTed. Define the FACILITY class resources. When the definitions are complete, refresh the FACILITY class.
    SETROPTS RACLIST(FACILITY)
    
    RDEFINE FACILITY IRR.DIGTCERT.GENCERT
    RDEFINE FACILITY IRR.DIGTCERT.LISTRING
    RDEFINE FACILITY IRR.DIGTCERT.LIST
    
    PERMIT IRR.DIGTCERT.GENCERT  CLASS(FACILITY) ID(PKISRVD) ACCESS(CONTROL)
    PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(PKISRVD) ACCESS(READ)
    PERMIT IRR.DIGTCERT.LIST     CLASS(FACILITY) ID(PKISRVD) ACCESS(READ)
    
    SETROPTS RACLIST(FACILITY) REFRESH
    Table 1. Access PKISRVD needs to use RACF certificates

    Resource               Access
    ---------------------  ------------------------------------------------------------------
    IRR.DIGTCERT.GENCERT   CONTROL (if the CA certificate was created under CERTAUTH)
                           READ (if the CA certificate was created under the PKI Services daemon user ID)
    IRR.DIGTCERT.LISTRING  READ
    IRR.DIGTCERT.LIST      READ
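The Important note in step 4 says to confirm with RACDCERT LIST that the CA certificate carries TRUST or HIGHTRUST before PKI Services tries to use it. The Python script below is an added example, not part of the IBM documentation: it parses RACDCERT LIST output (the embedded sample is constructed to approximate the real layout; the certificate ID is a made-up placeholder) and checks the properties this procedure establishes: the trust status, a CERTSIGN key usage, the expiry date, the private key size, whether the private key lives in ICSF (step 3), and the connection to the CAring key ring owned by PKISRVD (step 4). The helper names, the field list and the 2048-bit default minimum are this example's own choices; with the SIZE(1024) used in the commands above, the key-size check reports a finding unless the minimum is lowered.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of RACDCERT LIST output for the CA built in step 1.a.
# It approximates the real layout; the certificate ID and dates are made up.
SAMPLE_LIST_OUTPUT = """\
Digital certificate information for CERTAUTH:

  Label: Local PKI CA
  Certificate ID: PLACEHOLDER-CERT-ID
  Status: HIGHTRUST
  Start Date: 2014/05/06 00:00:00
  End Date:   2026/05/06 23:59:59
  Serial Number:
       >01<
  Subject's Name:
       >OU=Human Resources Certificate Authority.O=Your Company, Inc.C=US<
  Key Usage: HANDSHAKE, CERTSIGN
  Private Key Type: ICSF
  Private Key Size: 1024
  Ring Associations:
    Ring Owner: PKISRVD
    Ring:
       >CAring<
"""

SCALAR_FIELDS = ("Label", "Status", "Start Date", "End Date", "Key Usage",
                 "Private Key Type", "Private Key Size", "Ring Owner")
BRACKETED_FIELDS = ("Serial Number", "Issuer's Name", "Subject's Name", "Ring")


def parse_racdcert_list(text):
    """Turn one certificate's RACDCERT LIST output into a dict.

    Scalar fields are 'Name: value' on one line; bracketed fields put the
    value on the following line as >value<. Ring connections are collected
    under 'rings' as (owner, ring name) pairs.
    """
    cert = {"rings": []}
    pending = None  # bracketed field whose >value< line is still to come
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if pending and line.startswith(">") and line.endswith("<"):
            value = line[1:-1]
            if pending == "Ring":
                cert["rings"].append((cert.get("Ring Owner"), value))
            else:
                cert[pending] = value
            pending = None
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        name, value = name.strip(), value.strip()
        if name in BRACKETED_FIELDS and not value:
            pending = name
        elif name in SCALAR_FIELDS:
            cert[name] = value
    usage = cert.get("Key Usage", "")
    cert["key_usage"] = [u.strip() for u in usage.split(",") if u.strip()]
    return cert


def check_ca_certificate(cert, expected_label, ring_owner, ring_name,
                         min_key_bits=2048, require_icsf=False,
                         now=None, warn_days=90):
    """Return a list of findings; an empty list means the CA passed every check.

    `now` may be a datetime or a 'YYYY/MM/DD' string (default: current time).
    """
    if now is None:
        now = datetime.now()
    elif isinstance(now, str):
        now = datetime.strptime(now, "%Y/%m/%d")
    findings = []
    if cert.get("Label") != expected_label:
        findings.append(f"label is {cert.get('Label')!r}, expected {expected_label!r}")
    if cert.get("Status") not in ("TRUST", "HIGHTRUST"):
        findings.append(f"status is {cert.get('Status')}; PKI Services requires TRUST or HIGHTRUST")
    if "CERTSIGN" not in cert["key_usage"]:
        findings.append("key usage lacks CERTSIGN, so the certificate cannot sign certificates")
    end_text = cert.get("End Date")
    if not end_text:
        findings.append("no End Date found in the LIST output")
    else:
        end = datetime.strptime(end_text, "%Y/%m/%d %H:%M:%S")
        if end < now:
            findings.append(f"certificate expired on {end:%Y/%m/%d}")
        elif end - now < timedelta(days=warn_days):
            findings.append(f"certificate expires within {warn_days} days ({end:%Y/%m/%d})")
    bits = int(cert.get("Private Key Size", "0"))
    if bits < min_key_bits:
        findings.append(f"private key size {bits} is below the {min_key_bits}-bit minimum")
    if require_icsf and cert.get("Private Key Type") != "ICSF":
        findings.append(f"private key type is {cert.get('Private Key Type')}, not ICSF")
    if (ring_owner, ring_name) not in cert["rings"]:
        findings.append(f"not connected to ring {ring_name} owned by {ring_owner}")
    return findings


if __name__ == "__main__":
    ca = parse_racdcert_list(SAMPLE_LIST_OUTPUT)
    for finding in check_ca_certificate(ca, "Local PKI CA", "PKISRVD", "CAring",
                                        require_icsf=True) or ["all checks passed"]:
        print(finding)
```

In practice the input would be the output of RACDCERT CERTAUTH LIST(LABEL('Local PKI CA')) captured from TSO; run the same check against the RA certificate with its own label and ring owner, and drop `require_icsf` if step 3 was skipped.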





Copyright IBM Corporation 1990, 2014