Steps for locating the PKI Services certificates and key ring

Perform the following steps to locate the PKI Services CA certificate, key ring, and the optional RA certificate:
  1. Locate the CA certificate using one of the following two methods (Step 1.a or Step 1.b) and examine its information.
    a. Locate the CA certificate using the name of its export data set. (Get the export data set name from cacert_dsn in Table 1.) Display its information by executing the following RACF® command from a TSO command prompt:
      RACDCERT CHECKCERT(cacert_dsn)
      Sample output:
      Digital certificate information for CERTAUTH:                  
        Label: Local PKI CA                                          
        Certificate ID: 2QiJmZmDhZmjgdOWg4GTQNfSyUDDwUBA             
        Status: HIGHTRUST                                            
        Start Date: 2001/06/04 23:00:00                              
        End Date:   2020/01/01 22:59:59                              
        Serial Number:                                               
             >00<                                                    
        Issuer's Name:                                               
             >OU=Human Resources Certificate Authority.O=IBM.C=US<   
        Subject's Name:                                              
             >OU=Human Resources Certificate Authority.O=IBM.C=US<   
        Key Usage: CERTSIGN                                          
        Key Type: RSA
        Key Size: 1024
        Private Key: Yes   
    b. Alternately, locate the CA certificate using its certificate label. (Get the label name from ca_label in Table 1.) Display its information by entering the following RACF command from a TSO command prompt:
      RACDCERT CERTAUTH LIST(LABEL('ca_label'))
      The RACDCERT CERTAUTH LIST command produces the same output as RACDCERT CHECKCERT (shown in Step 1.a), with the addition of information about any ring associations. Only that additional part is shown here.
      Sample output:
      Ring Associations:    
        Ring Owner: PKISRVD 
        Ring:               
           >CAring<     
    c. Examine the CA certificate information. If you are diagnosing errors, note the following:
      • The first line must indicate that this is a CERTAUTH certificate.
      • Label must match your ca_label value (from Table 1).
      • Status must be TRUST or HIGHTRUST; a certificate marked NOTRUST cannot be used from the key ring.
      • Start Date and End Date give the validity period; confirm that the certificate has not expired.
      • If Serial Number is not equal to 00, the certificate has been renewed or was issued by another certificate authority.
      • If Issuer's Name differs from Subject's Name, the certificate was issued by another certificate authority.
      • Subject's Name must match the original value recorded for the PKI Services SUBJECTSDN in the IKYSETUP log.
      • Private Key must show Yes. Without the private key, PKI Services cannot sign the certificates it issues.
      • Key Type indicates whether the key is an RSA, DSA, NISTECC, or BPECC key.
      • If Ring Associations are listed, ensure that an association is displayed for the daemon user ID as ring owner and your ca_ring value (from Table 1) as ring name.

    _______________________________________________________________

  2. Locate the CA key ring and examine its information.
    a. Get the ring name from ca_ring in Table 1 and display its information by executing the following RACF command from a TSO command prompt:
      RACDCERT ID(daemon) LISTRING(ca_ring)
      Sample output:
      Digital ring information for user PKISRVD:                            
                                                                            
        Ring:                                                               
             >CAring<                                                       
        Certificate Label Name             Cert Owner     USAGE      DEFAULT
        --------------------------------   ------------   --------   -------
        Local PKI CA                       CERTAUTH       PERSONAL     YES  
        Local PKI RA                       PKISRVD        PERSONAL     NO
    b. Examine the key ring information. If you are diagnosing errors, note the following:
      • The first line must name the PKI Services daemon user ID as the ring owner, and the ring name must match your ca_ring value.
      • The entry for the PKI Services CA certificate must have Cert Owner CERTAUTH, USAGE PERSONAL, and DEFAULT YES. The DEFAULT YES entry is the certificate whose private key PKI Services uses for signing.
      • If you use an optional RA certificate, you see a second line such as the one in the sample. If present, the entry for the PKI Services RA certificate must have USAGE PERSONAL and DEFAULT NO.

    _______________________________________________________________

  3. If you use an optional RA certificate, locate it and examine its information.
    a. Locate the RA certificate using its certificate label. (Get the RA's certificate label from ra_label in Table 1 or from the RACDCERT LISTRING output shown in Step 2.a.) Display the RA certificate information by executing the following RACF command from a TSO command prompt, where certificate-owner is normally the PKI Services daemon user ID:
      RACDCERT ID(certificate-owner) LIST(LABEL('certificate-label-name'))
      Sample output:
      Digital certificate information for PKISRVD:                   
        Label: Local PKI RA                                          
        Certificate ID: 2QiJmZmDhZmjgdOWg4GTQNfSyUDDwUBA             
        Status: TRUST                                                
        Start Date: 2001/06/04 23:00:00                              
        End Date:   2020/01/01 22:59:59                              
        Serial Number:                                               
             >01<                                                    
        Issuer's Name:                                               
             >OU=Human Resources Certificate Authority.O=IBM.C=US<   
        Subject's Name:                                              
             >CN=Registration Authority.OU=Human Resources Certif<   
             >icate Authority.O=IBM.C=US<                            
        Key Usage: HANDSHAKE                                         
        Key Type: RSA
        Key Size: 1024
        Private Key: Yes   
    b. Examine the RA certificate information. If you are diagnosing errors, note the following:
      • The user ID of the certificate owner (indicated in the first line) must match the user ID of the PKI Services daemon.
      • Issuer's Name must match the Subject's Name of the CA certificate.
      • Private Key must show Yes.
      • Key Type indicates the key is an RSA key.

    _______________________________________________________________
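As an added example (not IBM code and not part of this page), the following Python script applies the checklists from Steps 1.c, 2.b and 3.b to RACDCERT output that has been captured as plain text, for instance by running the three commands in a batch TSO job and saving SYSTSPRT. The sample output strings are constructed from the listings above and trimmed to the fields the checks read; CONFIG stands for the Table 1 and IKYSETUP values of a hypothetical installation; the parser understands only the fields shown on this page.

```python
# Constructed sample RACDCERT output, trimmed to the fields the checks read.
CA_OUTPUT = """\
Digital certificate information for CERTAUTH:
  Label: Local PKI CA
  Serial Number:
       >00<
  Issuer's Name:
       >OU=Human Resources Certificate Authority.O=IBM.C=US<
  Subject's Name:
       >OU=Human Resources Certificate Authority.O=IBM.C=US<
  Private Key: Yes
  Ring Associations:
    Ring Owner: PKISRVD
    Ring:
       >CAring<
"""
RING_OUTPUT = """\
Digital ring information for user PKISRVD:
  Ring:
       >CAring<
  Certificate Label Name             Cert Owner     USAGE      DEFAULT
  --------------------------------   ------------   --------   -------
  Local PKI CA                       CERTAUTH       PERSONAL     YES
  Local PKI RA                       PKISRVD        PERSONAL     NO
"""
RA_OUTPUT = """\
Digital certificate information for PKISRVD:
  Issuer's Name:
       >OU=Human Resources Certificate Authority.O=IBM.C=US<
  Subject's Name:
       >CN=Registration Authority.OU=Human Resources Certif<
       >icate Authority.O=IBM.C=US<
  Private Key: Yes
"""
# Table 1 / IKYSETUP values for this installation (hypothetical).
CONFIG = {"daemon": "PKISRVD", "ca_ring": "CAring", "ca_label": "Local PKI CA",
          "ra_label": "Local PKI RA",
          "subjectsdn": "OU=Human Resources Certificate Authority.O=IBM.C=US"}


def parse_cert(text):
    """Parse a CHECKCERT/LIST display; '>..<' lines continue the previous field."""
    info, rings, key = {}, [], None
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        if line.startswith("Digital certificate information for "):
            info["Owner"] = line.split()[-1].rstrip(":")   # CERTAUTH or a user ID
        elif line.startswith("Ring Owner:"):
            rings.append({"Ring Owner": line.partition(":")[2].strip(), "Ring": ""})
        elif line.startswith(">") and line.endswith("<"):
            target = rings[-1] if key == "Ring" and rings else info
            target[key] = target.get(key, "") + line[1:-1]
        elif ":" in line:
            key, _, value = (s.strip() for s in line.partition(":"))
            info[key] = value
    return {**info, "Rings": rings}


def parse_ring(text):
    """Parse a LISTRING display into its owner, ring name and table entries."""
    ring, entries, in_table = {"owner": None, "ring": None}, [], False
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        if line.startswith("Digital ring information for user "):
            ring["owner"] = line.split()[-1].rstrip(":")
        elif line.startswith(">") and line.endswith("<"):
            ring["ring"] = line[1:-1]
        elif line.startswith("Certificate Label Name"):
            in_table = True
        elif in_table and not line.startswith("---"):
            label, owner, usage, default = line.rsplit(None, 3)  # label may hold blanks
            entries.append(dict(label=label, owner=owner, usage=usage, default=default))
    return {**ring, "entries": entries}


def diagnose(ca, ring, ra, cfg):
    """Apply the checklists of Steps 1.c, 2.b and 3.b; return the failures."""
    by_label = {e["label"]: e for e in ring["entries"]}
    entry = lambda lbl: tuple(by_label.get(lbl, {}).get(k) for k in ("owner", "usage", "default"))
    assoc = {"Ring Owner": cfg["daemon"], "Ring": cfg["ca_ring"]}
    rules = [
        (ca.get("Owner") == "CERTAUTH", "CA: not a CERTAUTH certificate"),
        (ca.get("Label") == cfg["ca_label"], "CA: label differs from ca_label"),
        (ca.get("Serial Number") == "00", "CA: serial not 00 (renewed or other CA)"),
        (ca.get("Issuer's Name") == ca.get("Subject's Name"), "CA: issuer != subject"),
        (ca.get("Subject's Name") == cfg["subjectsdn"], "CA: subject != SUBJECTSDN"),
        (ca.get("Private Key", "").upper() == "YES", "CA: no private key"),
        (not ca["Rings"] or assoc in ca["Rings"], "CA: not associated with ca_ring"),
        ((ring["owner"], ring["ring"]) == (cfg["daemon"], cfg["ca_ring"]),
         "Ring: owner or name differs from daemon/ca_ring"),
        (entry(cfg["ca_label"]) == ("CERTAUTH", "PERSONAL", "YES"),
         "Ring: CA entry must be CERTAUTH, USAGE PERSONAL, DEFAULT YES"),
    ]
    if ra is not None:  # optional RA certificate (Step 3)
        rules += [
            (entry(cfg["ra_label"])[1:] == ("PERSONAL", "NO"),
             "Ring: RA entry must be USAGE PERSONAL, DEFAULT NO"),
            (ra.get("Owner") == cfg["daemon"], "RA: owner is not the daemon user ID"),
            (ra.get("Issuer's Name") == ca.get("Subject's Name"), "RA: issuer != CA subject"),
            (ra.get("Private Key", "").upper() == "YES", "RA: no private key"),
        ]
    return [msg for ok, msg in rules if not ok]
```

Calling diagnose(parse_cert(CA_OUTPUT), parse_ring(RING_OUTPUT), parse_cert(RA_OUTPUT), CONFIG) on the samples returns an empty list; each failure string names the step whose bullet it corresponds to, so the output can be read directly against the checklists above. Pass None as the RA argument when no RA certificate is in use.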