Steps for locating the PKI Services certificates and key ring
Perform the following steps to locate the PKI Services CA certificate,
key ring, and the optional RA certificate:
1. Locate the CA certificate using one of the following two methods (Step 1.a or Step 1.b) and examine its information (Step 1.c).
   a. Locate the CA certificate using the name of its export data set. (Get the export data set name from cacert_dsn in Table 1.) Display its information by executing the following RACF® command from a TSO command prompt:

      RACDCERT CHECKCERT(cacert_dsn)

      Sample output:

      Digital certificate information for CERTAUTH:
        Label: Local PKI CA
        Certificate ID: 2QiJmZmDhZmjgdOWg4GTQNfSyUDDwUBA
        Status: HIGHTRUST
        Start Date: 2001/06/04 23:00:00
        End Date:   2020/01/01 22:59:59
        Serial Number:
             >00<
        Issuer's Name:
             >OU=Human Resources Certificate Authority.O=IBM.C=US<
        Subject's Name:
             >OU=Human Resources Certificate Authority.O=IBM.C=US<
        Key Usage: CERTSIGN
        Key Type: RSA
        Key Size: 1024
        Private Key: Yes

   b. Alternately, locate the CA certificate using its certificate label. (Get the label name from ca_label in Table 1.) Display its information by entering the following RACF command from a TSO command prompt:

      RACDCERT CERTAUTH LIST(LABEL('ca_label'))

      The RACDCERT CERTAUTH LIST command produces the same output as RACDCERT CHECKCERT (shown in Step 1.a), with the addition of information about any ring associations. For example:

      Sample output:
        Ring Associations:
          Ring Owner: PKISRVD
          Ring:
             >CAring<

   c. Examine the CA certificate information. If you are diagnosing errors, note the following:
      - The first line must indicate that this is a CERTAUTH certificate.
      - Label must match your ca_label value (from Table 1).
      - If Serial Number is not 00, the certificate has been renewed or was issued by another certificate authority.
      - If Issuer's Name differs from Subject's Name, the certificate was issued by another certificate authority.
      - Subject's Name must match the original value recorded for the PKI Services SUBJECTSDN in the IKYSETUP log.
      - Private Key must show Yes.
      - Key Type indicates whether the key is an RSA, DSA, NISTECC, or BPECC key.
      - If Ring Associations are listed, ensure that an association is displayed with the daemon user ID as ring owner and your ca_ring value (from Table 1) as ring name.
2. Locate the CA key ring and examine its information.
   a. Get the ring name from ca_ring in Table 1 and display its information by executing the following RACF command from a TSO command prompt:

      RACDCERT ID(daemon) LISTRING(ca_ring)

      Sample output:

      Digital ring information for user PKISRVD:
        Ring:
             >CAring<
        Certificate Label Name             Cert Owner     USAGE     DEFAULT
        --------------------------------   ------------   --------  -------
        Local PKI CA                       CERTAUTH       PERSONAL  YES
        Local PKI RA                       PKISRVD        PERSONAL  NO

   b. Examine the key ring information. If you are diagnosing errors, note the following:
      - The entry for the PKI Services CA certificate must have USAGE PERSONAL and DEFAULT YES.
      - If you use an optional RA certificate, the second line is present. The entry for the PKI Services RA certificate must have USAGE PERSONAL and DEFAULT NO.
3. If you use an optional RA certificate, locate it and examine its information.
   a. Locate the RA certificate using its certificate label. (Get the RA's certificate label from ra_label in Table 1 or from the RACDCERT LISTRING output shown in Step 2.a.) Display the RA certificate information by executing the following RACF command from a TSO command prompt:

      RACDCERT ID(certificate-owner) LIST(LABEL('certificate-label-name'))

      Sample output:

      Digital certificate information for PKISRVD:
        Label: Local PKI RA
        Certificate ID: 2QiJmZmDhZmjgdOWg4GTQNfSyUDDwUBA
        Status: TRUST
        Start Date: 2001/06/04 23:00:00
        End Date:   2020/01/01 22:59:59
        Serial Number:
             >01<
        Issuer's Name:
             >OU=Human Resources Certificate Authority.O=IBM.C=US<
        Subject's Name:
             >CN=Registration Authority.OU=Human Resources Certif<
             >icate Authority.O=IBM.C=US<
        Key Usage: HANDSHAKE
        Key Type: RSA
        Key Size: 1024
        Private Key: Yes

   b. Examine the RA certificate information. If you are diagnosing errors, note the following:
      - The user ID of the certificate owner (shown in the first line) must match the user ID of the PKI Services daemon.
      - Issuer's Name must match the Subject's Name of the CA certificate.
      - Private Key must show Yes.
      - Key Type indicates that the key is an RSA key.