Steps for setting up a certificate for a CMP requester

Perform the following steps to set up a certificate in the RACF® database for a CMP requester.

Before you begin

You need to have RACF SPECIAL authorization, or authorization to the RACDCERT commands shown. For more information, see z/OS Security Server RACF Command Language Reference.

Procedure

  1. Generate a certificate for the CMP requester in the RACF database, signed by a certificate that is in the HTTP Server's key ring.
    Example:
    RACDCERT ID(User123) GENCERT
    SUBJECT(CN('Messager') OU('OrgUnitA') O('OrgA') C('AU'))
    WITHLABEL('client') SIGNWITH(CERTAUTH LABEL('Master PKI CA'))

    _______________________________________________________________

  2. Export the certificate and its private key to a data set.
    Example:
    RACDCERT ID(User123) EXPORT(LABEL('client'))
    DSN('User123.private.eecert') FORMAT(PKCS12B64)
    PASSWORD('secret')
    Tip: You could use FORMAT(PKCS12DER) if you do not plan to use copy and paste operations to transport the certificate and private key to the client system.

    _______________________________________________________________

  3. Transport the certificate and its private key to the system where the CMP client will run. You can use FTP or, depending on the CMP client software, copy and paste operations.

    _______________________________________________________________
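An added example, not part of the original procedure or of IBM's code: a Python check to run on the client system after step 3, confirming that a PKCS12B64 package survived copy and paste or file transfer before the client imports it. The file layout (a base64 body between `-----` armor lines) and the sample data are assumptions; the outer structure checked is the PFX SEQUENCE with version 3 defined in RFC 7292.

```python
import base64
import binascii
import hashlib


def decode_armored_pkcs12(text: str) -> bytes:
    """Drop blank and '-----' armor lines, then strictly base64-decode the rest."""
    lines = [ln.strip() for ln in text.splitlines()]
    body = "".join(ln for ln in lines if ln and not ln.startswith("-----"))
    try:
        return base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"not clean base64 (bad paste or transfer mode?): {exc}")


def check_pfx_envelope(der: bytes) -> str:
    """Check the outer PFX SEQUENCE and version; return SHA-256 of the package."""
    if len(der) < 5 or der[0] != 0x30:
        raise ValueError("does not start with a DER SEQUENCE")
    first = der[1]
    if first < 0x80:                      # short-form length
        length, offset = first, 2
    else:                                 # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            raise ValueError("unsupported or truncated DER length")
        length, offset = int.from_bytes(der[2:2 + n], "big"), 2 + n
    if offset + length != len(der):       # catches a truncated or padded transfer
        raise ValueError(f"length mismatch: header says {offset + length}, got {len(der)}")
    if der[offset:offset + 3] != b"\x02\x01\x03":
        raise ValueError("PFX version is not 3")
    return hashlib.sha256(der).hexdigest()


# Constructed sample: a PFX-shaped envelope with dummy content, not a real key store.
_SAMPLE_DER = b"\x30\x0b" + b"\x02\x01\x03" + b"\x04\x06dummy!"
SAMPLE_ARMORED = (
    "-----BEGIN CERTIFICATE-----\n"      # assumed armor line; any '-----' line is ignored
    + base64.b64encode(_SAMPLE_DER).decode() + "\n"
    + "-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    print(check_pfx_envelope(decode_armored_pkcs12(SAMPLE_ARMORED)))
```

The check reads only the unencrypted outer envelope and never needs the export password, so it can run before the package reaches the CMP client.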

Results

When you are done, the client can make CMP requests to PKI Services.