Using RACF to obtain a certificate for the web server

The IBM® HTTP Server supports using either gskkyman key databases (.kdb files) or RACF® (SAF) key rings for the server's certificate store. You are expected to use SAF key rings if you are setting up your web server for the first time.
Note: If you have already set up your web server using gskkyman, you can continue to use it.

Use RACDCERT to generate the server certificate signed by the new Certificate Authority.

Example:
RACDCERT GENCERT ID(WEBSRV) SIGNWITH(CERTAUTH LABEL('Local PKI CA')) 
   WITHLABEL('SSL Cert') SUBJECTSDN(CN('www.YourCompany.com') O('Your Company Inc') 
   L('Millbrook') SP('New York') C('US'))

The web server needs a key ring containing its new certificate and any trusted CA certificate. The RACDCERT command with operands ADDRING and CONNECT also sets this up. For example, the RACDCERT commands to create a key ring that is called SSLring for user ID WEBSRV and to connect the web server and CA certificates to it are:

Example:
RACDCERT ADDRING(SSLring) ID(websrv) 
RACDCERT ID(websrv) CONNECT(CERTAUTH LABEL('Local PKI CA') RING(SSLring)
   USAGE(CERTAUTH))
RACDCERT ID(websrv) CONNECT(ID(websrv) LABEL('SSL Cert') RING(SSLring)
   USAGE(PERSONAL) DEFAULT)

Export the CA certificate to an MVS™ data set. Then OPUT it to a file system file so that it can be made available to your clients.

Example:
RACDCERT EXPORT(LABEL('Local PKI CA')) 
   CERTAUTH DSN('pkisrvd.webroot.derbin') FORMAT(CERTDER)
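
The following REXX exec is an added example, not part of the original IBM text. It checks the key ring built above and then performs the OPUT step. It assumes it is run under TSO by a user ID authorized for RACDCERT, and the output path is a placeholder to replace with the directory your clients download from.

```rexx
/* REXX: added example, not IBM's code. Run under TSO with an ID     */
/* that is authorized for RACDCERT.                                  */
outpath = '/u/placeholder/webroot/cacert.der'  /* placeholder path   */
address TSO

/* 1. Ring contents. Expect two entries: 'Local PKI CA' owned by     */
/*    CERTAUTH, and 'SSL Cert' owned by ID(WEBSRV) with usage        */
/*    PERSONAL and marked as the default.                            */
"RACDCERT LISTRING(SSLring) ID(WEBSRV)"
if rc <> 0 then call fail 'LISTRING', rc

/* 2. Server certificate details. Review the subject, the issuer     */
/*    and the validity dates before pointing the web server at it.   */
"RACDCERT ID(WEBSRV) LIST(LABEL('SSL Cert'))"
if rc <> 0 then call fail 'LIST', rc

/* 3. Copy the exported CA certificate to the file system. BINARY    */
/*    copies the bytes unchanged; text-mode handling would corrupt   */
/*    a DER-encoded certificate.                                     */
"OPUT 'pkisrvd.webroot.derbin' '"outpath"' BINARY"
if rc <> 0 then call fail 'OPUT', rc

say 'Ring checked and CA certificate copied to' outpath
exit 0

/* Report the failing step and stop with its return code. */
fail:
  parse arg step, code
  say step 'failed with return code' code
  exit code
```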