z/OS Cryptographic Services System SSL Programming


gskkyman Overview

SC14-7495-00

gskkyman is a z/OS® shell-based program that creates, completes, and manages a z/OS file or z/OS PKCS #11 token that contains PKI private keys, certificate requests, and certificates. The z/OS file is called a key database and, by convention, has a file extension of .kdb. There is also an .rdb file that is a counterpart to the .kdb file.

The gskkyman utility only supports clear key operations.

The gskkyman utility only supports certificates that conform to RFC 2459: X.509 certificate, certificate revocation list, and certificate extensions or RFC 3280: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile.

RFC 5280: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile certificates can be used with gskkyman provided they conform to RFC 3280 rules for the certificate issuer name and subject name comparisons. Specifically, RFC 3280 indicates that UTF-8 values in the distinguished names must pass a case-sensitive (exact match) comparison to be considered equal. The gskkyman utility uses the issuer name and subject name values in the certificate to determine whether a certificate is self-signed and to perform certificate chaining. Therefore, gskkyman expects distinguished name attribute values to match according to a case-sensitive comparison when they are encoded as UTF-8 strings. RFC 5280 permits certificates in which the issuer name, the subject name, or both contain UTF-8 encoded attribute values that match only through a case-insensitive comparison. With such certificates, the gskkyman utility fails to detect self-signed certificates and fails to build certificate chains correctly. Therefore, these certificates cannot be used with gskkyman.
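The following added example (not IBM code and not part of gskkyman) shows a pre-import audit that flags certificates whose issuer and subject names match only case-insensitively, the case described above. It assumes distinguished names are already decoded into (attribute, value) pairs with every value UTF8String-encoded, uses `str.casefold()` as a simplified stand-in for the RFC 5280 comparison, and runs on constructed sample data.

```python
# Added example: flag certificates that chain (or look self-signed) only under
# a case-insensitive DN comparison. All attribute values are assumed to be
# UTF8String-encoded; the sample certificates below are constructed.
EXACT, CASE_ONLY, DIFFERENT = "exact", "case-only", "different"

def compare_dn(a, b):
    """Classify two DNs, each a tuple of (attribute, value) pairs."""
    if len(a) != len(b) or any(x[0] != y[0] for x, y in zip(a, b)):
        return DIFFERENT
    if all(x[1] == y[1] for x, y in zip(a, b)):
        return EXACT  # the exact match that RFC 3280 requires for UTF-8 values
    # Simplification: casefold() stands in for RFC 5280 string preparation.
    if all(x[1].casefold() == y[1].casefold() for x, y in zip(a, b)):
        return CASE_ONLY
    return DIFFERENT

def audit(certs):
    """Return (label, reason) for each name pair that matches only by case."""
    findings = []
    for label, cert in certs.items():
        # Self-signed check: issuer name against the certificate's own subject.
        if compare_dn(cert["issuer"], cert["subject"]) == CASE_ONLY:
            findings.append((label, "self-signed only if case is ignored"))
        # Chaining check: issuer name against every other certificate's subject.
        for other, cand in certs.items():
            if other != label and \
               compare_dn(cert["issuer"], cand["subject"]) == CASE_ONLY:
                findings.append((label, f"chains to {other} only if case is ignored"))
    return findings

ROOT_DN = (("O", "Example Corp"), ("CN", "Example Root CA"))
CERTS = {  # constructed sample data
    "root": {"subject": ROOT_DN, "issuer": ROOT_DN},
    "server-ok": {"subject": (("O", "Example Corp"), ("CN", "app.example.com")),
                  "issuer": ROOT_DN},
    "server-bad": {"subject": (("O", "Example Corp"), ("CN", "app2.example.com")),
                   "issuer": (("O", "example corp"), ("CN", "Example Root CA"))},
    "odd-root": {"subject": (("CN", "Test CA"),),
                 "issuer": (("CN", "test ca"),)},
}

if __name__ == "__main__":
    for label, reason in audit(CERTS):
        print(f"{label}: {reason}")
```
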

The interface to gskkyman, while command-line based, is an interactive dialog between you (the user) and the utility. At each step, the interactive gskkyman utility prompts you with one or more lines of output and expects a numeric choice to be supplied as input at the prompt. When a choice is made, the gskkyman utility prompts you for each individual piece of information that is needed to fulfill the request. Often there is a default choice, listed in parentheses at the end of the command prompt. If the default choice is acceptable, press Enter to select it. To use a value other than the default, enter the value at the prompt and press Enter. If you enter a value that is outside the acceptable range of inputs, you are prompted again for the information.
Note: For a description of command-line mode functions and options, see gskkyman command line mode syntax.





Copyright IBM Corporation 1990, 2014