z/OS Cryptographic Services ICSF Administrator's Guide


Export a public key to an X.509 certificate for importation elsewhere

SA22-7521-17

This service encases the public half of a public/private key PKDS record in an X.509 digital certificate so that it can be sent to another party. The other party can then send you data enciphered under the public key, which you can recover using the same PKDS record.

  • The certificate created will be stored in an MVS physical sequential data set.
  • The output data set will be created by the service with RECFM(V B).
  • You must supply the data set name where the certificate is to be stored.
  • The data set should not exist prior to export.
    • If the data set exists prior to export, its contents will be destroyed and the data set reallocated new.
  • The data set cannot be a PDS or PDS member.
  • You may specify a value for the subject's common name in the certificate, if desired.
    • If no value is specified, the PKDS record's label will be used as the common name.
  • Callable services:
    • CSNDKRR - reads the record from the PKDS
    • CSNDPKX - extracts just the public key from the record
    • CSNBOWH - hashes the to-be-signed portion of the generated certificate
    • CSNDDSG - signs the hash
Note:
  1. The key record specified must be a public or private key pair record and must support signing.
  2. The certificate's validity date range is hard-coded to be July 1, 2005 - December 31, 2040 UTC.
  3. The certificate created will be self-signed and DER encoded (binary).
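
For the party receiving the exported file: an added example (not IBM code) that checks a DER file against the properties in the notes above, namely issuer equal to subject and the fixed validity dates, and computes a SHA-256 fingerprint to compare with the sender out of band, since a self-signed certificate carries no chain of trust. The sample certificate, the label MY.PKDS.LABEL and the times of day in the validity fields are constructed for illustration; the signature itself is not verified.

```python
import hashlib
from datetime import datetime

def read_tlv(buf, pos=0):                   # -> (tag, value, end) of the DER element at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits count the length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):                        # split constructed content into (tag, value, raw)
    items, pos = [], 0
    while pos < len(value):
        tag, val, end = read_tlv(value, pos)
        items.append((tag, val, value[pos:end]))
        pos = end
    return items

def parse_time(tag, val):
    text = val.decode("ascii")
    if tag == 0x17:                         # UTCTime has a 2-digit year; RFC 5280: 50-99 => 19xx
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").date()

def inspect_cert(der):
    tag, cert, end = read_tlv(der)
    if tag != 0x30 or end != len(der):
        raise ValueError("not one DER SEQUENCE (PEM text or trailing bytes?)")
    # tbsCertificate fields, with the optional [0] version element dropped
    tbs = [c for c in children(children(cert)[0][1]) if c[0] != 0xA0]
    issuer, validity, subject = tbs[2], tbs[3], tbs[4]
    (nb_tag, nb, _), (na_tag, na, _) = children(validity[1])
    return {"issuer_is_subject": issuer[2] == subject[2],  # consistent with self-signed
            "not_before": parse_time(nb_tag, nb),
            "not_after": parse_time(na_tag, na),
            "sha256": hashlib.sha256(der).hexdigest()}     # compare with the sender out of band

def tlv(tag, body):                         # tiny encoder for the constructed sample (< 256 bytes)
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x81, n])) + body

def build_sample(label=b"MY.PKDS.LABEL"):   # constructed stand-in, not real ICSF output
    name = tlv(0x30, tlv(0x31, tlv(0x30, bytes.fromhex("0603550403") + tlv(0x0C, label))))
    alg = tlv(0x30, bytes.fromhex("06092a864886f70d01010b0500"))
    dates = tlv(0x30, tlv(0x17, b"050701000000Z") + tlv(0x17, b"401231235959Z"))
    spki = tlv(0x30, tlv(0x30, bytes.fromhex("06092a864886f70d0101010500")) + tlv(0x03, b"\0\0"))
    tbs = tlv(0x30, bytes.fromhex("a003020102020101") + alg + name + dates + name + spki)
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00\xde\xad\xbe\xef"))  # placeholder signature
```

To check a real export, read the transferred file in binary mode and pass its bytes to `inspect_cert`.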





Copyright IBM Corporation 1990, 2014