z/OS Security Server RACF Security Administrator's Guide


Using the RACDCERT command to administer certificates

z/OS Security Server RACF Security Administrator's Guide
SA23-2289-00

The RACDCERT command is used to store and maintain digital certificate information in RACF®, and should be used for all maintenance of certificate profiles and related user profile fields. For the command syntax and operand formats, see z/OS Security Server RACF Command Language Reference.

The RACDCERT command can be used to perform the following functions:

  • List information about the certificates for a specified RACF-defined user ID, or your own user ID.
  • Add a certificate and associate it with a specified RACF-defined user ID, or your own user ID, and set the TRUST status.
  • Alter the TRUST status or label for a certificate.
  • Delete a certificate.
  • Add or remove a certificate from a key ring.
  • Create, delete, or list a key ring.
  • Generate a public/private key pair and certificate, replicate a digital certificate with a new public/private key pair, or retire the use of an existing private key.
  • Write (export) a certificate or certificate package to a data set.
  • Create a certificate request.
  • Create, alter, delete, or list a certificate name filter (user ID mapping).
  • Add, delete, or list a z/OS® PKCS #11 token.
  • Bind a certificate to a z/OS PKCS #11 token.
  • Remove (unbind) a certificate from a z/OS PKCS #11 token.
  • Import a certificate (with its private key, if present) from a z/OS PKCS #11 token and add it to RACF.
  • List the content of a certificate and its issuers’ certificates and list information that can cause the certificate to be unusable.
  • Check whether a data set contains a valid chain of certificates and whether they have been installed in RACF.
The RACDCERT command is your primary administrative tool for managing digital certificates using RACF. Authority to use the RACDCERT command is controlled through resources in the FACILITY class. The RACDCERT command is used to manage resources in the following classes:
DIGTCERT
Profiles in the DIGTCERT class contain information about digital certificates, as well as the certificate itself and the private key, if any. For more information, see DIGTCERT general resource profiles.
DIGTRING
Profiles in the DIGTRING class contain information about key rings and the certificates that are part of each key ring. Key rings are named collections of the personal, site and certificate-authority certificates associated with a specific user. For more information, see DIGTRING general resource profiles.
DIGTNMAP
Profiles in the DIGTNMAP class contain information about certificate name filters. For more information, see DIGTNMAP general resource profiles.
USER
Profiles in the USER class contain information about digital certificates that are associated with the user.

This information is used by the RACDCERT command in its processing and by the DELUSER command to clean up certificate-related resources owned by the user ID being deleted.

Restriction: Profiles in the DIGTCERT, DIGTRING, and DIGTNMAP classes are automatically maintained through RACDCERT command processing. You cannot administer profiles in these classes using the RDEFINE, RALTER, and RDELETE commands; these commands do not operate on profiles in the DIGTCERT, DIGTRING, and DIGTNMAP classes. Because the names of these profiles contain lowercase characters, the SEARCH FILTER and RLIST commands are not intended for use with them and give unpredictable results.

You need not activate the DIGTCERT, DIGTCRIT, and DIGTRING classes to use resources in those classes. However, performance is improved when you activate and RACLIST the DIGTCERT and DIGTCRIT classes. See RACLISTing the DIGTCERT class and RACLISTing the DIGTCRIT class.
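The administration described above, as an added example that is not from this guide: a TSO REXX exec that restricts RACDCERT through FACILITY profiles (the IRR.DIGTCERT.function naming convention is documented in the Command Language Reference), then creates a key ring and certificate for a server user ID. The group CERTADM, user ID WEBSRV, ring WEBRING and certificate label are hypothetical.

```rexx
/* REXX: protect RACDCERT and set up a key ring for a server user ID.    */
/* Added example, not from the RACF Security Administrator's Guide.      */
/* Hypothetical names: admin group CERTADM, user WEBSRV, ring WEBRING,   */
/* certificate label 'WebServerCert'.                                    */
address TSO

/* 1. Least privilege: each RACDCERT function is protected by a FACILITY */
/*    profile named IRR.DIGTCERT.<function>. Define them with UACC(NONE) */
/*    and permit only the administrators who need each function.         */
funcs = 'GENCERT ADDRING CONNECT LIST LISTRING'
do i = 1 to words(funcs)
  prof = 'IRR.DIGTCERT.'word(funcs, i)
  "RDEFINE FACILITY" prof "UACC(NONE)"
  /* UPDATE lets CERTADM act on certificates owned by other user IDs    */
  /* (READ would only cover the administrator's own ID).                */
  "PERMIT" prof "CLASS(FACILITY) ID(CERTADM) ACCESS(UPDATE)"
end
"SETROPTS RACLIST(FACILITY) REFRESH"

/* 2. Create the key ring; RACDCERT creates the DIGTRING profile itself. */
"RACDCERT ID(WEBSRV) ADDRING(WEBRING)"

/* 3. Generate a key pair and self-signed certificate (DIGTCERT profile) */
/*    with an explicit expiry date and TRUST status.                     */
"RACDCERT ID(WEBSRV) GENCERT",
  "SUBJECTSDN(CN('web.example.com') O('Example') C('US'))",
  "WITHLABEL('WebServerCert') NOTAFTER(DATE(2026-12-31)) TRUST"

/* 4. Connect the certificate to the ring as its default personal cert. */
"RACDCERT ID(WEBSRV) CONNECT(ID(WEBSRV) LABEL('WebServerCert')",
  "RING(WEBRING) USAGE(PERSONAL) DEFAULT)"

/* 5. Verify with RACDCERT itself, not RLIST or SEARCH: the DIGTCERT and */
/*    DIGTRING profile names contain lowercase characters.               */
"RACDCERT ID(WEBSRV) LIST(LABEL('WebServerCert'))"
"RACDCERT ID(WEBSRV) LISTRING(WEBRING)"

/* 6. Only if DIGTCERT has been RACLISTed for performance: refresh so    */
/*    the new profile is visible to applications using the ring.         */
"SETROPTS RACLIST(DIGTCERT) REFRESH"
exit 0
```

Run it from a user ID that already holds the FACILITY authority to define profiles; each RACF command writes its own messages to the TSO session.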

See z/OS Security Server RACF Command Language Reference for more information about the RACDCERT command.

See RRSF considerations for digital certificates for information about propagating updates made by the RACDCERT command to other nodes in an RRSF network.

Copyright IBM Corporation 1990, 2014