Create a self-signed personal certificate on z/OS

Use this procedure to create a self-signed personal certificate.

  1. Generate a certificate and a public and private key pair using the following command:
    RACDCERT ID(userid2) GENCERT
    SUBJECTSDN(CN('common-name')
               T('title')
               OU('organizational-unit')
               O('organization')
               L('locality')
               SP('state-or-province')
               C('country'))
    WITHLABEL('label-name')
    
  2. Connect the certificate to your key ring using the following command:
    RACDCERT ID(userid1)
    CONNECT(ID(userid2) LABEL('label-name') RING(ring-name) USAGE(PERSONAL))
    

where:

  • userid1 is the user ID of the channel initiator address space or owner of the shared key ring.
  • userid2 is the user ID associated with the certificate and must be the user ID of the channel initiator address space.

    userid1 and userid2 can be the same ID.

  • ring-name is the name you gave the key ring in "Set up a key repository on z/OS".
  • label-name must be either the value of the IBM MQ CERTLABL attribute, if it is set, or the default ibmWebSphereMQ with the name of the queue manager appended. See "Digital certificate labels" for details.
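
The two steps above with the placeholders filled in, followed by two checks of the result. This is an added example, not part of the original procedure. It assumes constructed values: queue manager QM1, channel initiator user ID CHINUSR (used as both userid1 and userid2), key ring QM1RING, and CERTLABL not set. The trailing hyphens are TSO line-continuation characters.

```tso
 /* Constructed values: queue manager QM1, user ID CHINUSR,        */
 /* key ring QM1RING. CERTLABL is assumed not to be set, so the    */
 /* label is the default ibmWebSphereMQ followed by QM1.           */

 /* Step 1: no SIGNWITH operand, so the certificate is self-signed */
RACDCERT ID(CHINUSR) GENCERT -
  SUBJECTSDN(CN('QM1') -
             OU('Messaging') -
             O('Example Corp') -
             L('Hursley') -
             SP('Hampshire') -
             C('GB')) -
  WITHLABEL('ibmWebSphereMQQM1')

 /* Step 2: userid1 and userid2 are the same ID in this example    */
RACDCERT ID(CHINUSR) -
  CONNECT(ID(CHINUSR) LABEL('ibmWebSphereMQQM1') -
          RING(QM1RING) USAGE(PERSONAL))

 /* Check: certificate exists under CHINUSR with a private key     */
RACDCERT ID(CHINUSR) LIST(LABEL('ibmWebSphereMQQM1'))

 /* Check: the ring lists the label with USAGE PERSONAL            */
RACDCERT ID(CHINUSR) LISTRING(QM1RING)
```

RACF stores the label in mixed case, so enter it exactly as IBM MQ expects it.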
