Create a RACF signed personal certificate

RACF can function as a certificate authority and issue its own CA certificate.

This section uses the term signer certificate to denote a CA certificate issued by RACF.

The private key for the signer certificate must be in the RACF database before you carry out the following procedure:
  1. Use the following command to generate a personal certificate signed by RACF, using the signer certificate contained in your RACF database:

    RACDCERT ID(userid2) GENCERT
      SUBJECTSDN(CN('common-name')
                 T('title')
                 OU('organizational-unit')
                 O('organization')
                 L('locality')
                 SP('state-or-province')
                 C('country'))
      WITHLABEL('label-name')
      SIGNWITH(CERTAUTH LABEL('signer-label'))

  2. Connect the certificate to your key ring using the following command:

    RACDCERT ID(userid1)
      CONNECT(ID(userid2) LABEL('label-name') RING(ring-name) USAGE(PERSONAL))

where:

  • userid1 is the user ID of the channel initiator address space or owner of the shared key ring.
  • userid2 is the user ID associated with the certificate and must be the user ID of the channel initiator address space.

    userid1 and userid2 can be the same ID.

  • ring-name is the name you gave the key ring in Set up a key repository on z/OS.
  • label-name must be either the value of the IBM MQ CERTLABL attribute, if it is set, or the default label ibmWebSphereMQ with the name of the queue manager or queue sharing group appended (for example, ibmWebSphereMQ followed by the queue manager name). See Digital certificate labels for details.
  • signer-label is the label of your own signer certificate.
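
The procedure above filled in end to end, as an added example that is not part of the original topic. All values are constructed: MQCHIN is assumed to be the channel initiator user ID (so userid1 and userid2 are the same), QM01 the queue manager name (giving the default label ibmWebSphereMQQM01, with no CERTLABL set), MQRING the key ring created earlier, and MYCA the label of the RACF signer certificate. The SIZE and NOTAFTER options, the SETROPTS refresh and the two LIST commands are standard RACF commands not shown on the page; they are included because a practitioner would want the key size and validity stated explicitly and a check that the label and ring are what the channel initiator will look for.

```tso
/* Added example: every user ID, name and date below is constructed */

/* Step 1: generate the personal certificate, signed by the RACF CA  */
/* SIZE and NOTAFTER are assumptions, not values from the page       */
RACDCERT ID(MQCHIN) GENCERT
  SUBJECTSDN(CN('qm01.example.com')
             OU('MQ')
             O('Example Corp')
             C('US'))
  WITHLABEL('ibmWebSphereMQQM01')
  SIZE(2048)
  NOTAFTER(DATE(2027/12/31))
  SIGNWITH(CERTAUTH LABEL('MYCA'))

/* Step 2: connect it to the channel initiator's key ring as the     */
/* personal (private-key) certificate for that ring                  */
RACDCERT ID(MQCHIN)
  CONNECT(ID(MQCHIN) LABEL('ibmWebSphereMQQM01') RING(MQRING) USAGE(PERSONAL))

/* Make the new certificate and ring definitions visible if the      */
/* DIGTCERT and DIGTRING classes are RACLISTed                       */
SETROPTS RACLIST(DIGTCERT DIGTRING) REFRESH

/* Checks: confirm the label, the issuer (should be MYCA's subject), */
/* the key size and the validity period                              */
RACDCERT ID(MQCHIN) LIST(LABEL('ibmWebSphereMQQM01'))

/* Confirm the ring now holds the certificate with USAGE PERSONAL    */
/* and that the CA certificate is present as CERTAUTH                */
RACDCERT ID(MQCHIN) LISTRING(MQRING)
```

If the channel initiator reports that it cannot find its certificate, compare the label shown by LIST with the queue manager's CERTLABL value (or the default label) before assuming a key ring permission problem.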
