Adding personal certificates to a key repository on z/OS

Use this procedure to add or import a personal certificate to a key ring.

After the certificate authority sends you a new personal certificate, add it to the key ring using the following procedure:
  1. Add the certificate to the RACF database using the following command:
    RACDCERT ID(userid2) ADD(input-data-set-name) WITHLABEL('label-name')
    
  2. Connect the certificate to your key ring using the following command:
    RACDCERT ID(userid1)
    CONNECT(ID(userid2) LABEL('label-name') RING(ring-name) USAGE(PERSONAL))
    

where:

  • userid1 is the user ID of the channel initiator address space or owner of the shared key ring.
  • userid2 is the user ID associated with the certificate and must be the user ID of the channel initiator address space.
  • ring-name is the name you gave the key ring in Set up a key repository on z/OS.
  • input-data-set-name is the name of the data set containing the CA signed certificate. The data set must be cataloged and must not be a PDS or a member of a PDS. The record format (RECFM) expected by RACDCERT is VB. RACDCERT dynamically allocates and opens the data set, and reads the certificate from it as binary data.
  • label-name is the label name that was used when you created the original request. It must be either the value of the IBM MQ CERTLABL attribute, if it is set, or the default ibmWebSphereMQ with the name of the queue manager or queue sharing group appended. See Digital certificate labels for details.
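
The following batch TSO job is an added example, not part of the original IBM procedure. It runs both steps and then lists the certificate and the key ring so you can confirm that the certificate is connected with PERSONAL usage. The job card, the user ID QM1CHIN (used here as both userid1 and userid2), the queue manager name QM1, the ring name QM1RING and the data set name are constructed values; replace them with your own.

```jcl
//ADDCERT  JOB (ACCT),'ADD MQ CERT',CLASS=A,MSGCLASS=X
//* Constructed example values (assumptions, not from the procedure):
//*   QM1CHIN            channel initiator user ID, also owns the ring
//*   QM1RING            key ring name
//*   ibmWebSphereMQQM1  default label for queue manager QM1
//*   QM1CHIN.QM1.CERT   cataloged sequential data set, RECFM=VB,
//*                      holding the CA-signed certificate
//* Commands in SYSTSIN, in order:
//*   1. Add the certificate to the RACF database
//*   2. Connect it to the key ring with USAGE(PERSONAL)
//*   3. List the certificate to check its label and owner
//*   4. List the ring to check that the certificate is connected
//TSO      EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  RACDCERT ID(QM1CHIN) ADD('QM1CHIN.QM1.CERT') -
    WITHLABEL('ibmWebSphereMQQM1')
  RACDCERT ID(QM1CHIN) -
    CONNECT(ID(QM1CHIN) LABEL('ibmWebSphereMQQM1') -
    RING(QM1RING) USAGE(PERSONAL))
  RACDCERT ID(QM1CHIN) LIST(LABEL('ibmWebSphereMQQM1'))
  RACDCERT ID(QM1CHIN) LISTRING(QM1RING)
/*
```

In the LISTRING output, the entry for the label should show the certificate owner as ID(QM1CHIN) and the usage as PERSONAL.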
