Requesting a certificate from a certificate authority

You can use RACF to request a signing certificate (certificate authority certificate) from a certificate authority such as Verisign. Use an external certificate to authenticate your server to clients that cannot recognize RACF certificates.

You must have authorization to use the RACDCERT command. This command installs and maintains digital certificates, key rings, and digital certificate mappings in RACF.

  1. Create a self-signed certificate in RACF as a placeholder:
    RACDCERT ID(cics-region-userid) GENCERT,
     SUBJECTSDN(CN('username') 
               T ('username''s certificate') 
               OU('department') 
               O ('organization') 
               L ('city') 
               SP('state') 
               C ('country'))
     NOTBEFORE(DATE(start) TIME(00:00:00))
     NOTAFTER (DATE(finish) TIME(23:59:59))
     WITHLABEL(self-signed-certlabel)
     SIZE     (1024)
  2. Generate a certificate request, based on the placeholder certificate, to send to your external certificate authority. Use the RACDCERT GENREQ command:
    RACDCERT ID(cics-region-userid) GENREQ(LABEL('label'))
             DSN('request.dataset')
    where label is the label of the placeholder self-signed certificate. RACF saves the certificate request in the data set specified in the DSN parameter.
  3. Send the certificate request to the certificate authority, using a method that the certificate authority accepts.
  4. When you receive the certificate, save it in a new data set.
  5. Optional: If you are using a certificate authority that is not one of the default certificate authorities, for which certificates are already stored in the key database, you must import the certificate authority's certificate into your RACF database. See Importing a certificate from a file as a trusted CA certificate in the z/OS information center.
  6. Replace the self-signed certificate with your new CA-signed certificate:
    RACDCERT ID(cics-region-userid) ADD('response.dataset') TRUST

Create the key ring in the RACF database and add your CA-signed certificate.
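
A check to run on the request produced in step 2 before sending it in step 3, as an added example that is not part of the original page or of IBM's documentation: it parses the PKCS#10 request and reports the RSA key size, so you can confirm that it matches the SIZE value used in step 1. It assumes the request data set has been copied to a workstation as Base64 (PEM) text; `csr_rsa_bits` and `sample_request` are hypothetical names, and the sample request is a constructed, unsigned skeleton with a dummy modulus.

```python
import base64, re

RSA_OID = bytes.fromhex("2a864886f70d010101")    # rsaEncryption, 1.2.840.113549.1.1.1

def read_tlv(buf, pos=0):
    """Decode one DER element at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                            # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split the content of a constructed element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def csr_rsa_bits(pem_text):
    """Return the RSA modulus size, in bits, of a PEM-armoured PKCS#10 request."""
    m = re.search(r"-----BEGIN [A-Z ]*REQUEST-----(.+?)-----END", pem_text, re.S)
    if not m:
        raise ValueError("no PEM certificate request found")
    der = base64.b64decode("".join(m.group(1).split()))
    info = children(read_tlv(der)[1])[0][1]          # CertificationRequestInfo
    alg, key_bits = children(children(info)[2][1])   # SubjectPublicKeyInfo: algorithm, key
    if children(alg[1])[0][1] != RSA_OID:
        raise ValueError("public key is not RSA")
    rsa_key = read_tlv(key_bits[1][1:])[1]           # skip the BIT STRING unused-bits byte
    return int.from_bytes(children(rsa_key)[0][1], "big").bit_length()

def tlv(tag, body):
    """Encode one DER element (used only to build the constructed sample)."""
    n = len(body)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + body

def sample_request(bits):
    """Constructed, unsigned request skeleton with a dummy modulus of the given size."""
    modulus = b"\x00" + ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")
    key = tlv(0x30, tlv(0x02, modulus) + tlv(0x02, b"\x01\x00\x01"))
    spki = tlv(0x30, tlv(0x30, tlv(0x06, RSA_OID) + tlv(0x05, b"")) + tlv(0x03, b"\x00" + key))
    info = tlv(0x30, tlv(0x02, b"\x00") + tlv(0x30, b"") + spki + tlv(0xA0, b""))
    der = tlv(0x30, info + tlv(0x30, b"") + tlv(0x03, b"\x00"))
    armor = "NEW CERTIFICATE REQUEST"
    return f"-----BEGIN {armor}-----\n{base64.encodebytes(der).decode()}-----END {armor}-----\n"
```

Calling `csr_rsa_bits` on the text of the downloaded request returns the key size in bits; a `ValueError` means the file is not a PEM request or does not carry an RSA key.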