Migrating XCOM™ Data Transport® for z/OS 12.0 certificates to mainframe security from their current configuration in local USS datasets.
You may use self-signed certificates or those supplied by a Certificate Authority.
They can be stored in a keyring that is maintained by ACF2™, IBM RACF or Top Secret®. The XCOM™ Data Transport® for z/OS server or batch job must run with authority to use the appropriate KEYRING to which the certificates have been loaded. In this case, the required KEYRING is referenced in the [KEYRING] section in the configssl.cnf member. If a certificate other than the default is to be used, specify the certificate label in the configssl.cnf section [LABLCERT].
Please see: Configure the System SSL Configuration File in the XCOM Data Transport for z/OS - 12.0 online documentation. This includes the keyring parameters.
The requirement is (and has always been) that the root certificate (the cassl.pem and casslkey.pem files) is the same on both partners.
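One way to confirm that requirement before loading anything into a keyring is to compare certificate fingerprints and check that the key file belongs to the certificate. This is an added example, not taken from the XCOM documentation; the function names are hypothetical, and it assumes the partner's cassl.pem has been copied to the local system and that OpenSSL is available.

```shell
#!/bin/sh
# Added example: pre-migration checks on the PEM files named on this page.
# Function names are hypothetical; file paths are supplied by the caller.

# Print the SHA-256 fingerprint of a PEM certificate.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Succeed only if both files hold the same certificate.
# An unreadable file yields an empty fingerprint and therefore a failure.
same_root() {
    local_fp=$(cert_fingerprint "$1")
    partner_fp=$(cert_fingerprint "$2")
    [ -n "$local_fp" ] && [ "$local_fp" = "$partner_fp" ]
}

# Succeed only if the private key ($2) belongs to the certificate ($1).
# Optional $3 is an OpenSSL pass phrase source such as "env:KEYPASS",
# for use when the key file is encrypted.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$2" -pubout ${3:+-passin "$3"} 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Usage: sh check_root.sh <local cassl.pem> <local casslkey.pem> <partner cassl.pem>
if [ "$#" -eq 3 ]; then
    same_root "$1" "$3" || {
        echo "root certificate differs between partners" >&2
        exit 1
    }
    key_matches_cert "$1" "$2" || {
        echo "casslkey.pem does not belong to cassl.pem" >&2
        exit 1
    }
    echo "root certificate matches on both partners: $(cert_fingerprint "$1")"
fi
```

Running the same check on each partner confirms the key pair as well, without moving the private key between systems.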
Regarding a managed PKI infrastructure, the way certificate handling works today, you MUST have your certificates either
Making calls to retrieve certificates is not a function of XCOM. Locating and loading certificates is done by either OpenSSL or IBM's System SSL, depending on which you are using.
That said, XCOM has no ability or configuration to use certificates in any manner other than what is currently documented.