TSS EXPORT of certificate causes private key to be lost:
TSS EXPORT(CERTSITE) -
DIGICERT(CERTA) -
DCDSN('CERTA.DATASET ') -
FORMAT(PKCS7B64) PKCSPASS(CERTAPASS)
TSS CHKCERT shows the following:
THIS CERTIFICATE IS REGISTERED WITH CA-TOP SECRET
DIGICERT = CERTA ACCESSORID = USERA
ADMIN BY= BY(ADMINA ) SMFID(smfid) ON(09/19/2018) AT(09:05:37)
LABEL = CERTA
STATUS = TRUST
SERIAL# = 02
ISSUER DISTINGUISHED NAME:
.CN=CICS.O=SQ.C=CA
SUBJECT DISTINGUISHED NAME:
CN=CICS.O=XX.
DOMAIN NAME:
CICS.XX.
IP ADDRESS: 1.2.3.4.5
KEYUSAGE:
HANDSHAKE
PRIVATE KEY SIZE = 1024
PRIVATE KEY TYPE = RSA
ALGORITHM = sha-1WithRSAEncryption
NOT BEFORE = 2018/09/19 00:00:00 UTC
NOT AFTER = 2038/01/30 23:59:59 UTC
THIS CERTIFICATE IS CONNECTED TO THE FOLLOWING KEYRINGS:
ACID(USERA ) KEYRING(KEYRCICS)
TSS0300I CHKCERT FUNCTION SUCCESSFUL
Then TSS ADD the certificate from the exact same dataset on another LPAR that shares the same DASD:
TSS ADD(CERTSITE) -
DIGICERT(CERTA) -
DCDSN('CERTA.DATASET ') -
LABLCERT('CERTA') PKCSPASS(CERTAPASS) -
TRUST
TSS LIST shows no private key size, indicating that the private key is missing:
TSS LIST(CERTSITE) DATA(ALL)
ACCESSORID = CERTSITE NAME = SITE CERTIFICATES
TYPE = DEPT SIZE = 256 BYTES
CREATED = 01/06/23 00:00 LAST MOD = 19/01/15 14:32
----------- SEGMENT CERTDATA
DIGICERT = CERTA ACCESSORID = CERTSITE
ADMIN BY= BY(ADMINA ) SMFID( smfid) ON(01/15/2019) AT(14:32:41)
LABEL = CERTA
STATUS = TRUST
SERIAL# = 02
ISSUER DISTINGUISHED NAME:
.CN=CICS.O=XX.
SUBJECT DISTINGUISHED NAME:
CN=CICS.O=XX.
DOMAIN NAME:
CICS.QC.CA
IP ADDRESS: 1.2.3.4.5
KEYUSAGE:
HANDSHAKE
PUBLIC KEY SIZE = 1024
PUBLIC KEY TYPE = RSA
ALGORITHM = sha-1WithRSAEncryption
NOT BEFORE = 2018/09/19 00:00:00 UTC
NOT AFTER = 2038/01/30 23:59:59 UTC
CERTIFICATE WAS SIGNED BY: ACID(CERTAUTH) DIGICERT(AUTO0009)
Exporting a certificate into a PKCS7 package DOES NOT export the private key. A PKCS12 package must be exported in order to export the private key.
When you export the certificate in PKCS7 format and CHKCERT the dataset on the same LPAR (system) where the certificate resides, the private key is shown if the certificate has one.
If you then CHKCERT the same PKCS7 dataset on an LPAR that does not have the certificate, no private key is shown.
The EXPORT command that needs to be used is:
TSS EXPORT(CERTSITE) -
DIGICERT(CERTA) -
DCDSN('CERTA.DATASET ') -
FORMAT(PKCS12DER) PKCSPASS(CERTAPASS)
A CHKCERT on the second LPAR should now show the private key.
When adding the certificate on the second LPAR, PKCSPASS(CERTAPASS) must also be specified (the command is TSS ADD, not EXPORT):
TSS ADD(CERTSITE) -
DIGICERT(CERTA) -
DCDSN('CERTA.DATASET ') -
PKCSPASS(CERTAPASS)
A TSS LIST of the certificate should now show the private key.
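Before transferring an exported dataset to the second LPAR, it is useful to check which package type was actually written, since a PKCS7 package can never carry the private key while a PKCS12 (PFX) package can. The following is an added example, not part of the Top Secret documentation: a small DER sniffer that tells the two apart by the outer ASN.1 structure (PKCS7 ContentInfo starts with the signedData OID 1.2.840.113549.1.7.2; a PFX starts with INTEGER version 3). The sample inputs are constructed minimal DER fragments, and the handling of FORMAT(PKCS7B64) text assumes plain base64 with optional "-----" header/footer lines.

```python
import base64

PKCS7_SIGNED_DATA = "1.2.840.113549.1.7.2"   # PKCS#7 signedData content type

def _tlv(buf, pos):
    """Read one DER element at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _oid(value):
    """Decode a DER OBJECT IDENTIFIER body into dotted notation."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def to_der(data):
    """Accept raw DER bytes or the base64 text written by FORMAT(PKCS7B64)."""
    if data[:1] == b"\x30":                  # already DER (outer SEQUENCE)
        return data
    lines = [l for l in data.decode("ascii").splitlines() if not l.startswith("-----")]
    return base64.b64decode("".join(lines).replace(" ", ""))

def classify_export(data):
    """Return 'pkcs7', 'pkcs12' or 'unknown' for an exported certificate package."""
    tag, body, _ = _tlv(to_der(data), 0)
    if tag != 0x30:
        return "unknown"
    first_tag, first_val, _ = _tlv(body, 0)
    if first_tag == 0x06 and _oid(first_val) == PKCS7_SIGNED_DATA:
        return "pkcs7"                       # certificates only, no private key
    if first_tag == 0x02 and first_val == b"\x03":
        return "pkcs12"                      # PFX version 3, may carry a private key
    return "unknown"

def carries_private_key(data):
    """Only a PKCS12 package can contain the private key."""
    return classify_export(data) == "pkcs12"

# Constructed samples: minimal outer structures, not real exports.
SAMPLE_PKCS7_B64 = base64.b64encode(
    bytes.fromhex("300f06092a864886f70d010702a0023000")).decode().encode()
SAMPLE_PKCS12_DER = bytes.fromhex("30100201033 00b06092a864886f70d010701".replace(" ", ""))
```

Run `classify_export` over the exported dataset contents; a result of "pkcs7" means the EXPORT must be repeated with FORMAT(PKCS12DER) before the private key can follow the certificate to the other LPAR.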