How to extract an ACF2 SHA-2 Certificate into a .p12 file format for IDz.
Article ID: 131914
Updated On: 10-17-2023
Products
ACF2
ACF2 - DB2 Option
ACF2 for zVM
ACF2 - z/OS
ACF2 - MISC
Issue/Introduction
How to extract a z/OS SHA-2 Certificate from the ACF2 database into a file format with an extension of .p12
The extract process currently used creates the certificate into a dataset in a text readable format.
Downloading and using this file does not work as it isn't in the required file format.
This file is needed for IDz to communicate with z/OS.
The extract process currently used creates the certificate into a dataset in a text readable format.
Downloading and using this file does not work as it isn't in the required file format.
This file is needed for IDz to communicate with z/OS.
Environment
Release:
Component: ACF2MS
Component: ACF2MS
Resolution
The EXPORT subcommand is used in ACF2 to export an X.509 digital certificate from the CA ACF2 database and put it into a z/OS data set.
The data set can be used to insert the certificate in another system.
Conversely, the data set can be downloaded to a personal computer and installed in a web browser.
If you send the exported certificate to others that receive messages from you signed with your private key,
they can use the public key in the exported certificate to validate those messages.
They cannot forge messages from you because they do not have your private key.
Your public/private key pair can be exported using the PKCS12DER or PKCS12B64 format options.
Using these options generates a PKCS #12 certificate package containing the user certificate, its private key, and all
Certificate-Authority certificates necessary to complete the chain of certificates from user certificate to root CA certificate.
To extract certificates into the .p12 format there are two options DER-encoded PKCS#12 certificate package or
DER-encoded then base-64 encoded PKCS #12 certificate package.
For DER-encoded then base-64 encoded PKCS #12 certificate package the format of the command is:
ACF
EXPORT {logonid|logonid.suffix} DSNAME('dsname.P12') FORMAT(PKCS12B64) PASSWORD(xxxxxxxx)
END
For DER-encoded PKCS#12 certificate package the format is:
ACF
EXPORT {logonid|logonid.suffix} DSNAME('dsname.P12') FORMAT(PKCS12DER) PASSWORD(xxxxxxxx)
END
IDz requires FORMAT(PKCS12DER) - which is not in a text readable format
The data set can be used to insert the certificate in another system.
Conversely, the data set can be downloaded to a personal computer and installed in a web browser.
If you send the exported certificate to others that receive messages from you signed with your private key,
they can use the public key in the exported certificate to validate those messages.
They cannot forge messages from you because they do not have your private key.
Your public/private key pair can be exported using the PKCS12DER or PKCS12B64 format options.
Using these options generates a PKCS #12 certificate package containing the user certificate, its private key, and all
Certificate-Authority certificates necessary to complete the chain of certificates from user certificate to root CA certificate.
To extract certificates into the .p12 format there are two options DER-encoded PKCS#12 certificate package or
DER-encoded then base-64 encoded PKCS #12 certificate package.
For DER-encoded then base-64 encoded PKCS #12 certificate package the format of the command is:
ACF
EXPORT {logonid|logonid.suffix} DSNAME('dsname.P12') FORMAT(PKCS12B64) PASSWORD(xxxxxxxx)
END
For DER-encoded PKCS#12 certificate package the format is:
ACF
EXPORT {logonid|logonid.suffix} DSNAME('dsname.P12') FORMAT(PKCS12DER) PASSWORD(xxxxxxxx)
END
IDz requires FORMAT(PKCS12DER) - which is not in a text readable format
Feedback
Was this article helpful?
Yes
No
Powered by
