How to extract an ACF2 SHA-2 Certificate into a .p12 file format for IDz.

Article ID: 131914


Products: ACF2, ACF2 - DB2 Option, ACF2 for zVM, ACF2 - z/OS, ACF2 - MISC


How can a z/OS SHA-2 certificate be extracted from the ACF2 database into a file with a .p12 extension?
The extract process currently used writes the certificate to a data set in a text-readable format.
Downloading and using this file does not work because it is not in the required file format.
IDz needs this file to communicate with z/OS.


Component: ACF2MS


The EXPORT subcommand is used in ACF2 to export an X.509 digital certificate from the CA ACF2 database and put it into a z/OS data set.
The data set can be used to insert the certificate in another system.
Alternatively, the data set can be downloaded to a personal computer and installed in a web browser.
If you send the exported certificate to others who receive messages from you signed with your private key,
they can use the public key in the exported certificate to validate those messages.
They cannot forge messages from you because they do not have your private key.
Your public/private key pair can be exported using the PKCS12DER or PKCS12B64 format options.
Using these options generates a PKCS #12 certificate package containing the user certificate, its private key, and all
Certificate-Authority certificates necessary to complete the chain of certificates from user certificate to root CA certificate.
To extract certificates into the .p12 format there are two options: a DER-encoded PKCS #12 certificate package, or
a DER-encoded then base-64 encoded PKCS #12 certificate package.

For a DER-encoded then base-64 encoded PKCS #12 certificate package, the format of the command is:

EXPORT {logonid|logonid.suffix} DSNAME('dsname.P12') FORMAT(PKCS12B64) PASSWORD(xxxxxxxx)

For a DER-encoded PKCS #12 certificate package, the format is:

EXPORT {logonid|logonid.suffix} DSNAME('dsname.P12') FORMAT(PKCS12DER) PASSWORD(xxxxxxxx)

IDz requires FORMAT(PKCS12DER), which is not a text-readable format.
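
A workstation-side check for the two export formats above, as an added example that is not part of the original article or of any ACF2 or IDz tooling: it tells a binary PKCS12DER download from a PKCS12B64 (text) one and flags a file whose length no longer matches its DER header (truncation or trailing bytes). The function names, result labels and the 7-byte sample (a constructed PFX skeleton, not a real keystore) are assumptions, and definite-length DER is assumed.

```python
import base64
import binascii

# Constructed sample: outer SEQUENCE holding only the PFX version INTEGER 3
# and an empty inner SEQUENCE. A skeleton for the check, not a real keystore.
SAMPLE_DER = bytes([0x30, 0x05, 0x02, 0x01, 0x03, 0x30, 0x00])

def _der_header(data):
    """Return (content_offset, content_length) of the outer SEQUENCE, or None."""
    if len(data) < 2 or data[0] != 0x30:       # a PFX starts with SEQUENCE
        return None
    first = data[1]
    if first < 0x80:                           # short-form length
        return 2, first
    n = first & 0x7F                           # long form: n length bytes follow
    if n == 0 or n > 4 or len(data) < 2 + n:   # 0x80 (indefinite) is not DER
        return None
    return 2 + n, int.from_bytes(data[2:2 + n], "big")

def classify_p12(data):
    """Label bytes as pkcs12-der, pkcs12-der-damaged, pkcs12-base64 or unknown."""
    if not data:
        return "unknown"
    hdr = _der_header(data)
    if hdr:
        off, length = hdr
        if data[off:off + 3] != b"\x02\x01\x03":   # version INTEGER must be 3
            return "unknown"
        # The declared length must account for every byte in the file.
        return "pkcs12-der" if off + length == len(data) else "pkcs12-der-damaged"
    try:
        text = data.decode("ascii")            # base64 output is plain ASCII
    except UnicodeDecodeError:
        return "unknown"                       # e.g. untranslated EBCDIC text
    # Assumption: tolerate optional "-----" armor lines around the base64 body.
    body = "".join(ln.strip() for ln in text.splitlines()
                   if not ln.startswith("-----"))
    try:
        decoded = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return "unknown"
    return "pkcs12-base64" if classify_p12(decoded) == "pkcs12-der" else "unknown"

if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as fh:        # path to the downloaded file
        print(classify_p12(fh.read()))
```

A result other than `pkcs12-der` means the file is not in the format IDz requires and the export or download should be repeated.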