How to extract an ACF2 SHA-2 Certificate into a .p12 file format for IDz.

Article ID: 131914

Products

CA ACF2, CA ACF2 - DB2 Option, CA ACF2 for zVM, CA ACF2 - z/OS, CA ACF2 - MISC

Issue/Introduction

How to extract a z/OS SHA-2 certificate from the ACF2 database into a file with the extension .p12.
The extract process currently used writes the certificate to a data set in a text-readable format.
Downloading and using this file does not work because it is not in the required file format.
This file is needed for IDz to communicate with z/OS.

Environment

Release:
Component: ACF2MS

Resolution

The EXPORT subcommand is used in ACF2 to export an X.509 digital certificate from the CA ACF2 database and put it into a z/OS data set.
The data set can be used to insert the certificate in another system.
Alternatively, the data set can be downloaded to a personal computer and installed in a web browser.
If you send the exported certificate to others who receive messages from you signed with your private key,
they can use the public key in the exported certificate to validate those messages.
They cannot forge messages from you because they do not have your private key.
Your public/private key pair can be exported using the PKCS12DER or PKCS12B64 format options.
Using these options generates a PKCS #12 certificate package containing the user certificate, its private key, and all
Certificate-Authority certificates necessary to complete the chain of certificates from user certificate to root CA certificate.
To extract certificates into the .p12 format there are two options: a DER-encoded PKCS #12 certificate package, or a
DER-encoded, then base-64 encoded, PKCS #12 certificate package.

For the DER-encoded, then base-64 encoded, PKCS #12 certificate package, the format of the command is:

ACF
EXPORT {logonid|logonid.suffix} DSNAME('dsname.P12') FORMAT(PKCS12B64) PASSWORD(xxxxxxxx)
END

For the DER-encoded PKCS #12 certificate package, the format is:

ACF
EXPORT {logonid|logonid.suffix} DSNAME('dsname.P12') FORMAT(PKCS12DER) PASSWORD(xxxxxxxx)
END

IDz requires FORMAT(PKCS12DER), which is a binary format and is not text readable.
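
One way to check on the workstation which of the two forms a downloaded file is in, before pointing IDz at it (an added example, not part of the original article or of any CA ACF2 or IDz tooling). The function names are hypothetical, the sample bytes are a constructed skeleton rather than a real certificate package, and the handling of "-----" header lines in base-64 output is an assumption.

```python
import base64
import binascii

# DER bytes of the OID prefix 1.2.840.113549.1.7 (PKCS #7 content types).
PKCS7_OID_PREFIX = bytes.fromhex("2a864886f70d0107")
# Constructed sample: a minimal PFX-shaped skeleton, not a usable package.
SAMPLE_DER = bytes.fromhex("3014020103300f06092a864886f70d010701a0020400")
SAMPLE_B64 = base64.encodebytes(SAMPLE_DER)

def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length >= 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad length field")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("length exceeds data")
    return tag, pos, pos + length

def looks_like_pfx(der):
    """True if der opens like a PKCS #12 PFX: SEQUENCE { INTEGER 3, ContentInfo }."""
    try:
        t1, start, _ = _read_tlv(der, 0)      # outer PFX SEQUENCE
        t2, vs, ve = _read_tlv(der, start)    # version INTEGER
        t3, cs, _ = _read_tlv(der, ve)        # authSafe ContentInfo
        t4, o1, o2 = _read_tlv(der, cs)       # contentType OID
    except ValueError:
        return False
    return ((t1, t2, t3, t4) == (0x30, 0x02, 0x30, 0x06)
            and der[vs:ve] == b"\x03"
            and der[o1:o2].startswith(PKCS7_OID_PREFIX))

def classify_export(data):
    """Classify raw file bytes as 'PKCS12DER', 'PKCS12B64' or 'unrecognized'."""
    if looks_like_pfx(data):
        return "PKCS12DER"
    try:
        # Assumption: drop any "-----" header/footer lines if the file has them.
        lines = data.decode("ascii").splitlines()
        body = "".join(l.strip() for l in lines if not l.startswith("-----"))
        if looks_like_pfx(base64.b64decode(body, validate=True)):
            return "PKCS12B64"
    except (UnicodeDecodeError, binascii.Error):
        pass
    return "unrecognized"
```

Call `classify_export(open(path, "rb").read())` on the downloaded file; only a result of `PKCS12DER` matches what the article says IDz requires.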