SAFCRRPT Certificate Utility queries
Article ID: 144320
Updated On:
Products
ACF2
ACF2 - DB2 Option
ACF2 for zVM
ACF2 - z/OS
ACF2 - MISC
Issue/Introduction
Does ACF2 generate a report containing certificate information in XML or JSON file format? Can the SAFCRRPT utility accomplish this?
Environment
Release : 16.0
Component : CA ACF2 for z/OS
Resolution
Currently, there isn't a mechanism that produces a report containing certificate information in XML or JSON format.
The SAFCRRPT report generates data that can be captured into a dataset, via the SYSPRINT DD statement. However, the datasets will have to be converted to XML or JSON format using another tool.
Using the Export command, a certificate can be exported into a dataset and then sent/FTP'd to another environment (such as a PC), and then imported. This would require processing each certificate one at a time. The ACF2 EXPORT formats are DER & B64, which are both widely accepted:
Format(CERTDER)
Indicates that the exported certificate should be encoded using the X.509 Distinguished Encoding Rules (DER). This is the standard form of an X.509 certificate. It is a binary file, so if it is being transferred using FTP, BINARY or IMAGE mode must be used.
Format(CERTB64)
Indicates that the exported certificate should be encoded using base-64 encoding. This encoding is applied to the standard X.509 certificate to make it possible to ship the certificate through systems, such as E-mail systems, that cannot handle binary files. This is a text file, so if it is being transferred using FTP, ASCII or TEXT mode must be used. Format(CERTB64) is the default if no format is specified.
Format(PKCS12DER)
Specifies a DER-encoded PKCS#12 certificate package. This will export a certificate(and its Private key) and its CA chain. If this option is selected, a PASSWORD must also be supplied. Format PKCS12DER must be used if you need to import a PKCS#12 certificate package on Windows, since Windows cannot directly import a PKCS12B64 format PKCS#12 package.
Format(PKCS12B64)
Specifies a DER-encoded then base-64 encoded PKCS #12 certificate package. This will export a certificate(and its Private key) and its CA chain. If this option is selected, a PASSWORD must also be supplied. Format (PKCS12B64) is the default if a password has been specified but no format is specified.
Format(PKCS7DER)
Specifies a DER encoded PKCS 7 certificate package. This will export a certificate and its CA chain. If a certificate in the chain cannot be found under the CERTAUTH ID or the certificate is expired, an informational message will be issued and an incomplete PKCS 7 package will be created. CA ACF2 will still be able to process the incomplete package but it may not be useful to OEM products.
Format(PKCS7B64)
Specifies a base-64 encoded PKCS 7 certificate package. This will export a certificate and its CA chain. If a certificate in the chain cannot be found under the CERTAUTH ID or the certificate is expired, an informational message will be issued and an incomplete PKCS 7 package will be created. CA ACF2 will still be able to process the incomplete package but it may not be useful to OEM products.
The SAFCRRPT report generates data that can be captured into a dataset, via the SYSPRINT DD statement. However, the datasets will have to be converted to XML or JSON format using another tool.
Using the Export command, a certificate can be exported into a dataset and then sent/FTP'd to another environment (such as a PC), and then imported. This would require processing each certificate one at a time. The ACF2 EXPORT formats are DER & B64, which are both widely accepted:
Format(CERTDER)
Indicates that the exported certificate should be encoded using the X.509 Distinguished Encoding Rules (DER). This is the standard form of an X.509 certificate. It is a binary file, so if it is being transferred using FTP, BINARY or IMAGE mode must be used.
Format(CERTB64)
Indicates that the exported certificate should be encoded using base-64 encoding. This encoding is applied to the standard X.509 certificate to make it possible to ship the certificate through systems, such as E-mail systems, that cannot handle binary files. This is a text file, so if it is being transferred using FTP, ASCII or TEXT mode must be used. Format(CERTB64) is the default if no format is specified.
Format(PKCS12DER)
Specifies a DER-encoded PKCS#12 certificate package. This will export a certificate(and its Private key) and its CA chain. If this option is selected, a PASSWORD must also be supplied. Format PKCS12DER must be used if you need to import a PKCS#12 certificate package on Windows, since Windows cannot directly import a PKCS12B64 format PKCS#12 package.
Format(PKCS12B64)
Specifies a DER-encoded then base-64 encoded PKCS #12 certificate package. This will export a certificate(and its Private key) and its CA chain. If this option is selected, a PASSWORD must also be supplied. Format (PKCS12B64) is the default if a password has been specified but no format is specified.
Format(PKCS7DER)
Specifies a DER encoded PKCS 7 certificate package. This will export a certificate and its CA chain. If a certificate in the chain cannot be found under the CERTAUTH ID or the certificate is expired, an informational message will be issued and an incomplete PKCS 7 package will be created. CA ACF2 will still be able to process the incomplete package but it may not be useful to OEM products.
Format(PKCS7B64)
Specifies a base-64 encoded PKCS 7 certificate package. This will export a certificate and its CA chain. If a certificate in the chain cannot be found under the CERTAUTH ID or the certificate is expired, an informational message will be issued and an incomplete PKCS 7 package will be created. CA ACF2 will still be able to process the incomplete package but it may not be useful to OEM products.
Feedback
Yes
No
Powered by
