SAFCRRPT Certificate Utility queries

book

Article ID: 144320

calendar_today

Updated On:

Products

CA ACF2 CA ACF2 - DB2 Option CA ACF2 for zVM CA ACF2 - z/OS CA ACF2 - MISC

Issue/Introduction

Does ACF2 generate a report containing certificate information in XML or JSON file format? Can the SAFCRRPT utility accomplish this?

Environment

Release : 16.0

Component : CA ACF2 for z/OS

Resolution

Currently, there isn't a mechanism that produces a report containing certificate information in XML or JSON format.

The SAFCRRPT report generates data that can be captured into a dataset, via the SYSPRINT DD statement. However, the datasets will have to be converted to XML or JSON format using another tool. 

Using the Export command, a certificate can be exported into a dataset and then sent/FTP'd to another environment (such as a PC), and then imported. This would require processing each certificate one at a time. The ACF2 EXPORT formats are DER & B64, which are both widely accepted:

Format(CERTDER)
Indicates that the exported certificate should be encoded using the X.509 Distinguished Encoding Rules (DER). This is the standard form of an X.509 certificate. It is a binary file, so if it is being transferred using FTP, BINARY or IMAGE mode must be used.

Format(CERTB64)
Indicates that the exported certificate should be encoded using base-64 encoding. This encoding is applied to the standard X.509 certificate to make it possible to ship the certificate through systems, such as E-mail systems, that cannot handle binary files. This is a text file, so if it is being transferred using FTP, ASCII or TEXT mode must be used. Format(CERTB64) is the default if no format is specified.

Format(PKCS12DER)
Specifies a DER-encoded PKCS#12 certificate package. This will export a certificate(and its Private key) and its CA chain. If this option is selected, a PASSWORD must also be supplied. Format PKCS12DER must be used if you need to import a PKCS#12 certificate package on Windows, since Windows cannot directly import a PKCS12B64 format PKCS#12 package.

Format(PKCS12B64)
Specifies a DER-encoded then base-64 encoded PKCS #12 certificate package. This will export a certificate(and its Private key) and its CA chain. If this option is selected, a PASSWORD must also be supplied. Format (PKCS12B64) is the default if a password has been specified but no format is specified.

Format(PKCS7DER)
Specifies a DER encoded PKCS 7 certificate package. This will export a certificate and its CA chain. If a certificate in the chain cannot be found under the CERTAUTH ID or the certificate is expired, an informational message will be issued and an incomplete PKCS 7 package will be created. CA ACF2 will still be able to process the incomplete package but it may not be useful to OEM products.

Format(PKCS7B64)
Specifies a base-64 encoded PKCS 7 certificate package. This will export a certificate and its CA chain. If a certificate in the chain cannot be found under the CERTAUTH ID or the certificate is expired, an informational message will be issued and an incomplete PKCS 7 package will be created. CA ACF2 will still be able to process the incomplete package but it may not be useful to OEM products.