Add a Client and Root certificate to Top Secret and a keyring

Article ID: 15360

Products

Top Secret, Top Secret - LDAP

Issue/Introduction

How do you add a client certificate and root certificate pair to the CA Top Secret Security File and then to a keyring?
The certificates are already in datasets. The client certificate is password protected.

Resolution

Example:
The following datasets contain the certs:
ROOT.PUBLIC.CERTS.PEM (contains the root cert)
CLIENT.PUBLIC.CERTS.P12 (contains the client cert, password protected with 'mandolin')
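Before running the TSS ADD commands it is worth confirming that the P12 really opens with the stated password and that the client cert chains to the root in the PEM file; a mismatched pair loaded with TRUST produces a keyring that fails TLS handshakes. The following shell script is an added example, not part of the article, and is meant to be run with openssl on a workstation or USS copy of the two files before they are uploaded to the datasets. The sample root, client certificate and the password 'mandolin' are constructed inline for the demonstration.

```shell
#!/bin/sh
set -eu

# check_pair ROOT.PEM CLIENT.P12 PASSWORD
# Prints OK / MISMATCH / BADPASS and returns 0 only for OK.
check_pair() {
    root_pem=$1; client_p12=$2; pass=$3
    tmp=$(mktemp -d)
    # Extract only the end-entity certificate; a wrong password fails here.
    if ! openssl pkcs12 -in "$client_p12" -passin "pass:$pass" \
            -clcerts -nokeys -out "$tmp/client.pem" 2>/dev/null; then
        rm -rf "$tmp"; echo "BADPASS"; return 1
    fi
    # Does the client cert chain to the root we are about to mark CERTAUTH?
    if openssl verify -CAfile "$root_pem" "$tmp/client.pem" >/dev/null 2>&1; then
        rm -rf "$tmp"; echo "OK"; return 0
    fi
    rm -rf "$tmp"; echo "MISMATCH"; return 1
}

# Constructed sample input (hypothetical, for the demo only): a throwaway root
# CA, a client cert it signed, packaged as the PEM/P12 pair the article
# expects with password 'mandolin', plus an unrelated root for the mismatch case.
make_sample() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Sample Root" \
        -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Sample Client" \
        -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null
    openssl x509 -req -in "$dir/client.csr" -CA "$dir/root.pem" \
        -CAkey "$dir/root.key" -CAcreateserial -days 1 \
        -out "$dir/client.crt" 2>/dev/null
    openssl pkcs12 -export -in "$dir/client.crt" -inkey "$dir/client.key" \
        -passout pass:mandolin -out "$dir/client.p12"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Other Root" \
        -keyout "$dir/other.key" -out "$dir/other.pem" 2>/dev/null
}
```

Run `check_pair ROOT.PUBLIC.CERTS.PEM CLIENT.PUBLIC.CERTS.P12 mandolin` against the real files; only an OK result means the two TSS ADD commands below will load a consistent pair.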

1. Add the certs to the Security File:
TSS ADD(CERTAUTH) DIGICERT(ROOT1) DCDSN(ROOT.PUBLIC.CERTS.PEM) TRUST
TSS ADD(CERTSITE) DIGICERT(CLIENT1) DCDSN(CLIENT.PUBLIC.CERTS.P12) PKCSPASS(mandolin) TRUST

2. Create keyrings for users that need them:
TSS ADD(USERA) KEYRING(USERRING)
TSS ADD(USERB) KEYRING(USERRING)
TSS ADD(USERC) KEYRING(USERRING)

3. Connect the root and personal certs to each user's keyring:
TSS ADD(USERB) KEYRING(USERRING) RINGDATA(CERTSITE,CLIENT1) USAGE(PERSONAL) DEFAULT
TSS ADD(USERB) KEYRING(USERRING) RINGDATA(CERTAUTH,ROOT1) USAGE(CERTAUTH)
TSS ADD(USERA) KEYRING(USERRING) RINGDATA(CERTSITE,CLIENT1) USAGE(PERSONAL) DEFAULT
TSS ADD(USERA) KEYRING(USERRING) RINGDATA(CERTAUTH,ROOT1) USAGE(CERTAUTH)

4. Authorize the users for digital certificates:
TSS PER(USERA) IBMFAC(IRR.DIGTCERT) ACC(CONTROL)
TSS PER(USERB) IBMFAC(IRR.DIGTCERT) ACC(CONTROL)
Without this permission, the users are not authorized to use digital certificates.

5. When specifying the keyring name to the application, make sure it matches the keyring name defined above exactly: both the digicert name and the keyring name are case sensitive.