How to add a client certificate and root certificate pair to the CA Top Secret security file and then to a keyring.
The certificates are already in datasets. The client certificate is password protected.
Example:
The following datasets contain the certificates:
ROOT.PUBLIC.CERTS.PEM (contains the root cert)
CLIENT.PUBLIC.CERTS.P12 (contains the client cert, password protected with 'mandolin')
1. Add the certificates to the security file:
TSS ADD(CERTAUTH) DIGICERT(ROOT1) DCDSN(ROOT.PUBLIC.CERTS.PEM) TRUST
TSS ADD(CERTSITE) DIGICERT(CLIENT1) DCDSN(CLIENT.PUBLIC.CERTS.P12) PKCSPASS(mandolin) TRUST
2. Create keyrings for users that need them:
TSS ADD(USERA) KEYRING(USERRING)
TSS ADD(USERB) KEYRING(USERRING)
TSS ADD(USERC) KEYRING(USERRING)
3. Connect the root and personal certificates to the keyrings of the users:
TSS ADD(USERB) KEYRING(USERRING) RINGDATA(CERTSITE,CLIENT1) USAGE(PERSONAL) DEFAULT
TSS ADD(USERB) KEYRING(USERRING) RINGDATA(CERTAUTH,ROOT1) USAGE(CERTAUTH)
TSS ADD(USERA) KEYRING(USERRING) RINGDATA(CERTSITE,CLIENT1) USAGE(PERSONAL) DEFAULT
TSS ADD(USERA) KEYRING(USERRING) RINGDATA(CERTAUTH,ROOT1) USAGE(CERTAUTH)
4. Authorize the users for digital certificates:
TSS PER(USERA) IBMFAC(IRR.DIGTCERT) ACC(CONTROL)
TSS PER(USERB) IBMFAC(IRR.DIGTCERT) ACC(CONTROL)
Without the permission, users will not be authorized to use digital certificates.
5. When specifying the keyring to the application, use the LABLRING value and make sure it matches the LABLRING exactly. Digicert names, keyring names and labels are case sensitive.