Steps to create a certificate, send it to a third-party CA for signing, and then add the signed certificate to a keyring.
Release : 16.0
Component : CA Top Secret for z/OS
Commands to set up a keyring using a certificate signed by a third-party CA:
1) Generate a Certificate:
TSS GENCERT(acid) DIGICERT(certU) SUBJECTN('o="company" CN="selfsigned cert" OU="department" C="US" ')
**Substitute your own values for the lower-case items.
**If you do not specify LABLCERT, the certificate label defaults to the DIGICERT name. This is the best choice: the label and the DIGICERT name are then the same, so there is no risk of supplying the DIGICERT name where an application parmfile expects the label. Some applications require a specific certificate label; in that case follow the application documentation.
2) Create a CSR (Certificate Signing Request). This writes the request to a dataset in PKCS#10 format. A PKCS#10 request carries the subject name and the public key only; it does not contain the private key, which stays in the Top Secret database:
TSS GENREQ(acid) DIGICERT(certU) DCDSN('unsigned.cert')
**Note: The dataset must not be preallocated.
***CAUTION NOTE*** Do not delete the original certU. It holds the private key. If you delete it before the keys are paired (step 5), the private key is gone for good and the certificate the CA returns is useless; you would have to start again from step 1.
3) Send the request in the dataset to the Certificate Authority to be signed.
4) Receive the signed certificate from the CA (Certificate Authority) and put it into a dataset.
5) Add the signed certificate back to the owning acid under a slightly different name. It is good practice to end certificate names with U for unsigned and S for signed:
TSS ADD(acid) DIGICERT(certS) DCDSN('signed.cert')
TRUST
**Note: You may receive message TSS1573I THE CERTIFICATE <digicertname> SIGNER NOT FOUND. ADDING CERTIFICATE WITH NOTRUST STATUS. This means the certificate of the signing CA is not yet in the Top Secret database, so the signature chain could not be verified at ADD time. Once the CA certificate has been added (see step 7), set the trust status explicitly:
TSS REPLACE(acid) DIGICERT(certS) TRUST
The ADD command above matched the public key in the signed certificate against the private key generated in step 1 and paired them; certS now holds the signed certificate together with its private key.
6) Create the KEYRING:
TSS ADD(acid) KEYRING(keyring)
**If you do not specify LABLRING, the keyring label defaults to the keyring name. Some applications require a specific keyring label; in that case follow the application documentation.
7) Add the certificates to the keyring:
TSS ADD(acid) KEYRING(keyring) RINGDATA(owner,certS) USAGE(PERSONAL) DEFAULT
You must also connect every CA certificate in the signing chain (the issuing CA and any intermediates up to the root) so the chain can be validated. The CA certificates must already exist in the Top Secret database under CERTAUTH, added from their own datasets with TRUST, before they can be connected:
TSS ADD(acid) KEYRING(keyring) RINGDATA(CERTAUTH,ca-cert) USAGE(CERTAUTH)
8) Give the owner of the keyring the following permits so it can read the keyring and the certificates on it:
TSS ADD(dept) IBMFAC(IRR.DIGTCERT) <---(skip if the IRR.DIGTCERT resource is already owned)
TSS PER(acid) IBMFAC(IRR.DIGTCERT.LISTRING) ACCESS(UPDATE)
TSS PER(acid) IBMFAC(IRR.DIGTCERT.LIST) ACCESS(UPDATE)
Note: UPDATE access is enough only when the personal certificate on the ring is owned by the same acid as the keyring. If the client/personal certificate is owned by a different acid, specify ACCESS(CONTROL) instead of ACCESS(UPDATE) on the PERMIT commands.
9) For the SERVER, a copy of its personal certificate needs to be sent to the client. The following command writes the certificate to a dataset; the private key is not exported and never leaves the Top Secret database:
TSS EXPORT(acid) DIGICERT(certS) DCDSN('signed.server.cert')
10) Send the certificate to the client.
11) The client adds this certificate to its own keyring.
**Note: Many SERVER/CLIENT setups authenticate in both directions. In that case each side sends the other its personal certificate, and each side adds the certificate it receives to its own keyring.
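The procedure above sends a PKCS#10 request out to a CA and brings a signed certificate back in, and the pairing in step 5 can only succeed if the certificate the CA returned was issued for the key that GENREQ generated. The following is an added example, not part of this article and not CA Top Secret code: a Python check that runs on a workstation against the downloaded request and certificate using only the standard library. It confirms that the file going to the CA is a CertificationRequest (and so carries no private key; a PKCS#8 or PKCS#1 private-key file is rejected, which goes slightly beyond what the text states) and that the SubjectPublicKeyInfo in the returned certificate equals the one in the request. The helper names, the DER walker and the sample request/certificate/private-key bytes are all constructed for this example; the samples are shaped like real objects but use filler bytes in place of key material and signatures.

```python
"""Added example for step 5 (not CA Top Secret code): using only the Python
standard library, confirm that the file about to go to the CA is a PKCS#10
request rather than a private key, and that the certificate the CA returned
carries the same public key as that request. Sample bytes are constructed."""
import base64
import re

SEQ, SET, INT, BITS, OCT, OID, PRINT, UTC, CTX0 = 0x30, 0x31, 0x02, 0x03, 0x04, 0x06, 0x13, 0x17, 0xA0

def der_tlv(tag, value):
    """Encode one DER tag-length-value; lengths of 128 or more use the long form."""
    n = len(value)
    lb = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 0x80 else 0x80 | len(lb)]) + lb + value

def der_read(buf, pos=0):
    """Decode the TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Split a constructed value into [(tag, value), ...]."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_read(value, pos)
        out.append((tag, val))
    return out

def load_der(data):
    """Accept raw DER, bare base64 or PEM text (a downloaded dataset is usually base64)."""
    if isinstance(data, bytes) and data[:1] == b"\x30":
        return data
    text = data.decode() if isinstance(data, bytes) else data
    m = re.search(r"-----BEGIN [^-]+-----(.*?)-----END [^-]+-----", text, re.S)
    return base64.b64decode("".join((m.group(1) if m else text).split()))

def to_pem(label, der):
    """Wrap DER in PEM armor, 64 characters per line."""
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN {label}-----\n" + "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64)) + f"\n-----END {label}-----\n"

def is_pkcs10(der):
    """CertificationRequest ::= SEQUENCE { SEQUENCE { INTEGER, Name, SPKI, [0] attrs }, sigAlg, BIT STRING }.
    A PKCS#8/PKCS#1 private key opens with an INTEGER and a certificate's TBS part differs, so both fail."""
    tag, body, _ = der_read(der)
    kids = der_children(body)
    if tag != SEQ or [k[0] for k in kids] != [SEQ, SEQ, BITS]:
        return False
    return [k[0] for k in der_children(kids[0][1])] == [INT, SEQ, SEQ, CTX0]

def csr_public_key(der):
    """SubjectPublicKeyInfo contents of a PKCS#10 request."""
    if not is_pkcs10(der):
        raise ValueError("not a PKCS#10 CertificationRequest")
    return der_children(der_children(der_read(der)[1])[0][1])[2][1]

def cert_public_key(der):
    """SubjectPublicKeyInfo contents of an X.509 certificate."""
    tag, body, _ = der_read(der)
    kids = der_children(body)
    if tag != SEQ or [k[0] for k in kids] != [SEQ, SEQ, BITS]:
        raise ValueError("not an X.509 Certificate")
    tbs = der_children(kids[0][1])
    if tbs and tbs[0][0] == CTX0:  # explicit [0] version, present in v2/v3 certificates
        tbs = tbs[1:]
    if len(tbs) < 6:  # serial, sigAlg, issuer, validity, subject, subjectPublicKeyInfo
        raise ValueError("not an X.509 Certificate")
    return tbs[5][1]

def certificate_pairs_with_csr(csr, cert):
    """True only if the CA issued the certificate for the key GENREQ requested."""
    return csr_public_key(load_der(csr)) == cert_public_key(load_der(cert))

# Constructed sample objects: filler bytes stand in for key material and signatures.
RSA_ALG = der_tlv(SEQ, der_tlv(OID, bytes.fromhex("2a864886f70d010101")) + b"\x05\x00")
SHA256_RSA = der_tlv(SEQ, der_tlv(OID, bytes.fromhex("2a864886f70d01010b")) + b"\x05\x00")

def sample_name(cn):
    atv = der_tlv(SEQ, der_tlv(OID, bytes.fromhex("550403")) + der_tlv(PRINT, cn.encode()))
    return der_tlv(SEQ, der_tlv(SET, atv))

def sample_spki(key_bytes):
    return der_tlv(SEQ, RSA_ALG + der_tlv(BITS, b"\x00" + key_bytes))

def sample_csr(key_bytes):
    info = der_tlv(SEQ, der_tlv(INT, b"\x00") + sample_name("selfsigned cert")
                   + sample_spki(key_bytes) + der_tlv(CTX0, b""))
    return der_tlv(SEQ, info + SHA256_RSA + der_tlv(BITS, b"\x00" + b"\x11" * 32))

def sample_cert(key_bytes):
    validity = der_tlv(SEQ, der_tlv(UTC, b"240101000000Z") + der_tlv(UTC, b"250101000000Z"))
    tbs = der_tlv(SEQ, der_tlv(CTX0, der_tlv(INT, b"\x02")) + der_tlv(INT, b"\x01") + SHA256_RSA
                  + sample_name("Example CA") + validity + sample_name("selfsigned cert")
                  + sample_spki(key_bytes))
    return der_tlv(SEQ, tbs + SHA256_RSA + der_tlv(BITS, b"\x00" + b"\x22" * 32))

def sample_private_key(key_bytes):
    """PKCS#8 PrivateKeyInfo layout: the file that must never be sent to the CA."""
    return der_tlv(SEQ, der_tlv(INT, b"\x00") + RSA_ALG + der_tlv(OCT, key_bytes))

KEY_A, KEY_B = b"\xaa" * 256, b"\xbb" * 256
CSR_A, CERT_A = sample_csr(KEY_A), sample_cert(KEY_A)
```

In use, replace CSR_A and CERT_A with the contents of the GENREQ output dataset and the dataset the CA returned (either raw DER or base64/PEM text): `certificate_pairs_with_csr(open("unsigned.cert").read(), open("signed.cert").read())` returns True when the public keys match and raises ValueError if either file is not the kind of object it should be. A False result before step 5 means the CA returned a certificate for some other key, and adding it would not pair with the private key in certU.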