Can a copy of the signed certificated from the 3rd party CA after it was signed be used to propagate the certificate to other systems?
Article ID: 196867
Updated On:
Products
Top Secret
Top Secret - LDAP
WEB ADMINISTRATOR FOR TOP SECRET
Issue/Introduction
TSS GENREQed a certificate and sent it to be signed by a 3rd party certificate authority.
Added the signed certificate back to the security file.
Need to add the certificate to another system.
Can the certificate received from the 3rd party be used instead of needing to do a TSS EXPORT of the certificate?
Environment
Release : 16.0
Component : CA Top Secret for z/OS
Resolution
When a TSS GENREQ is done the public key is exported to the dataset to be signed by the 3rd party certificate authority.
The private key never leaves the Top Secret Security File, only the public key is sent. So, the certificate you get back from the 3rd party certificate authority after it is signed will only have the public key.
When you get back the certificate after it was signed and add it back to the security file, the public key and private key are re-united. Now you have a complete certificate with the public and private key.
To propagate the complete certificate a TSS EXPORT(acid) DIGICERT(digicertname) DCDSN(datasetname) PKCSPASS(password) should be done to export the complete certificate to a dataset so you can send it to the other system.
Since the certificate you get back from the 3rd party certificate authority only contains a public key, you dont have the complete certificate. Adding this incomplete version of the certificate to another system will not work, because its incomplete and only half of the certificate.
This is why a TSS EXPORT of the certificate must be done to copy the complete certificate to other systems.
The private key never leaves the Top Secret Security File, only the public key is sent. So, the certificate you get back from the 3rd party certificate authority after it is signed will only have the public key.
When you get back the certificate after it was signed and add it back to the security file, the public key and private key are re-united. Now you have a complete certificate with the public and private key.
To propagate the complete certificate a TSS EXPORT(acid) DIGICERT(digicertname) DCDSN(datasetname) PKCSPASS(password) should be done to export the complete certificate to a dataset so you can send it to the other system.
Since the certificate you get back from the 3rd party certificate authority only contains a public key, you dont have the complete certificate. Adding this incomplete version of the certificate to another system will not work, because its incomplete and only half of the certificate.
This is why a TSS EXPORT of the certificate must be done to copy the complete certificate to other systems.
Feedback
Yes
No
Powered by
