ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

Can a copy of the signed certificated from the 3rd party CA after it was signed be used to propagate the certificate to other systems?


Article ID: 196867


Updated On:




TSS GENREQed a certificate and sent it to be signed by a 3rd party certificate authority.

Added the signed certificate back to the security file.

Need to add the certificate to another system.

Can the certificate received from the 3rd party be used instead of needing to do a TSS EXPORT of the certificate?


Release : 16.0

Component : CA Top Secret for z/OS


When a TSS GENREQ is done the public key is exported to the dataset to be signed by the 3rd party certificate authority.

The private key never leaves the Top Secret Security File, only the public key is sent. So, the certificate you get back from the 3rd party certificate authority after it is signed will only have the public key.

When you get back the certificate after it was signed and add it back to the security file, the public key and private key are re-united. Now you have a complete certificate with the public and private key.

To propagate the complete certificate a TSS EXPORT(acid) DIGICERT(digicertname) DCDSN(datasetname) PKCSPASS(password) should be done to export the complete certificate to a dataset so you can send it to the other system.

Since the certificate you get back from the 3rd party certificate authority only contains a public key, you dont have the complete certificate. Adding this incomplete version of the certificate to another system will not work, because its incomplete and only half of the certificate.

This is why a TSS EXPORT of the certificate must be done to copy the complete certificate to other systems.