Is there a method to test a certificate in ACF2? 

Article ID: 227084


Products

ACF2 - z/OS

Issue/Introduction

ACF2 can be used for testing or verifying some aspects of Keyring and certificates.
As far as testing a certificate, 'testing' can include the following:

  1. Verifying the signing chain of a personal certificate
  2. Verifying that the correct Keyring and certificates are being returned to the client or server task
  3. Verifying that the certificates can be used in an SSL connection

Environment

Release : 16.0

Component : CA ACF2 for z/OS

Resolution

ACF2 acts only as a repository for Keyrings and certificates. When a server or client task issues an R_datalib call requesting the Keyring and certificates, ACF2 responds to the call and returns the Keyring and certificates.

The ACF2 CHKCERT command with the CHAIN keyword can be used to test/verify item 1 above. The site would need to review the output to confirm that each certificate in the chain has TRUST status and that its validity dates are current.

The ACF2 OMVS SECTRACE can be used to test/verify item 2 above by tracing the Keyring and certificates that are returned to the client or server task when the task starts and issues R_datalib calls to request them. The site would need to review the trace entries to verify that the proper Keyring and certificates are being returned and that the personal certificate contains a private key.

ACF2 cannot be used to test/verify item 3 above. Once ACF2 has returned the Keyring and certificates, its involvement in the SSL connection process is complete; it is the client or server application that performs any test or verification of whether the certificates can be authenticated by the peer.
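The review described for items 1 and 2 above, modelled as an added example that is not part of this article and not ACF2's own output format: each certificate in the chain is represented by a constructed record carrying the TRUST status, validity dates and (for the personal certificate) whether a private key is present, and the check walks the chain from the personal certificate to the root and reports every condition a site would flag.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class CertRecord:
    # Constructed model of one certificate as a reviewer sees it in the
    # CHKCERT CHAIN / SECTRACE output (field names are assumptions).
    label: str
    subject: str
    issuer: str
    not_before: date
    not_after: date
    trusted: bool          # ACF2 TRUST status
    has_private_key: bool  # only meaningful for the personal certificate

def verify_chain(chain, today):
    """Walk chain[0] (personal cert) up to the root and return a list of
    problems; an empty list means the chain passes the review."""
    problems = []
    if not chain:
        return ["empty chain"]
    if not chain[0].has_private_key:
        problems.append(f"{chain[0].label}: personal certificate has no private key")
    for i, cert in enumerate(chain):
        if not cert.trusted:
            problems.append(f"{cert.label}: not TRUSTed")
        if not (cert.not_before <= today <= cert.not_after):
            problems.append(f"{cert.label}: outside validity {cert.not_before}..{cert.not_after}")
        if i + 1 < len(chain):
            # The issuer of each certificate must be the subject of the next one up.
            if cert.issuer != chain[i + 1].subject:
                problems.append(f"{cert.label}: issuer does not match {chain[i + 1].label}")
        elif cert.issuer != cert.subject:
            problems.append(f"{cert.label}: chain does not end at a self-signed root")
    return problems

# Constructed sample chain: server certificate -> intermediate CA -> self-signed root.
SAMPLE_CHAIN = [
    CertRecord("SERVER.CERT", "CN=appserver", "CN=SiteCA", date(2023, 1, 1), date(2025, 1, 1), True, True),
    CertRecord("SITE.CA", "CN=SiteCA", "CN=SiteRoot", date(2020, 1, 1), date(2030, 1, 1), True, False),
    CertRecord("SITE.ROOT", "CN=SiteRoot", "CN=SiteRoot", date(2015, 1, 1), date(2035, 1, 1), True, False),
]

if __name__ == "__main__":
    print(verify_chain(SAMPLE_CHAIN, date(2024, 6, 1)))   # []
    print(verify_chain(SAMPLE_CHAIN, date(2025, 6, 1)))   # server certificate expired
```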