Generate Certificates with Extended Key Usage Extension



Article ID: 248368


Updated On:

Products

Top Secret

Issue/Introduction

Alert Central requires the keypair certificate to have Extended Key Usage Extension with Client Authentication flag.

Is there a way to add such extension to a private key certificate via Top Secret?

Environment

Release : 16.0

Component :

Resolution

Top Secret cannot generate a certificate with Extended Key Usage Extension.

  • You must use an external certificate utility that supports generating certificates with the Extended Key Usage extension and the Client Authentication flag.
  • Then add the certificate to the Top Secret Security file.

1. Generate a key pair certificate using a third-party certificate utility such as openssl and have it signed by your third-party Certificate Authority.

2. Download the signed certificate files from your third-party Certificate Authority as a PKCS12 DER-encoded or PKCS12 Base64-encoded digital certificate package. Examples of such Certificate Authorities:

  • DigiCert.com
  • GoDaddy
  • Symantec, etc.

3. Transfer/FTP the certificate package to a variable-blocked DSORG=PS mainframe dataset.

  • PKCS12 DER-encoded certificate packages should be transferred in BINARY mode.
  • PKCS12 Base64-encoded certificate packages should be transferred in ASCII mode.

4. Add the client certificate and its third-party signing certificates to the Top Secret Security File.

  • TSS ADD(CERTSITE) DIGICERT(ABCCERTS) LABLCERT(ABCCERTS) DCDSN('ABCCERTS.CERT') TRUST PKCSPASS(password)
  • The third-party signing certificates are added to the security file automatically with a DIGICERT name of AUTOnnnn, if they are not already present on the Top Secret Security File.

5. Find the auto-assigned third-party root DIGICERT names.

    TSS LIST(CERTSITE) DIGICERT(ABCCERTS) CHAIN

    This lists the certificate chain so you can determine the auto-assigned DIGICERT AUTOnnnn name(s).

6. Create the keyring.

TSS ADD(ABCSRVR) KEYRING(ABCRING)

7. Add the certificate and the third-party signers to the keyring.

TSS ADD(ABCSRVR) KEYRING(ABCRING) RINGDATA(CERTSITE,ABCCERTS) USAGE(PERSONAL) DEFAULT
TSS ADD(ABCSRVR) KEYRING(ABCRING) RINGDATA(CERTAUTH,AUTOnnnn) USAGE(CERTAUTH)

Repeat the second command once per AUTOnnnn certificate if there is more than one third-party certificate in the root chain.

8. Authorize the started task ACID to use digital certificates.

TSS PERMIT(ABCSRVR) IBMFAC(IRR.DIGTCERT.LIST) ACCESS(CONTROL)
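The openssl part of this procedure (steps 1 to 3) is shown below as an added example; it is not code from the article or from Broadcom. Because the real third-party CA signs the request out of band, the script stands in a throwaway local CA (constructed for the demo only) so the whole flow can run offline: it builds a key pair and CSR that requests Extended Key Usage = clientAuth, signs it with the extension applied, confirms the signed certificate actually carries "TLS Web Client Authentication", and then packages key, certificate and signer into a PKCS12 file in both the DER form (BINARY transfer) and the Base64 form (ASCII transfer). The subject name, the ABCCERTS friendly name, the PKCS12 password and the file names are assumptions chosen to match the article's sample commands. The TSS steps that follow are unchanged from the article.

```shell
#!/bin/sh
# Added example (not from the article): build a client-auth certificate with
# openssl and package it as PKCS12 for transfer to the mainframe.
# Assumes openssl 1.1.1 or later (for -addext).
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"   # scratch directory for all generated files
P12_PASS="${P12_PASS:-password}"      # matches PKCSPASS(password) in the TSS ADD command

# Throwaway stand-in for the third-party CA (DigiCert, GoDaddy, ...).
# In production you would never do this step; the CA signs your CSR for you.
make_demo_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Demo stand-in CA (not a real CA)" \
    -keyout "$WORKDIR/demo-ca.key" -out "$WORKDIR/demo-ca.crt"
}

# Step 1: key pair plus CSR. The CSR asks for EKU clientAuth so the CA sees
# the requested extension; whether it is honoured is the CA's decision.
make_client_csr() {
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=alertcentral.example.invalid" \
    -addext "extendedKeyUsage = clientAuth" \
    -keyout "$WORKDIR/client.key" -out "$WORKDIR/client.csr"
}

# CA-side signing with the EKU extension explicitly applied. The extfile is
# what guarantees the extension lands in the issued certificate.
sign_client_cert() {
  cat > "$WORKDIR/client-ext.cnf" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
EOF
  openssl x509 -req -days 30 -in "$WORKDIR/client.csr" \
    -CA "$WORKDIR/demo-ca.crt" -CAkey "$WORKDIR/demo-ca.key" -CAcreateserial \
    -extfile "$WORKDIR/client-ext.cnf" -out "$WORKDIR/client.crt"
}

# The check Alert Central cares about: does the certificate carry EKU clientAuth?
# Returns 0 if yes, non-zero otherwise.
has_client_auth_eku() {
  openssl x509 -in "$1" -noout -text | grep -q "TLS Web Client Authentication"
}

# Step 2/3: package key + certificate + signer chain as PKCS12.
# client.p12     = DER-encoded package  -> transfer in BINARY
# client.p12.b64 = Base64-encoded package -> transfer in ASCII
export_pkcs12() {
  openssl pkcs12 -export -name ABCCERTS \
    -inkey "$WORKDIR/client.key" -in "$WORKDIR/client.crt" \
    -certfile "$WORKDIR/demo-ca.crt" \
    -passout "pass:$P12_PASS" -out "$WORKDIR/client.p12"
  openssl base64 -in "$WORKDIR/client.p12" -out "$WORKDIR/client.p12.b64"
}

# Re-read the package with the password to confirm the bundled certificate
# still carries the extension (catches a wrong -in file or wrong password).
pkcs12_has_client_auth_eku() {
  openssl pkcs12 -in "$WORKDIR/client.p12" -passin "pass:$P12_PASS" \
    -nokeys -clcerts | openssl x509 -noout -text \
    | grep -q "TLS Web Client Authentication"
}

run_demo() {
  make_demo_ca
  make_client_csr
  sign_client_cert
  has_client_auth_eku "$WORKDIR/client.crt"
  export_pkcs12
  pkcs12_has_client_auth_eku
  echo "OK: $WORKDIR/client.p12 (DER) and $WORKDIR/client.p12.b64 (Base64) carry EKU clientAuth"
}

run_demo
```

Keep `has_client_auth_eku` in your own workflow: run it against the certificate the real CA returns before you build the PKCS12 file, since a CA that strips the requested extension is the usual cause of Alert Central rejecting the keypair. If the consumer of the package cannot read the AES-based PKCS12 that OpenSSL 3 writes by default, OpenSSL 3's `-legacy` option on `openssl pkcs12 -export` produces the older encoding.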