Best way to export a personal certificate in ACF2 with its private key and signing chain

Article ID: 33628

Products

  • ACF2
  • ACF2 - z/OS
  • ACF2 - MISC

Issue/Introduction

What is the best way to export our personal certificate, together with its private key and signing chain, so that the certificates can be deployed to the other side of an SSL/TLS connection?

Resolution

When deploying certificates for use in an SSL/TLS connection, the ACF2 EXPORT subcommand can be used to export an X.509 digital certificate from the ACF2 database and write it to a z/OS data set. If the private key and signing chain are also required, the private key can be exported by specifying the PKCS12DER or PKCS12B64 format option. Either option generates a PKCS #12 package containing the user certificate, its private key, and all certificate-authority certificates needed to complete the chain from the user certificate up to the root certificate-authority certificate. By default the EXPORT subcommand does not include the private key; it is included only when the PKCS12DER or PKCS12B64 format option is specified together with the PASSWORD option.

Sample command:

EXPORT USER001.cert DSNAME('sample.dsn.name') FORMAT(PKCS12B64) PASSWORD(password)

Additional Information

  • The PASSWORD option is required with the PKCS12DER or PKCS12B64 format options; if only the PASSWORD option is specified, the format defaults to PKCS12B64.
  • For the TSO ACF EXPORT command, if PASSWORD is not specified the private key of the digital certificate is not exported.
  • With client-certificate authentication, the private key never leaves the client and is not deployed to the server. When setting up certificates for an application's TLS connection with server authentication, the server side's personal server certificate does not need to be deployed to the client side; only the CERTAUTH signing certificate, or the signing certificate chain, needs to be deployed to the client side.

Additional information about the EXPORT subcommand can be found in the ACF2 documentation, section "EXPORT Subcommand".
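As an added example (not code from this article or from ACF2), the following POSIX shell script uses openssl to check what a PKCS12B64 export actually holds and to split out only the CA chain for the client side, which is all the client needs for server authentication. No ACF2 system is available here, so the script constructs a stand-in bundle of the same shape; the function names, the password value and the temporary file paths are assumptions.

```shell
#!/bin/sh
# Added example, not code from the ACF2 article. Assumes openssl is on PATH.
# No ACF2 system is available here, so a stand-in for a FORMAT(PKCS12B64)
# export (user cert + private key + signing CA, base64 text) is constructed
# with openssl; a real export data set downloaded as text works the same way.
set -e
WORK=$(mktemp -d)
PASS=password   # the value given with PASSWORD(password) on the EXPORT command

make_sample_export() {   # constructed stand-in; prints the path of the base64 file
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Sample CA" -days 1 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=USER001" \
    -keyout "$WORK/user.key" -out "$WORK/user.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/user.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -out "$WORK/user.pem" >/dev/null 2>&1
  openssl pkcs12 -export -inkey "$WORK/user.key" -in "$WORK/user.pem" \
    -certfile "$WORK/ca.pem" -passout "pass:$PASS" | openssl base64 > "$WORK/export.b64"
  echo "$WORK/export.b64"
}

# Decode the base64 text back to DER PKCS #12 and count what it holds.
# Prints "key=K certs=N": key=0 means PASSWORD was omitted on EXPORT, and
# certs should cover the user certificate plus every CA up to the root.
describe_export() {   # $1 = base64 export file, $2 = PKCS #12 password
  openssl base64 -d -in "$1" -out "$WORK/export.p12"
  keys=$(openssl pkcs12 -in "$WORK/export.p12" -passin "pass:$2" -nocerts -nodes \
           2>/dev/null | grep -c 'BEGIN PRIVATE KEY' || true)
  certs=$(openssl pkcs12 -in "$WORK/export.p12" -passin "pass:$2" -nokeys \
           2>/dev/null | grep -c 'BEGIN CERTIFICATE' || true)
  echo "key=$keys certs=$certs"
}

# Write only the CA certificates to a PEM file. For server authentication that
# is all the client side needs; the private key and user certificate stay behind.
extract_client_chain() {   # $1 = base64 export file, $2 = password, $3 = output PEM
  openssl base64 -d -in "$1" \
    | openssl pkcs12 -passin "pass:$2" -nokeys -cacerts 2>/dev/null \
    | sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p' > "$3"
}

if [ "${1:-}" = "--demo" ]; then   # stand-alone run: sh check_export.sh --demo
  f=$(make_sample_export)
  describe_export "$f" "$PASS"                       # key=1 certs=2
  extract_client_chain "$f" "$PASS" "$WORK/client-chain.pem"
  openssl x509 -in "$WORK/client-chain.pem" -noout -subject   # CN=Sample CA
fi
```

For a real export, transfer the data set as text, pass it as the first argument to describe_export, and expect key=0 if the EXPORT was run without PASSWORD.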