How can I determine a certificate's CA signing chain of certificates?
The TSS CHKCERT command function can be used to display information for each certificate in the chain of the input data set.
The administrator must have MISC4(CERTCHEK) or UPDATE access to TSSCMD.CERTUSER.CHKCERT in the CASECAUT resource class.
This command function has the following format:
TSS CHKCERT DCDSN(input_dataset_name)
DCDSN specifies the data set in which the digital certificate exists.
(Required if the data set contains a PKCS #12-formatted certificate that is password-protected) Specifies a case-sensitive PKCS password that can also contain blanks. The passwords associated with PKCS #12 certificates are not viewable. It is the CA Top Secret administrator's responsibility to keep track of the PKCS #12 password assigned to the digital certificate.
Range: Up to 255 characters
(Optional) CHAIN displays information for each certificate in the chain of the input data set and displays the following summary information as applicable:
- Number of certificates in the chain
- Whether the chain is complete or incomplete
- Whether the chain contains expired or non-trusted certificates
- Whether any certificate in the data set is not present in the CA Top Secret database
This example uses the DCDSN keyword to specify a certificate package and the CHAIN keyword to display information for each certificate in the chain of the input data set:
TSS CHKCERT DCDSN(reipa02.user2.cert2) CHAIN