Question:
How can I determine what certificate signed a specific certificate stored in the ACF2 database?
Answer:
The SAFRPTCR utility can be used to determine the actual signer of a certificate.
The following sample SAFRPTCR JCL shows how to display the signing certificate of
the PERSONAL.CERT certificate.
//SAFRPTCR EXEC PGM=SAFCRRPT,REGION=0M,
// PARM='TITLE(CERTIFICATE UTILITY REPORT)'
//SYSPRINT DD SYSOUT=*
//SYSIN DD *
RECORDID(PERSONAL.CERT) DETAIL EXT
//*
Sample SAFRPTCR output (the signing certificate's record ID appears in the "Signed by:" field on the "Record id" line):
CA Mainframe Security - CERTIFICATE UTILITY REPORT - PAGE 1
DATE 04/29/16 (16.120) TIME 12.56
Report Parameters:
TITLE(CERTIFICATE UTILITY REPORT) RECORDID(PERSONAL.CERT) DETAIL EXT
Record id - PERSONAL.CERT Signed by: CERTAUTH.INTER3
Label PersonalCert
Serial # - 00
Issuer DN - CN=IntermediateCert.OU=MyCo.C=US
Subject DN - CN=PersonalCert.OU=MyCo.C=US
Active Date 2016/04/29
Expire Date 2017/04/29
Pvt Key Size 1024 RSA
Algorithm sha-1WithRSAEncryption
Trusted Yes
Cert Length 026C
Extensions Netscape Comment
Generated by CA SAF Certificate Management Facility
X509v3 Authority Key Identifier
C60F5F4B3576226EC47DC6864E74D87C731218B7
X509v3 Subject Key Identifier
B49EE20C58037DDBD32D4273E0236F77EE0DA8BD
Public Key 0000 30819F30 0D06092A 864886F7 0D010101
0010 05000381 8D003081 89028181 00A96462
0020 4A1BBE09 6637BA06 59F7AA92 34DCBB72
0030 F63F4519 F8F062C8 245F92A3 D162A548
0040 1593258E F0EB7D17 701DF95A 996A26D5
0050 02422DD2 6C11DF04 2D134136 A7B3E9BC
0060 D5FA2D16 8A9DB84D 3483F612 4E7A5AC2
0070 C1C5B919 69F20DBC DA425783 36BC85E6
0080 B5E4DBAE 6A87BF75 09066AD8 E3F38E7A
0090 A58B59C4 1EBAAC38 2693866A 0B020301
00A0 0001
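The "Signed by:" field can be followed from record to record to rebuild the whole signing chain. The Python below is an added example, not part of the original answer or of the CA utilities. It goes beyond the single record shown by assuming a report that lists several records in the same line layout and a self-signed root that names itself as signer. The CERTAUTH.ROOT1 record, the CERTAUTH DNs and the function names are constructed for illustration.

```python
import re

# Constructed sample: the first record copies the fields shown in the report
# above; the CERTAUTH records and the self-signed root are assumptions.
SAMPLE_REPORT = """\
Record id - PERSONAL.CERT Signed by: CERTAUTH.INTER3
Issuer DN - CN=IntermediateCert.OU=MyCo.C=US
Subject DN - CN=PersonalCert.OU=MyCo.C=US
Record id - CERTAUTH.INTER3 Signed by: CERTAUTH.ROOT1
Issuer DN - CN=RootCert.OU=MyCo.C=US
Subject DN - CN=IntermediateCert.OU=MyCo.C=US
Record id - CERTAUTH.ROOT1 Signed by: CERTAUTH.ROOT1
Issuer DN - CN=RootCert.OU=MyCo.C=US
Subject DN - CN=RootCert.OU=MyCo.C=US
"""

RECORD_RE = re.compile(r"^\s*Record id\s*-\s*(\S+)(?:\s+Signed by:\s*(\S+))?")
FIELD_RE = re.compile(r"^\s*(Issuer DN|Subject DN)\s*-\s*(.+?)\s*$")

def parse_report(text):
    """Return {record_id: {"signer", "Issuer DN", "Subject DN"}}."""
    records, current = {}, None
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if m:
            current = records.setdefault(m.group(1), {"signer": m.group(2)})
            continue
        f = FIELD_RE.match(line)
        if f and current is not None:
            current[f.group(1)] = f.group(2)
    return records

def signing_chain(records, record_id):
    """Follow 'Signed by' links; return (chain, problems)."""
    chain, problems = [record_id], []
    while True:
        rec = records.get(chain[-1])
        if rec is None:  # signer was named but its record was not reported
            problems.append(f"{chain[-1]}: not in report")
            break
        signer = rec.get("signer")
        if signer is None or signer == chain[-1]:  # top of chain reached
            break
        if signer in chain:
            problems.append(f"{chain[-1]}: loop via {signer}")
            break
        parent = records.get(signer)
        # The child's Issuer DN should equal the signer's Subject DN.
        if parent and parent.get("Subject DN") != rec.get("Issuer DN"):
            problems.append(f"{chain[-1]}: issuer DN does not match {signer}")
        chain.append(signer)
    return chain, problems
```

Run the report for every record in the chain and pass the combined SYSPRINT text to `parse_report`. A non-empty problems list points at a signer missing from the report or an Issuer DN that does not match the named signer's Subject DN.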