CTS URIMAP Definition And CERTIFICATE


Article ID: 49332


Products

Top Secret

Issue/Introduction

When defining a URIMAP in CICS Transaction Server (CTS) with a certificate, the following CICS error occurs:

DFHAM4928 E MYCICS 425 Install of URIMAP MY-URIMAP failed because the specified certificate does not have a private key.

Resolution

The URIMAP definition looks like this:

  DEFINE URIMAP(MY-URIMAP) GROUP(WEBGRP1)
   STATUS(ENABLED) USAGE(CLIENT) SCHEME(HTTPS) PORT(NO)
   HOST(my.website.com) PATH(/service/SOAP/SILOSGW/MYCONSUMER)
   SOCKETCLOSE(0) ANALYZER(NO)
   CIPHERS(050435363738392F303132330A1613100D0915120F0C03060201)
   CERTIFICATE(MYCERT001) AUTHENTICATE(NO) REDIRECTTYPE(NONE)
   DEFINETIME(12/05/23 16:08:07) CHANGETIME(12/05/23 16:08:07)
   CHANGEUSRID(CUSER001) CHANGEAGENT(CSDBATCH) CHANGEAGREL(0670)

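Because this URIMAP is defined with USAGE(CLIENT) and SCHEME(HTTPS), CICS presents MYCERT001 as its client certificate, so the certificate MYCERT001 must have a PRIVATE key.

For more information, see Transport Layer Security: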

The client sends a CertificateVerify message, which is a signature over the previous handshake messages, using the client certificate's private key. This signature can be verified by using the client certificate's public key. This lets the server know that the client has access to the private key of the certificate and thus owns the certificate.

So the client certificate's private key is required for a successful SSL handshake.
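
The CertificateVerify step described above, modelled as an added example (not from the original article, and not CICS or Top Secret code). It uses textbook RSA without padding and constructed toy keys only to show why a certificate held without its private key cannot complete the handshake; the `Identity` class, the function names and the `OTHERKEY` label are hypothetical.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

E = 65537  # RSA public exponent

def toy_keypair(p: int, q: int):
    """Textbook RSA from two primes: returns (modulus n, private exponent d)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return n, d

@dataclass
class Identity:
    """What the client holds under a certificate label (hypothetical model)."""
    label: str
    n: int                    # public key, carried in the certificate
    d: Optional[int] = None   # private key; None means certificate only

def transcript_hash(messages):
    """Hash over the handshake messages exchanged so far."""
    h = hashlib.sha256()
    for m in messages:
        h.update(m)
    return int.from_bytes(h.digest(), "big")

def certificate_verify(identity, messages):
    """Client side: sign the transcript with the certificate's private key."""
    if identity.d is None:
        raise ValueError(f"certificate {identity.label} does not have a private key")
    return pow(transcript_hash(messages), identity.d, identity.n)

def server_check(cert_n, messages, signature):
    """Server side: verify the signature with the certificate's public key."""
    return pow(signature, E, cert_n) == transcript_hash(messages)

# Constructed sample data: Mersenne primes as toy key material, fake handshake bytes.
n1, d1 = toy_keypair(2**521 - 1, 2**127 - 1)
n2, d2 = toy_keypair(2**607 - 1, 2**107 - 1)
handshake = [b"ClientHello", b"ServerHello", b"Certificate(MYCERT001)"]

with_key = Identity("MYCERT001", n1, d1)   # certificate plus private key
cert_only = Identity("MYCERT001", n1)      # the failing case in this article
other_key = Identity("OTHERKEY", n2, d2)   # unrelated key, cannot prove ownership

if __name__ == "__main__":
    sig = certificate_verify(with_key, handshake)
    print("owner verified:", server_check(n1, handshake, sig))
```
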