How can I tell that a certificate EXPORTed from the ACF2 database to a z/OS dataset only contains the PUBLIC key and NOT the PRIVATE key before sending to a client?
Article ID: 52926

Products

ACF2, ACF2 - DB2 Option, ACF2 for zVM, ACF2 - z/OS, ACF2 - MISC, PanApt, PanAudit

Issue/Introduction

How can I tell that a certificate EXPORTed from the ACF2 database to a z/OS dataset only contains the PUBLIC key and NOT the PRIVATE key before sending to a client?

Environment

Release:
Component: ACF2MS

Resolution

Only certificates that are EXPORTed in the PKCS12DER or PKCS12B64 formats include the certificate's Private Key. Certificates exported in the CERTDER, CERTB64, PKCS7DER and PKCS7B64 formats include only the Public Key. The Public Key is included for every FORMAT option of the EXPORT command.

The EXPORT subcommand exports a digital certificate stored in the ACF2 INFOSTG database and writes it to a z/OS data set. That data set can be used to insert the certificate on another system, or can be downloaded to a personal computer and installed in a web browser. The Private Key of a certificate can only be exported with the PKCS12DER or PKCS12B64 format options, both of which require a PASSWORD. The Public Key is included with all EXPORT formats.

Additional Information

A CHKCERT of a certificate in a z/OS data set displays information about that certificate, including information taken from the CERTDATA Profile record in the ACF2 database. Private Key information may therefore be displayed from the CERTDATA Profile record even though the CHKCERT command was issued against a z/OS data set, so the CHKCERT output alone does not prove that the data set holds the Private Key. The reliable way to determine whether an EXPORTed certificate includes the Private Key is the syntax of the EXPORT command that generated the data set, specifically its FORMAT option.

If a CHKCERT of a certificate in a z/OS data set requires a password, that is an indication that the certificate contains a Private Key. If the password is not specified correctly, message "ACF68033 The password is incorrect for the CERTIFICATE" is received.

If an EXPORT of a certificate is done using the PKCS12DER or PKCS12B64 format options to include the Private Key and a password is not included, the EXPORT fails with the message "ACF68061 PKCS #12 Certificate was requested - PASSWORD required".
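When the EXPORT syntax that produced a data set is no longer available, the downloaded file itself can be checked before it is sent to a client: the three export families have different outer ASN.1 structures (a Certificate starts with a SEQUENCE, a PKCS#7 ContentInfo with the signedData OID, a PKCS#12 PFX with INTEGER version 3). The following script is an added example, not part of the ACF2 product or this article; it assumes DER files were transferred in binary and B64 files as ASCII text, and the sample blobs are constructed structural skeletons, not real certificates.

```python
import base64
import re

# OID 1.2.840.113549.1.7.2 (PKCS#7 signedData), DER-encoded value octets
PKCS7_SIGNED_DATA_OID = bytes.fromhex("2a864886f70d010702")

def _read_tlv(buf, pos):
    """Parse one DER TLV at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long form: low 7 bits = count of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def to_der(data):
    """Accept raw DER or the B64 export variants (with or without PEM armour lines)."""
    if data[:1] == b"\x30":                    # base64 of a SEQUENCE starts with 'M', so 0x30 means raw DER
        return data
    body = b"".join(l for l in data.splitlines() if not l.startswith(b"-----"))
    return base64.b64decode(re.sub(rb"\s", b"", body))

def classify_export(data):
    """Return (format_name, may_contain_private_key) for an exported certificate file."""
    tag, outer, _ = _read_tlv(to_der(data), 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    inner_tag, inner_val, _ = _read_tlv(outer, 0)
    if inner_tag == 0x30:                      # Certificate ::= SEQUENCE { tbsCertificate SEQUENCE, ... }
        return "X.509 certificate (CERTDER/CERTB64)", False
    if inner_tag == 0x06 and inner_val == PKCS7_SIGNED_DATA_OID:  # ContentInfo ::= SEQUENCE { contentType OID, ... }
        return "PKCS#7 SignedData (PKCS7DER/PKCS7B64)", False
    if inner_tag == 0x02 and inner_val == b"\x03":  # PFX ::= SEQUENCE { version INTEGER (v3), ... }
        return "PKCS#12 PFX (PKCS12DER/PKCS12B64)", True
    return "unrecognised", True                # unknown structure: treat as possibly holding a key

def _tlv(tag, value):
    """Short-form DER TLV (value shorter than 128 octets) used to build the constructed samples."""
    return bytes([tag, len(value)]) + value

# Constructed structural skeletons, not real certificates: only the outer layout matters here.
SAMPLE_CERT = _tlv(0x30, _tlv(0x30, _tlv(0x02, b"\x01")) + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))
SAMPLE_PKCS7 = _tlv(0x30, _tlv(0x06, PKCS7_SIGNED_DATA_OID) + _tlv(0xA0, _tlv(0x30, b"")))
SAMPLE_PKCS12 = _tlv(0x30, _tlv(0x02, b"\x03") + _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d010701"))))
SAMPLE_PKCS12_B64 = b"-----BEGIN PKCS12-----\n" + base64.encodebytes(SAMPLE_PKCS12) + b"-----END PKCS12-----\n"

if __name__ == "__main__":
    for name, blob in [("CERTDER", SAMPLE_CERT), ("PKCS7DER", SAMPLE_PKCS7),
                       ("PKCS12DER", SAMPLE_PKCS12), ("PKCS12B64", SAMPLE_PKCS12_B64)]:
        fmt, private = classify_export(blob)
        print(f"{name:10} -> {fmt}; private key possible: {private}")
```

A PKCS#12 result means the file may hold the Private Key and should not be sent to a client; the check reads the file structure only and never attempts to decrypt the PFX contents.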

Details on the EXPORT and CHKCERT commands can be found in the ACF2 Security for z/OS Administrator Guide, in Chapter 25: Digital Certificate Support, section "Processing Digital Certificates with ACF Subcommands".