Creating SSL Certificates Using a Certificate Authority

You can use a certificate authority to create SSL certificates.

In the following steps, a user ID of mftps is used. If the user ID associated with the platform server started task is different, change the sample commands accordingly.

For more information on the exact format of the RACF commands and keywords, see z/OS Security Server (RACF) Command Language Reference.

Procedure

  1. Create a key ring.
    A key ring is the equivalent of a key database. The key ring name must be specified on the GLOBAL SSL_KEY_DBNAME parameter. Therefore, you cannot embed any spaces in the key ring name.
    The following RACF command creates a key ring:

    RACDCERT ID(mftps) ADDRING(FusionRing)

    This command adds a key ring called FusionRing. This name is case sensitive. When you supply this name to the platform server SSL_KEY_DBNAME parameter, you must use exactly the same name as is used on the ADDRING parameter.

  2. Add the certificate authority certificate.
    This certificate is usually available from the CA's web site, or your security administrator can send it to you. It contains the CA public key and is used to verify certificates that were signed with the CA's private key. The certificate is typically the same for all users of that CA.
    The following is an example of a certificate authority certificate.
    -----BEGIN CERTIFICATE-----
    MIICmTCCAgKgAwIBAgIBADANBgkqhkiG9w0BAQQFADCBhzELMAkGA1UEBhMCWkEx
    IjAgBgNVBAgTGUZPUiBURVNUSU5HIFBVUlBPU0VTIE9OTFkxHTAbBgNVBAoTFFRo
    YXd0ZSBDZXJ0aWZpY2F0aW9uMRcwFQYDVQQLEw5URVNUIFRFU1QgVEVTVDEcMBoG
    A1UEAxMTVGhhd3RlIFRlc3QgQ0EgUm9vdDAeFw05NjA4MDEwMDAwMDBaFw0yMDEy
    MzEyMTU5NTlaMIGHMQswCQYDVQQGEwJaQTEiMCAGA1UECBMZRk9SIFRFU1RJTkcg
    UFVSUE9TRVMgT05MWTEdMBsGA1UEChMUVGhhd3RlIENlcnRpZmljYXRpb24xFzAV
    BgNVBAsTDlRFU1QgVEVTVCBURVNUMRwwGgYDVQQDExNUaGF3dGUgVGVzdCBDQSBS
    b290MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC1fZBvjrOsfwzoZvrSlEH8
    1TFhoRPebBZhLZDDE19mYuJ+ougb86EXieZ487dSxXKruBFJPSYttHoCin5qkc5k
    BSz+/tZ4knXyRFBO3CmONEKCPfdu9D06y4yXmjHApfgGJfpA/kS+QbbiilNz7q2H
    LArK3umk74zHKqUyThnkjwIDAQABoxMwETAPBgNVHRMBAf8EBTADAQH/MA0GCSqG
    SIb3DQEBBAUAA4GBAIKM4+wZA/TvLItldL/hGf7exH8/ywvMupg+yAVM4h8uf+d8
    phgBi7coVx71/lCBOlFmx66NyKlZK5mObgvd2dlnsAP+nnStyhVHFIpKy3nsDO4J
    qrIgEhCsdpikSpbtdo18jUubV6z1kQ71CrRQtbi/WtdqxQEEtgZCJO2lPoIW
    -----END CERTIFICATE-----
    Note: You must save the certificate in a data set with a RECFM of V or VB. If you specify any other RECFM, the certificate is invalid.
    The following RACF command adds the certificate authority certificate to the system. The command is shown on multiple lines for clarity.
    RACDCERT CERTAUTH
    ADD(my.certca.dsn)
    WITHLABEL('CertAuth')
    At this point, the CA certificate has been added to the system.
  3. Generate a self-signed certificate for the server.
    Before you can generate a certificate request, you must create a self-signed certificate for the server. This certificate is internal to RACF and contains all the information required to create a certificate request.
    The following RACF command creates a self-signed certificate for the server. The command is shown on multiple lines for clarity.
    RACDCERT ID(mftps)
    GENCERT
    SUBJECTSDN(CN('domain.name')
               OU('organization unit')
               O('Organization')
               SP('State/Province')
               L('City or Locality')
               C('xx'))
    WITHLABEL('fusionCert')
    In the C parameter, xx is the two-character country code.
    This command has no output. Step 4 uses the certificate created in this step when generating a certificate request.
  4. Generate a certificate request.
    To create a certificate, you must present a certificate request to the certificate authority. This step produces a certificate request based on the self-signed certificate that you created in Step 3.
    The following RACF command creates a certificate request for the server. The command is shown on multiple lines for clarity.
    RACDCERT ID(mftps)
    GENREQ(LABEL('fusionCert'))
    DSN(my.cert.req.dsn)
    This command writes the certificate request, Base64 encoded, to the data set named on the DSN parameter. The following is an example of a certificate request.
    -----BEGIN NEW CERTIFICATE REQUEST-----
    MIIB4TCCAUoCAQAwcTELMAkGA1UEBhMCVVMxETAPBgNVBAgTCE5ldyBZb3JrMRQw
    EgYDVQQHEwtHYXJkZW4gQ2l0eTERMA8GA1UEChMIUHJvZ2luZXQxFDASBgNVBAsT
    C0RldmVsb3BtZW50MRAwDgYDVQQDEwdQU1NHUkVHMIGfMA0GCSqGSIb3DQEBAQUA
    A4GNADCBiQKBgQDhiVQR+uODpNC9wPUk8bzBiGumyQfJPEUxVeU9p+nVZVvkFOuG
    V9AOHRqXEkRk8TPG7/iVQfmlT4M6nuBD6kJbtxcVzG5YCuFyhF+xJ7wGkbgenXnW
    7YCxQLLgH8l3Ao0R4f/4GjEJYqHfnL8X0+K0OcAyIzQ2k2o5VP7U9XaVwwIDAQAB
    oDAwLgYJKoZIhvcNAQkOMSEwHzAdBgNVHQ4EFgQUFpgJNAq12G5fT+TJ3sLuY2hq
    MYYwDQYJKoZIhvcNAQEFBQADgYEApQOfypfL9nASF8Qe3x9jaiAeAc7zKc/jyIq+
    lvPABJf8pEFPHO2XjYwPKgEqw9cFlskOpGVm05FRUs+tWGlO9Fa6WLhv/uVnBseQ
    I3Ytf7vbG/zqPV5aAQnSOq4HangZdiBIw3jtw0SNA4KeMtaVdv+sQ5YTYsBvUUxg
    3W1Re3R=
    -----END NEW CERTIFICATE REQUEST-----
    At this point, you must send the certificate file to the certificate authority. The exact procedure depends on your organization and the certificate authority that you use. In some cases, you email the request, and in other cases, you cut and paste the certificate request into a web page.
  5. Add the certificate returned by the certificate authority.
    After the certificate authority processes the request, it returns a certificate to you. You must save that certificate in a data set with a RECFM of V or VB. If you specify any other RECFM, the certificate is invalid.
    The following is an example of such a certificate.
    -----BEGIN CERTIFICATE-----
    MIICljCCAf+gAwIBAgIDbhBfMA0GCSqGSIb3DQEBBAUAMIGHMQswCQYDVQQGEwJa
    QTEiMCAGA1UECBMZRk9SIFRFU1RJTkcgUFVSUE9TRVMgT05MWTEdMBsGA1UEChMU
    VGhhd3RlIENlcnRpZmljYXRpb24xFzAVBgNVBAsTDlRFU1QgVEVTVCBURVNUMRww
    GgYDVQQDExNUaGF3dGUgVGVzdCBDQSBSb290MB4XDTAxMDgyOTE1Mzg1N1oXDTAx
    MDkxOTE1Mzg1N1owcTELMAkGA1UEBhMCVVMxETAPBgNVBAgTCE5ldyBZb3JrMRQw
    EgYDVQQHEwtHYXJkZW4gQ2l0eTERMA8GA1UEChMIUHJvZ2luZXQxFDASBgNVBAsT
    C0RldmVsb3BtZW50MRAwDgYDVQQDEwdQU1NHUkVHMIGfMA0GCSqGSIb3DQEBAQUA
    A4GNADCBiQKBgQDhiVQR+uODpNC9wPUk8bzBiGumyQfJPEUxVeU9p+nVZVvkFOuG
    V9AOHRqXEkRk8TPG7/iVQfmlT4M6nuBD6kJbtxcVzG5YCuFyhF+xJ7wGkbgenXnW
    7YCxQLLgH8l3Ao0R4f/4GjEJYqHfnL8X0+K0OcAyIzQ2k2o5VP7U9XaVwwIDAQAB
    oyUwIzATBgNVHSUEDDAKBggrBgEFBQcDATAMBgNVHRMBAf8EAjAAMA0GCSqGSIb3
    DQEBBAUAA4GBADu1bS4s7f6v6Yfp8DUA7iiTG8X1O/iPQBCOUdg8hT2J/MhM2Uq1
    C1pnnONIS1xFWzTH9fBwd5TzDFbUdqQTbwyBex/BsxQkrfSLsONz6rzDNoraMvdR
    DMcwxaTaT6YqxIs8KBosSlPLIoBNS510KqD6R91/qKSxru58kG63jOel
    -----END CERTIFICATE-----
    The following RACF command adds the returned certificate for the server from the data set in which you saved it. The command is shown on multiple lines for clarity.
    RACDCERT ID(mftps)
    ADD(my.cert.req.dsn)
    WITHLABEL('fusionCert')
    At this point, the certificate has been added to the system under user ID mftps.
  6. Connect the certificate to the key ring.
    To use the certificate, you must connect it to the key ring.
    The following RACF command connects the certificate to the key ring. The command is shown on multiple lines for clarity.
    RACDCERT ID(mftps)
    CONNECT(ID(mftps)
    LABEL('fusionCert')
    RING(FusionRing)
    DEFAULT)
    Note: The DEFAULT parameter makes this certificate the default certificate for a key ring. You can override this parameter by using the GLOBAL SSL_DNLABEL and SSL_CLIENT_DNLABEL parameters.
  7. Connect the CA certificate to the key ring.
    The CA certificate was added in Step 2. You must connect it to the key ring if you want certificates signed by that CA to be authenticated.
    The following RACF command connects the CA certificate to the key ring. The command is shown on multiple lines for clarity.
    RACDCERT ID(mftps)
    CONNECT(CERTAUTH
    LABEL('CertAuth')
    RING(FusionRing))

Result

At this point, you have a certificate that can be used to connect to other systems. You also have a certificate authority certificate that can be used to authenticate certificates received from other systems. The certificate processing has been completed, and you can start to use the platform server SSL on z/OS.