Integrated Security Services Open Cryptographic Enhanced Plug-ins Application Programming


z/OS Security Server (RACF) support

SC14-7568-00

In addition to supporting profiles for digital certificates, the RACF database supports the following classes of certificates (in the OCSF Framework, this is known as "semantic information"). Users who have the proper authority can issue a series of RACDCERT commands to create the certificate and key pairs and populate the RACF database with this information:
  • User (server) certificates with optional private keys stored under the owning user ID
  • Certificate Authorities (no private keys) that are stored at the system level under a unique user ID
  • Site certificates (no private keys) that are stored at the system level under another unique user ID
In addition, RACF supports the concept of "user-defined key rings" (in the OCSF Framework, these are known as "data stores"). A key ring is stored under the owning user ID and may contain any of the preceding types of certificates. Entries in a key ring point to certificate records and contain additional attributes, such as:
  • Default certificate/key
  • Ring usage for the certificate/key

    For example, the user key may be marked as a trusted root. The certificate record would still exist at the user level but it would be treated as a certificate authority for this key ring only.

  • Private key type

    This may be an Integrated Cryptographic Services Facility (ICSF) key token label or a non-ICSF key.

  • Private key bit size

For more information about RACF's support of digital certificates, see the z/OS Security Server RACF Security Administrator's Guide. For information about the RACDCERT command, see z/OS Security Server RACF Command Language Reference.

For more information about ICSF key tokens, see z/OS Cryptographic Services ICSF Application Programmer's Guide and the z/OS Cryptographic Services ICSF System Programmer's Guide.
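The following RACDCERT sequence is an added example, not part of the original IBM topic. It shows one way an authorized user could populate the RACF database with the certificate classes and key ring attributes described above. The user ID `WEBSRV`, the labels, the ring names, and the data set `'SECADM.ROOTCA.DER'` are assumed names chosen for illustration.

```tso
/* Example only: WEBSRV, labels, ring names and data set are assumed */

/* CA certificate (no private key), stored at the system level      */
RACDCERT CERTAUTH ADD('SECADM.ROOTCA.DER') -
  WITHLABEL('Example Root CA') TRUST

/* User (server) certificate with a private key, stored under the   */
/* owning user ID; with no SIGNWITH operand it is self-signed        */
RACDCERT ID(WEBSRV) GENCERT -
  SUBJECTSDN(CN('www.example.com') O('Example') C('US')) -
  WITHLABEL('Web Server Cert') -
  SIZE(2048) -
  NOTAFTER(DATE(2030-12-31))

/* Key rings (OCSF "data stores"), stored under the owning user ID  */
RACDCERT ID(WEBSRV) ADDRING(SERVERRING)
RACDCERT ID(WEBSRV) ADDRING(PEERRING)

/* Ring entries point to certificate records and carry attributes:  */
/* DEFAULT marks the default certificate/key, USAGE the ring usage  */
RACDCERT ID(WEBSRV) CONNECT(CERTAUTH -
  LABEL('Example Root CA') -
  RING(SERVERRING) USAGE(CERTAUTH))

RACDCERT ID(WEBSRV) CONNECT(ID(WEBSRV) -
  LABEL('Web Server Cert') -
  RING(SERVERRING) DEFAULT USAGE(PERSONAL))

/* Same user certificate treated as a trusted root for this ring    */
/* only; the certificate record itself stays at the user level      */
RACDCERT ID(WEBSRV) CONNECT(ID(WEBSRV) -
  LABEL('Web Server Cert') -
  RING(PEERRING) USAGE(CERTAUTH))

/* Review each ring's entries, including usage and default flag     */
RACDCERT ID(WEBSRV) LISTRING(SERVERRING)
RACDCERT ID(WEBSRV) LISTRING(PEERRING)
```

Reviewing the LISTRING output after each CONNECT confirms that a certificate is trusted as a root only in the rings where that was intended.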





Copyright IBM Corporation 1990, 2014