Steps for generating an X509 digital certificate and having it signed by a certificate authority

The IKE daemon and NSS server require the ability to retrieve digital certificates associated with a particular identity from a RACF® key ring, and to perform operations with the associated private key.

Before you begin

Assume that you have an X509 digital certificate that has the X500 distinguished name CN=SYSTEMA STACK1,OU=Inventory,O=IBM,C=US and the domain name ibm.com. The certificate identifies the local IKE daemon that executes on z/OS® with the user ID IKED.
Tip: If you are creating a certificate for a stack configured to use the certificate service from an NSS server, issue these commands against the RACF database for the system on which the NSS server runs. Modify the user ID in the examples to be the user ID that is running the NSS server and modify the key ring to be the key ring that is configured in the NSS server's configuration file.

Procedure

Perform the following steps to install the X509 digital certificate:

  1. Generate a self-signed certificate for the server:
    RACDCERT ID(IKED) GENCERT SUBJECTSDN(CN('SYSTEMA STACK1') OU('Inventory') O('IBM') C('US'))
                      WITHLABEL('SYSTEMA STACK1') ALTNAME(DOMAIN('ibm.com'))
  2. Take one of the following actions:
    • RACF supplies certificates for many commercial certificate authorities. If you are using one of these supplied certificate authority certificates, follow the steps for supplied digital certificates in z/OS Security Server RACF Security Administrator's Guide.
    • If the certificate authority you are using is not one of the supplied certificate authorities, obtain the root certificate of the certificate authority that is to sign the certificate of the IKED, and place it in an MVS™ data set (for example, USER1.EXTCA1.CERT). Add it to the RACF database as follows:
      RACDCERT ID(IKED) ADD('USER1.EXTCA1.CERT') WITHLABEL('External CA') CERTAUTH
  3. Create a certificate request to send to the chosen certificate authority. The certificate request that you create is based on the certificate that was created in step 1. Place this certificate into a data set called USER1.SYSTEMA.STACK1.GENREQ as follows:
    RACDCERT ID(IKED) GENREQ(LABEL('SYSTEMA STACK1')) DSN('USER1.SYSTEMA.STACK1.GENREQ')
  4. Send the certificate request to the certificate authority. The certificate request is Base64-encoded text. Typically, the request is sent to the certificate authority by cutting and pasting the certificate request into an email that is sent to the certificate authority.

    The certificate authority validates the certificate request. If the request is approved, the certificate authority signs the certificate and returns it to the requester.

  5. Receive the returned certificate into a data set (for example, USER1.SYSTEMA.STACK1.CERT). The returned certificate is Base64-encoded text. This can be done by cutting and pasting, with FTP, or with another technique.
  6. Replace the self-signed certificate with the certificate that is signed by the certificate authority. The certificate is replaced only if the user ID that is specified as the ID value on the RACDCERT ADD command is the same user ID that was specified when the certificate was created. Ensure that the user ID is the same. Otherwise, the certificate is added as a separate certificate rather than replacing the self-signed one, and it has no private key associated with it.
    RACDCERT ID(IKED) ADD('USER1.SYSTEMA.STACK1.CERT') WITHLABEL('SYSTEMA STACK1')
  7. Connect the certificate to an existing key ring:
    RACDCERT ID(IKED) CONNECT(LABEL('SYSTEMA STACK1') RING(ikeyring) USAGE(PERSONAL))
  8. Connect the certificate authority's certificate to the key ring:
    RACDCERT ID(IKED) CONNECT(CERTAUTH LABEL('External CA') RING(ikeyring) USAGE(CERTAUTH))
    This completes the certificate hierarchy from root to SYSTEMA STACK1.
  9. Add the following statement to the IKE daemon configuration file, iked.conf, or the NSS server configuration file, nssd.conf:
    Keyring   IKED/ikeyring
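    Before the RACDCERT ADD in step 6, it is worth confirming off-host that the certificate the CA returned is the one that was requested: it chains to the root added in step 2, carries the subject DN and ALTNAME from step 1, and holds the same public key as the request, so the ADD replaces the self-signed certificate instead of adding a keyless duplicate. The script below is an added example, not from this page or from IBM; it assumes openssl is installed, and because RACDCERT runs only under TSO it builds a throwaway CA, request and signed certificate as stand-ins for "External CA", USER1.SYSTEMA.STACK1.GENREQ and USER1.SYSTEMA.STACK1.CERT.

```shell
#!/bin/sh
# Added example, not from the IBM page. Assumes openssl is on PATH.
# A throwaway CA and request stand in for "External CA" and the GENREQ data set.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Stand-in for the external CA root that step 2 adds with CERTAUTH (constructed here).
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out extca1.cert \
  -subj "/C=US/O=Example/CN=External CA" -days 30 >/dev/null 2>&1

# Stand-in for the request RACDCERT GENREQ writes: same subject and ALTNAME as step 1.
openssl req -new -newkey rsa:2048 -nodes -keyout stack1.key -out stack1.genreq \
  -subj "/C=US/O=IBM/OU=Inventory/CN=SYSTEMA STACK1" \
  -addext "subjectAltName=DNS:ibm.com" >/dev/null 2>&1

# Stand-in for what the CA returns in step 5 (PEM, that is, Base64 text).
printf 'subjectAltName=DNS:ibm.com\n' > san.ext
openssl x509 -req -in stack1.genreq -CA extca1.cert -CAkey ca.key -CAcreateserial \
  -extfile san.ext -out stack1.cert -days 30 >/dev/null 2>&1

# check_returned_cert CERT CAROOT REQUEST -> 0 if CERT is safe to RACDCERT ADD.
check_returned_cert() {
  # 1. It chains to the root that step 8 connects to the ring with USAGE(CERTAUTH).
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 || return 1
  # 2. Subject is the X500DN identity the IKE daemon will be mapped to.
  _subj=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')
  [ "$_subj" = "CN=SYSTEMA STACK1,OU=Inventory,O=IBM,C=US" ] || return 2
  # 3. The FQDN identity from ALTNAME(DOMAIN(...)) survived signing.
  openssl x509 -in "$1" -noout -text | grep -q 'DNS:ibm.com' || return 3
  # 4. Same public key as the request, so ADD under ID(IKED) replaces the
  #    self-signed certificate and keeps its private key (step 6).
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl req -in "$3" -noout -pubkey)" ] \
    || return 4
  return 0
}

check_returned_cert stack1.cert extca1.cert stack1.genreq \
  && echo "stack1.cert matches the request and chains to External CA"
```

Run the same function against the real returned data set (downloaded as PEM text) and the real CA root before issuing RACDCERT ADD; a non-zero return code tells you which of the four checks failed.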

Results

You know you are done when the X509 digital certificate is available, and is mapped to the X500DN identity CN=SYSTEMA STACK1,OU=Inventory,O=IBM,C=US from the certificate's subject name, and the FQDN identity ibm.com from the certificate's alternate subject name.

You can verify that the certificates that you have created are connected to the key ring associated with user ID IKED by using the RACDCERT command and examining the output of the Ring Associations field. Verify that the certificate authority's certificate was added and connected to IKED/ikeyring as follows:

RACDCERT CERTAUTH LIST(LABEL('External CA'))

Verify that the personal certificate for the IKE daemon was created and added to the IKED/ikeyring as follows:

RACDCERT ID(IKED) LIST(LABEL('SYSTEMA STACK1'))

Requirement: If the certificates connected to the key ring are for an NSS client, you must create a SERVAUTH profile for each certificate. You must give the user ID associated with the NSS client access to this profile. Create this profile in the RACF database for the system on which the NSS server runs. For details about these profiles, see Steps for authorizing resources for NSS.