Steps for creating certificate bundles

A certificate bundle consolidates, in a single file, the information that is needed to validate an entire trust chain. The types of information that a certificate bundle can contain are the certificate that was used to create a digital signature, the certificates of the certificate authorities (CAs) in that certificate's trust chain, and certificate revocation lists (CRLs). A bundle contains only certificates and CRLs; no private key material is placed in it.

Before you begin

Obtain from the certificate authority any certificate revocation lists (CRLs) that you want to put in a certificate bundle. A CRL is valid only until the time in its nextUpdate field, so plan to rebuild the bundle each time the CA publishes a new CRL; a bundle that carries a stale CRL does not reflect revocations that the CA has issued since.

Procedure

Perform the following steps to create certificate bundles:

  1. Store the CRLs that you are going to include in a certificate bundle in a file or data set.
  2. Create a certificate bundle options file. See The z/OS® UNIX certbundle command options file in z/OS Communications Server: IP System Administrator's Commands for more information.
  3. For each certificate bundle that you are creating, define a CertBundleOptions statement:
    1. Use the KeyRing parameter to identify the key ring containing any certificates that you want to include.
    2. Use the CertificateChain parameter to specify the label of the certificate that is lowest in any complete trust chain that you want to include, excluding the root CA. From that label, certbundle places in the bundle the named certificate and the CA certificates above it that are needed to validate the chain; the root CA certificate is not included because the peer that validates the chain must already trust it.
    3. Use the CertificateLabel parameter to specify the label of any individual certificate that you want to include. Use the CertificateLabel parameter only when you need to include fewer certificates than the entire chain, for example a single CA certificate.
    4. Use the CRLFile parameter to identify the files that contain any CRLs that you want to include.
    5. Use the BundleFile parameter to identify the name of the certificate bundle file that you are creating.
  4. Provide read access to the key rings that are specified in the certificate bundle options file to the user ID under which the certbundle command is issued. certbundle only lists certificates; it does not need access to private keys, so grant no more than the key ring listing permission (in RACF, READ access to the IRR.DIGTCERT.LISTRING profile in the FACILITY class for the user's own key rings, UPDATE for another user's key ring, or READ access to the ring-specific <ringowner>.<ringname>.LST profile in the RDATALIB class). See z/OS Security Server RACF Command Language Reference for details concerning access to key rings.
  5. Issue the certbundle command, specifying the certificate bundle options file that you just created. Afterwards, confirm that the file named by BundleFile was written, and restrict write access to it so that the bundle you distribute cannot be altered between creation and use.
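The following z/OS UNIX shell script is an added example, not part of the IBM page or of the certbundle command itself. It carries steps 1 through 5 of the procedure through for one bundle: it writes a CertBundleOptions statement with the parameters the page lists (KeyRing, CertificateChain, CRLFile, BundleFile), runs a pre-flight check that a practitioner would want before invoking certbundle (every CRL file present and non-empty, the bundle directory writable, a certificate selector present), and then invokes certbundle only if it exists on the system. The key ring name, certificate label, paths and CRL contents are constructed placeholders; the brace layout of the options file and the -f flag on the certbundle command are assumptions to confirm against the options-file description and the command syntax in z/OS Communications Server: IP System Administrator's Commands.

```shell
#!/bin/sh
# Added example (not IBM's code): build a certbundle options file, pre-flight
# check it, and run certbundle. All names and paths are constructed.
set -u

# write_bundle_options OUTFILE KEYRING CHAINLABEL BUNDLEFILE CRLFILE...
# Emits one CertBundleOptions statement. Parameter names come from the
# procedure; the brace layout is an assumption modelled on other z/OS
# Communications Server configuration files.
write_bundle_options() {
    out=$1; ring=$2; label=$3; bundle=$4; shift 4
    {
        printf 'CertBundleOptions\n{\n'
        printf '  %-16s %s\n' KeyRing "$ring"
        printf '  %-16s "%s"\n' CertificateChain "$label"
        for crl in "$@"; do
            printf '  %-16s %s\n' CRLFile "$crl"
        done
        printf '  %-16s %s\n}\n' BundleFile "$bundle"
    } > "$out"
}

# check_options OPTIONSFILE
# Pre-flight checks run as the user who will issue certbundle. Returns the
# number of problems found (0 means ready). Paths must not contain spaces.
check_options() {
    opts=$1; bad=0
    ring=$(awk '$1=="KeyRing"{print $2}' "$opts")
    bundle=$(awk '$1=="BundleFile"{print $2}' "$opts")
    nsel=$(awk '$1=="CertificateChain"||$1=="CertificateLabel"{n++} END{print n+0}' "$opts")
    [ -n "$ring" ] || { echo "missing KeyRing" >&2; bad=$((bad+1)); }
    [ "$nsel" -gt 0 ] || { echo "no CertificateChain or CertificateLabel" >&2; bad=$((bad+1)); }
    if [ -z "$bundle" ]; then
        echo "missing BundleFile" >&2; bad=$((bad+1))
    elif [ ! -w "$(dirname "$bundle")" ]; then
        echo "bundle directory not writable: $(dirname "$bundle")" >&2; bad=$((bad+1))
    fi
    # Step 1: every CRL named in the file must already be stored and readable.
    for f in $(awk '$1=="CRLFile"{print $2}' "$opts"); do
        [ -s "$f" ] || { echo "CRL missing or empty: $f" >&2; bad=$((bad+1)); }
    done
    return "$bad"
}

work=${TMPDIR:-/tmp}/certbundle-demo.$$
mkdir -p "$work/crls" "$work/bundles"
# Constructed stand-in CRL files so the script runs anywhere; on z/OS these
# are the CRLs obtained from the CA and stored in a file or data set.
printf 'constructed placeholder, not a real CRL\n' > "$work/crls/intermediate-ca.crl"
printf 'constructed placeholder, not a real CRL\n' > "$work/crls/root-ca.crl"

opts=$work/certbundle.opts
write_bundle_options "$opts" "IKED/IKERING" "IKE Server Cert" \
    "$work/bundles/ikeserver.bndl" \
    "$work/crls/intermediate-ca.crl" "$work/crls/root-ca.crl"

if check_options "$opts"; then
    # certbundle exists only on z/OS. The -f flag is an assumption; confirm the
    # command syntax in IP System Administrator's Commands before use.
    if command -v certbundle >/dev/null 2>&1; then
        certbundle -f "$opts"
    else
        echo "certbundle not found here; options file written to $opts"
    fi
else
    echo "fix the problems above before issuing certbundle" >&2
fi
```

The pre-flight check deliberately runs under the same user ID that will issue certbundle, because that is the identity whose key ring listing permission and file access matter; a CRL that root can read but the certbundle user cannot will fail only at run time otherwise.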