You can use certificate bundles to consolidate all relevant
information about an entire trust chain. The types of information
that can be included in a certificate bundle are the certificate that
was used to create a digital signature, the certificates of certificate
authorities in the trust chain, and certificate revocation lists (CRLs).
Before you begin
Obtain from the certificate authority any certificate revocation
lists (CRLs) that you want to put in a certificate bundle.
Procedure
Perform the following steps to create certificate bundles:
- Store the CRLs that you are going to include in a certificate
bundle in a file or data set.
- Create a certificate bundle options file. See The z/OS® UNIX certbundle command options
file in z/OS Communications Server: IP System Administrator's
Commands for more information.
- For each certificate bundle that you are creating, define
a CertBundleOptions statement:
  - Use the KeyRing parameter to identify the key ring containing
    any certificates that you want to include.
  - Use the CertificateChain parameter to specify the label
    of the certificate that is lowest in any complete trust chain that
    you want to include (excluding the root CA). The CertificateChain
    parameter generates a certificate bundle file that contains an optimal
    set of certificates.
  - Use the CertificateLabel parameter to specify the label
    of any individual certificates that you want to include. Use the CertificateLabel
    parameter only when you need to include fewer certificates than the
    entire chain.
  - Use the CRLFile parameter to identify the files that
    contain any CRLs that you want to include.
  - Use the BundleFile parameter to identify the name of
    the certificate bundle file that you are creating.
- Provide read access to the key rings that are specified
in the certificate bundle options file to the user ID under which
the certbundle command is issued. See z/OS Security Server RACF Command Language Reference for details concerning access to key rings.
- Issue the certbundle command, specifying
the certificate bundle options file that you just created.