RACDCERT LISTCHAIN (List certificate chain)
Purpose
Use the RACDCERT LISTCHAIN command to display a digital certificate together with its issuer chain, as recorded in the RACF database.
The starting certificate is identified by the LABEL keyword and may be owned by SITE, CERTAUTH, or a user ID. After finding that certificate, RACF searches the database under the same owner for the issuer's certificate. If it is not found there, RACF searches under CERTAUTH for the issuer's certificate, and then for each issuer's issuer in turn. A chain is considered incomplete if RACF cannot follow it back to a self-signed (root) certificate.
After the individual certificates, the listing ends with a chain summary that shows:
- The number of certificates in the displayed chain.
- Whether the chain is complete or incomplete.
- Whether the chain contains any NOTRUST or expired certificates. A chain can be reported as complete and still contain such certificates, so check these lines as well as the completeness line.
- Any rings in common, that is, rings to which every certificate in the chain is connected.
Issuing options
As a RACF® TSO command? | As a RACF operator command? | With command direction? | With automatic command direction? | From the RACF parameter library? |
---|---|---|---|---|
Yes | No | No. (See rules.) | No. (See rules.) | No |
- The RACDCERT command cannot be directed to a remote system using the AT or ONLYAT keyword.
- The updates made to the RACF database by RACDCERT are eligible for propagation with automatic direction of application updates based on the RRSFDATA profiles AUTODIRECT.target-node.DIGTCERT.APPL and AUTODIRECT.target-node.DIGTRING.APPL, where target-node is the remote node to which the update is to be propagated.
Authorization required
To issue the RACDCERT LISTCHAIN command, you must have CONTROL access to the IRR.DIGTCERT.LIST resource in the FACILITY class. CONTROL (rather than READ) is needed because the chain walk reads CERTAUTH certificates, not only the issuer's own.
If the user does not have CONTROL access to IRR.DIGTCERT.LIST, message IRRD101I is issued.
If any certificate in the chain has the ECC key type, READ access to the CSF1PKV, CSF1TRC, CSF1TRD and CSFOWH resources in the CSFSERV class is also required.
A user with the SPECIAL attribute can also issue the RACDCERT LISTCHAIN command.
Related commands
- To list digital certificate information, see RACDCERT LIST.
- To list a key ring, see RACDCERT LISTRING.
- To list a token, see RACDCERT LISTTOKEN.
Syntax
For the key to the symbols used in the command syntax diagrams, see Syntax of RACF commands and operands. The complete syntax of the RACDCERT LISTCHAIN command is:
RACDCERT [ ID(certificate-owner) | SITE | CERTAUTH ]
         LISTCHAIN( [ LABEL('label-name') ] )
If you do not specify a RACDCERT function, LIST is the default function.
For information on issuing this command as a RACF TSO command, refer to RACF TSO commands.
Parameters
- ID(certificate-owner) | SITE | CERTAUTH
  Specifies the owner of the certificate at which the chain listing starts: a user ID, SITE, or CERTAUTH. If none of these is specified, ID defaults to the user ID of the command issuer.
- LISTCHAIN(LABEL('label-name'))
  Specifies the certificate whose issuer chain is to be listed. If the user has only one certificate, the LABEL keyword and its associated value can be omitted.
For a description of label-name, see the description of the WITHLABEL keyword for RACDCERT ADD.
Note: If the certificate was created using a previous z/OS release of RACF that did not support certificate labels, the certificate listing will contain the following output: No label assigned
Examples
Example | Activity label | Description |
---|---|---|
1 | Operation | User CHOI requests the listing of the certificate labeled samplecert together with its issuer chain. |
 | Known | User CHOI has been given CONTROL access to profile IRR.DIGTCERT.LIST in the FACILITY class. |
 | Command | RACDCERT LISTCHAIN(LABEL('samplecert')) |
 | Output | See Figure 1. |
2 | Operation | User CHOI requests the same listing of samplecert and its chain; the chain now contains an expired certificate and a NOTRUST certificate. |
 | Known | User CHOI has been given CONTROL access to profile IRR.DIGTCERT.LIST in the FACILITY class. |
 | Command | RACDCERT LISTCHAIN(LABEL('samplecert')) |
 | Output | See Figure 2. |
Figure 1. Output from RACDCERT LISTCHAIN for Example 1 (complete chain; every certificate TRUST and within its validity dates)
Certificate 1:
Digital certificate information for user CHOI:
Label: samplecert
Certificate ID: 2QbmxsPI1smJl4OFmaPy
Status: TRUST
Start Date: 2011/10/20 00:00:00
End Date: 2012/10/20 23:59:59
Serial Number:
>05<
Issuer's Name:
>CN=sampleCA.O=Test.SP=Poughkeepsie.C=US<
Subject's Name:
>CN=samplecert.O=Test.SP=Poughkeepsie.C=US<
Subject's AltNames:
IP: 127.0.0.5
EMail: choi@us.ibm.com
Domain: www.ibm.com
Signing Algorithm: sha1RSA
Key Usage: HANDSHAKE
Key Type: RSA
Key Size: 1024
Private Key: Yes
PKDS Label: SAMPLECERT
Ring Associations:
Ring Owner: CHOI
Ring:
>testring<
Certificate 2:
Digital certificate information for CERTAUTH:
Label: sampleCA
Certificate ID: 2PabcsPI1smJl4OFmaPx
Status: TRUST
Start Date: 2010/03/22 00:00:00
End Date: 2020/10/22 23:59:59
Serial Number:
>02<
Issuer's Name:
>CN=MasterCA.O=Test.SP=Poughkeepsie.C=US<
Subject's Name:
>CN=sampleCA.O=Test.SP=Poughkeepsie.C=US<
Signing Algorithm: sha256RSA
Key Usage: CERTSIGN
Key Type: RSA
Key Size: 2048
Private Key: Yes
PKDS Label: SAMPLECA
Ring Associations:
Ring Owner: CHOI
Ring:
>testring<
Certificate 3:
Digital certificate information for CERTAUTH:
Label: MasterCA
Certificate ID: 2KbmxsPI1smJl4OFmaPm
Status: TRUST
Start Date: 2008/04/20 00:00:00
End Date: 2038/04/20 23:59:59
Serial Number:
>00<
Issuer's Name:
>CN=MasterCA.O=Test.SP=Poughkeepsie.C=US<
Subject's Name:
>CN=MasterCA.O=Test.SP=Poughkeepsie.C=US<
Signing Algorithm: sha256RSA
Key Usage: CERTSIGN
Key Type: RSA
Key Size: 4096
Private Key: Yes
PKDS Label: MASTERCA
Ring Associations:
Ring Owner: CHOI
Ring:
>testring<
Chain information:
Chain contains 3 certificate(s), chain is complete
Chain contains ring in common: CHOI/testring
Figure 2. Output from RACDCERT LISTCHAIN for Example 2 (chain complete, but the end-entity certificate has expired and its issuer is NOTRUST)
Certificate 1:
Digital certificate information for user CHOI:
Label: samplecert
Certificate ID: 2QbmxsPI1smJl4OFmaPy
Status: TRUST
Start Date: 2010/10/20 00:00:00
End Date: 2011/10/20 23:59:59
Serial Number:
>05<
Issuer's Name:
>CN=sampleCA.O=Test.SP=Poughkeepsie.C=US<
Subject's Name:
>CN=samplecert.O=Test.SP=Poughkeepsie.C=US<
Subject's AltNames:
IP: 127.0.0.5
EMail: choi@us.ibm.com
Domain: www.ibm.com
Signing Algorithm: sha1RSA
Key Usage: HANDSHAKE
Key Type: RSA
Key Size: 1024
Private Key: Yes
PKDS Label: SAMPLECERT
Ring Associations:
Ring Owner: CHOI
Ring:
>testring<
Certificate 2:
Digital certificate information for CERTAUTH:
Label: sampleCA
Certificate ID: 2PabcsPI1smJl4OFmaPx
Status: NOTRUST
Start Date: 2010/03/22 00:00:00
End Date: 2020/10/22 23:59:59
Serial Number:
>02<
Issuer's Name:
>CN=MasterCA.O=Test.SP=Poughkeepsie.C=US<
Subject's Name:
>CN=sampleCA.O=Test.SP=Poughkeepsie.C=US<
Signing Algorithm: sha256RSA
Key Usage: CERTSIGN
Key Type: RSA
Key Size: 2048
Private Key: Yes
PKDS Label: SAMPLECA
Ring Associations:
Ring Owner: CHOI
Ring:
>testring<
Certificate 3:
Digital certificate information for CERTAUTH:
Label: MasterCA
Certificate ID: 2KbmxsPI1smJl4OFmaPm
Status: TRUST
Start Date: 2008/04/20 00:00:00
End Date: 2038/04/20 23:59:59
Serial Number:
>00<
Issuer's Name:
>CN=MasterCA.O=Test.SP=Poughkeepsie.C=US<
Subject's Name:
>CN=MasterCA.O=Test.SP=Poughkeepsie.C=US<
Signing Algorithm: sha256RSA
Key Usage: CERTSIGN
Key Type: RSA
Key Size: 4096
Private Key: Yes
PKDS Label: MASTERCA
Ring Associations:
Ring Owner: CHOI
Ring:
>testring<
Chain information:
Chain contains 3 certificate(s), chain is complete
Chain contains ring in common: CHOI/testring
Chain contains NOTRUST certificate(s)
Chain contains expired certificate(s)
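The listings above are plain text, so anyone reviewing more than a handful of chains (for example, LISTCHAIN output captured from a batch TSO job for every server certificate) will want to parse them rather than read them by eye. The following Python script is an added example; it is not part of this page or of RACF. It parses the per-certificate entries and the chain summary, then applies a review policy that is an assumption of this example and not something RACF enforces: any status other than TRUST or HIGHTRUST, an End Date earlier than a supplied reference date, a SHA-1 or MD5 signing algorithm, an RSA key shorter than 2048 bits, an incomplete chain, and a chain reported as complete whose last certificate is not self-signed. The sample input is a constructed, abbreviated copy of Figure 2 (only the fields the parser reads are kept). Figure 2 is also the reason the completeness line alone is not a health check: RACF reports that chain as complete even though it contains a NOTRUST issuer and an expired end-entity certificate.

```python
import re
from datetime import datetime

# Constructed sample input: Figure 2 from this page, reduced to the fields the
# parser reads. Other lines (ring associations, serial numbers) are tolerated.
SAMPLE_LISTING = """\
Certificate 1:
Digital certificate information for user CHOI:
  Label: samplecert
  Status: TRUST
  End Date: 2011/10/20 23:59:59
  Issuer's Name:
    >CN=sampleCA.O=Test.SP=Poughkeepsie.C=US<
  Subject's Name:
    >CN=samplecert.O=Test.SP=Poughkeepsie.C=US<
  Signing Algorithm: sha1RSA
  Key Type: RSA
  Key Size: 1024
Certificate 2:
Digital certificate information for CERTAUTH:
  Label: sampleCA
  Status: NOTRUST
  End Date: 2020/10/22 23:59:59
  Issuer's Name:
    >CN=MasterCA.O=Test.SP=Poughkeepsie.C=US<
  Subject's Name:
    >CN=sampleCA.O=Test.SP=Poughkeepsie.C=US<
  Signing Algorithm: sha256RSA
  Key Type: RSA
  Key Size: 2048
Certificate 3:
Digital certificate information for CERTAUTH:
  Label: MasterCA
  Status: TRUST
  End Date: 2038/04/20 23:59:59
  Issuer's Name:
    >CN=MasterCA.O=Test.SP=Poughkeepsie.C=US<
  Subject's Name:
    >CN=MasterCA.O=Test.SP=Poughkeepsie.C=US<
  Signing Algorithm: sha256RSA
  Key Type: RSA
  Key Size: 4096
Chain information:
  Chain contains 3 certificate(s), chain is complete
  Chain contains ring in common: CHOI/testring
  Chain contains NOTRUST certificate(s)
  Chain contains expired certificate(s)
"""
DATE_FMT = "%Y/%m/%d %H:%M:%S"   # RACF's Start Date / End Date layout


def parse_listchain(text):
    """Return (certs, summary_lines); a 'Key:' with no value takes the next '>...<' line."""
    certs, summary, cur, pending = [], [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if re.match(r"^Certificate \d+:$", line):
            cur = {}
            certs.append(cur)
        elif line == "Chain information:":
            cur = summary
        elif cur is None or not line:
            continue
        elif cur is summary:
            summary.append(line)
        elif line.startswith("Digital certificate information for "):
            cur["owner"] = line[len("Digital certificate information for "):-1]
        elif line.startswith(">") and line.endswith("<") and pending:
            cur[pending] = line[1:-1]          # folded multi-line value
            pending = None
        else:
            key, _, val = line.partition(":")
            pending = None if val.strip() else key.strip()
            if val.strip():
                cur[key.strip()] = val.strip()
    return certs, summary


def audit_chain(text, now, min_rsa_bits=2048, weak_sig=("md5RSA", "sha1RSA")):
    """Assumed local review policy (not RACF's); 'now' is a string in DATE_FMT."""
    now = datetime.strptime(now, DATE_FMT)
    certs, summary = parse_listchain(text)
    findings = []
    for c in certs:
        name = "%s/%s" % (c.get("owner"), c.get("Label"))
        if c.get("Status") not in ("TRUST", "HIGHTRUST"):
            findings.append("%s: status is %s" % (name, c.get("Status")))
        if datetime.strptime(c["End Date"], DATE_FMT) < now:
            findings.append("%s: expired on %s" % (name, c["End Date"]))
        if c.get("Signing Algorithm") in weak_sig:
            findings.append("%s: weak signature %s" % (name, c["Signing Algorithm"]))
        if c.get("Key Type") == "RSA" and int(c.get("Key Size", "0")) < min_rsa_bits:
            findings.append("%s: RSA key only %s bits" % (name, c["Key Size"]))
    complete = any(s.endswith("chain is complete") for s in summary)
    if not complete:
        findings.append("chain incomplete: no self-signed root reached")
    elif certs and certs[-1].get("Issuer's Name") != certs[-1].get("Subject's Name"):
        findings.append("summary says complete but last certificate is not self-signed")
    return {"count": len(certs), "complete": complete, "findings": findings}
```

Run as `audit_chain(SAMPLE_LISTING, "2012/01/01 00:00:00")` the script reports four findings for the Figure 2 chain: samplecert has expired, is signed with sha1RSA and carries a 1024-bit RSA key, and sampleCA is NOTRUST. The chain itself is still reported complete, matching RACF's own summary line. Key sizes are only compared for RSA keys, so ECC certificates (which the page notes need extra CSFSERV access to list) are not flagged by the length rule.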