Building a key ring with certificates using DFH$RING
DFH$RING is a sample REXX program that builds a RACF key ring, creates a signing certificate (a certificate authority certificate), creates additional certificates signed by it, and connects those certificates to the key ring. Each certificate created by the sample is given a label that begins with the last name you supply, so the labels below appear as lastname-Web-Server and so on.
Example
- lastname-Web-Server
- This certificate can be used in the CERTIFICATE attribute of TCPIPSERVICE definitions with PROTOCOL(HTTP). The distinguished name in the certificate has a common name of webservername, which must be the same as the host name that clients use to reach the server. Web browsers check that the name in the certificate matches the host name they connected to; older browsers compare the common name, while current browsers and most TLS libraries match only the subjectAltName (SAN) extension and ignore the common name, so a certificate that must be accepted by current browsers needs the host name as a SAN entry as well.
- lastname-IP-CONNECTION
- This certificate can be used for IP interconnectivity (IPIC), in the CERTIFICATE attributes of the resource definitions that a CICS region needs for IPIC. The same sample certificate serves as both the client certificate and the server certificate in the SSL/TLS handshake that occurs when an IPCONN is acquired: specify it in the CERTIFICATE attribute of the IPCONN definition (client side) and in the CERTIFICATE attribute of the TCPIPSERVICE definition with PROTOCOL(IPIC) (server side).
- lastname-2048-Certificate
- This certificate has a 2048-bit key and can be used for CICS® systems that require high-strength certificates. It can be used in the CERTIFICATE attributes of TCPIPSERVICE, IPCONN, and URIMAP definitions, and on EXEC CICS WEB OPEN commands.
- lastname-Default-Certificate
- This certificate is marked as the default certificate for the key ring and is the one that is used for all TCPIPSERVICE resources that do not specify a CERTIFICATE attribute. This certificate also contains a common name of webservername.
- Verisign Class 1 Primary CA
- Verisign Class 2 Primary CA
- IBM World Registry CA
- These certificate authority (CA) certificates are required to validate any client certificates you receive that were signed by those CAs. If you intend to accept client certificates signed by other CAs, or certificates that you have created yourself, you must add the issuing CA certificates to the key ring manually with the RACDCERT CONNECT command. When you connect a CA certificate to the key ring in this way, specify USAGE(CERTAUTH) so that RACF treats it as a certificate-authority certificate that can validate other certificates in that ring.
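The following REXX exec is an added illustration of the steps described above, in the style of DFH$RING; it is not the DFH$RING sample shipped with CICS. It creates a local CA certificate, signs a 2048-bit server certificate with it (with the host name in both the common name and a SAN entry), builds a key ring owned by the region user ID, connects the server certificate as the ring's default certificate, and connects both the local CA and an externally supplied CA certificate with USAGE(CERTAUTH) so that client certificates they issued can be validated. The user ID, ring name, host name, certificate labels, organisation, and the data set holding the external CA certificate are all assumptions; the exec name BLDRING is also assumed.

```rexx
/* REXX */
/* Added example, not the DFH$RING sample. Builds a RACF key ring for a */
/* CICS region user ID: local CA, signed 2048-bit server certificate,  */
/* and trusted CA certificates for validating client certificates.     */
/* All user IDs, ring names, labels and data set names are assumptions. */
/* Trailing commas below are REXX line continuation, so each call      */
/* passes a single command string.                                     */

parse upper arg userid ring hostname .
if userid = '' | ring = '' | hostname = '' then do
  say 'Usage: BLDRING userid ringname hostname'
  exit 4
end

ca_label  = 'Example Local CA'          /* assumed label            */
srv_label = 'Example Web Server'        /* assumed label            */
ext_label = 'Example External CA'       /* assumed label            */
ext_ca_ds = "'SYS1.PKI.EXTCA.CERT'"     /* assumed data set holding */
                                        /* the external CA cert     */
address tso

/* 1. Self-signed CA certificate owned by the CERTAUTH virtual user ID. */
call racf "RACDCERT CERTAUTH GENCERT",
  "SUBJECTSDN(CN('"ca_label"') O('Example Org') C('GB'))",
  "WITHLABEL('"ca_label"') SIZE(2048) NOTAFTER(DATE(2035-12-31))"

/* 2. Server certificate for the region, signed by that CA. CN is the */
/*    host name; ALTNAME(DOMAIN) adds the SAN entry that current      */
/*    browsers match instead of the common name.                      */
call racf "RACDCERT ID("userid") GENCERT",
  "SUBJECTSDN(CN('"hostname"') O('Example Org') C('GB'))",
  "WITHLABEL('"srv_label"') SIZE(2048)",
  "ALTNAME(DOMAIN('"hostname"'))",
  "SIGNWITH(CERTAUTH LABEL('"ca_label"'))"

/* 3. Create the key ring owned by the region user ID. */
call racf "RACDCERT ID("userid") ADDRING("ring")"

/* 4. Connect the server certificate as the ring's DEFAULT personal */
/*    certificate, used by TCPIPSERVICEs with no CERTIFICATE value.  */
call racf "RACDCERT ID("userid") CONNECT(ID("userid")",
  "LABEL('"srv_label"') RING("ring") DEFAULT USAGE(PERSONAL))"

/* 5. Connect the local CA as a trust anchor so the server chain can */
/*    be built and validated.                                        */
call racf "RACDCERT ID("userid") CONNECT(CERTAUTH",
  "LABEL('"ca_label"') RING("ring") USAGE(CERTAUTH))"

/* 6. Import an external CA certificate and connect it with          */
/*    USAGE(CERTAUTH) so client certificates it issued are accepted. */
call racf "RACDCERT CERTAUTH ADD("ext_ca_ds")",
  "WITHLABEL('"ext_label"') TRUST"
call racf "RACDCERT ID("userid") CONNECT(CERTAUTH",
  "LABEL('"ext_label"') RING("ring") USAGE(CERTAUTH))"

/* 7. Refresh the in-storage profiles (if these classes are RACLISTed */
/*    at your installation) and list the finished ring.               */
call racf "SETROPTS RACLIST(DIGTCERT DIGTRING) REFRESH"
call racf "RACDCERT ID("userid") LISTRING("ring")"
exit 0

/* Issue one RACF command and stop on the first failure. */
racf: procedure
  parse arg cmd
  say cmd
  address tso cmd
  if rc <> 0 then do
    say 'Command failed, rc='rc
    exit rc
  end
return
```

Run it from TSO as, for example, `BLDRING CICSREGN CICSRING www.example.com` (an assumed invocation). The LISTRING output at the end should show the server certificate with `DEFAULT` set and usage PERSONAL, and the two CA certificates with usage CERTAUTH; a CA certificate that appears with usage PERSONAL will not be used to validate client certificates.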