Creating a RACF signed personal certificate
RACF® can function as a certificate authority and issue its own CA certificate.
This section uses the term signer certificate to denote a CA certificate issued by RACF.
The private key for the signer certificate must be in the RACF database before you carry out the following procedure:
- Use the following command to generate a personal certificate signed by RACF, using the signer certificate contained in your RACF database:
RACDCERT ID(userid2) GENCERT SUBJECTSDN(CN('common-name') T('title') OU('organizational-unit') O('organization') L('locality') SP('state-or-province') C('country')) WITHLABEL('label-name') SIGNWITH(CERTAUTH LABEL('signer-label'))
- Connect the certificate to your key ring using the following command:
RACDCERT ID(userid1) CONNECT(ID(userid2) LABEL('label-name') RING(ring-name) USAGE(PERSONAL))
- userid1 is the user ID of the channel initiator address space or owner of the shared key ring.
- userid2 is the user ID associated with the certificate and must be the user ID of the
channel initiator address space.
userid1 and userid2 can be the same ID.
- ring-name is the name you gave the key ring in Setting up a key repository on z/OS.
- label-name must be either the value of the IBM® MQ
CERTLABL attribute, if it is set, or the default
ibmWebSphere®MQ
with the name of the queue manager or queue sharing group appended. See Digital certificate labels for details. - signer-label is the label of your own signer certificate.