Managing certificates for AT-TLS

Securing internal connections requires creating or obtaining an X.509 certificate and connecting it to a keyring. The command templates below can be customized and used to create the certificates; replace each value in angle brackets with your own before running them. For background, see Configuring RACF and Authentication via client digital certificates.

Creating a CA certificate

RACDCERT CERTAUTH GENCERT +
SUBJECTSDN(CN(<ca_cert_name>) +
OU(<organization_unit>) +
O(<organization>) +
L(<location>) SP(<state>) C(<country_code>)) +
KEYUSAGE(CERTSIGN) +
WITHLABEL(<ca_cert_label>) +
NOTAFTER(DATE(<yyyy/mm/dd>)) +
SIZE(2048)

Creating a certificate signed by the certificate authority

RACDCERT ID(<server_owner_id>) GENCERT +
SUBJECTSDN(CN(<cert_name>) +
OU(<organization_unit>) +
O(<organization>) +
L(<location>) SP(<state>) C(<country_code>)) +
KEYUSAGE(HANDSHAKE) +
WITHLABEL(<cert_label>) +
NOTAFTER(DATE(<yyyy/mm/dd>)) +
SIZE(2048) +
SIGNWITH(CERTAUTH LABEL(<ca_cert_label>))

Creating a keyring

RACDCERT ID(<server_owner_id>) ADDRING(<ring_name>)

Connecting certificates to the keyring

RACDCERT ID(<server_owner_id>) CONNECT(ID(<server_owner_id>) LABEL(<cert_label>) RING(<ring_name>) DEFAULT)

RACDCERT ID(<server_owner_id>) CONNECT(CERTAUTH LABEL(<ca_cert_label>) RING(<ring_name>))

Refreshing profiles

The changes take effect only after the DIGTRING and DIGTCERT profiles are refreshed.

SETROPTS RACLIST(DIGTRING,DIGTCERT) REFRESH
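Added example (not part of the original page): a small Python helper that renders the steps above from one set of values and, before anything is submitted, flags the mistakes that commonly break this procedure: a placeholder left unfilled, a server label identical to the CA label, a server certificate whose NOTAFTER falls after its CA's, or a date not in yyyy/mm/dd form. The owner ID, labels, ring name and dates are constructed sample values.

```python
import datetime
import re

# Constructed sample values; the IDs, labels and ring name are invented placeholders.
SAMPLE = dict(owner="ATTLSSRV", ring="ATTLSRING", ou="Platform", o="Example Corp",
              l="Prague", sp="Prague", c="CZ", ca_cert_name="Local AT-TLS CA",
              ca_cert_label="LOCALCA", ca_not_after="2034/12/31",
              cert_name="attls.example.internal", cert_label="ATTLSCERT",
              cert_not_after="2026/12/31")
TODAY = datetime.date(2024, 1, 1)  # fixed "today" so the checks are reproducible

def find_problems(p, today):
    """Mistakes that usually break this procedure; an empty list means OK."""
    problems = []
    for k, v in p.items():
        if re.search(r"<[^>]*>", v):
            problems.append(f"{k}: template placeholder left unfilled: {v!r}")
    if p["ca_cert_label"] == p["cert_label"]:
        problems.append("CA and server certificate labels must differ")
    try:
        ca_exp, srv_exp = (datetime.datetime.strptime(p[k], "%Y/%m/%d").date()
                           for k in ("ca_not_after", "cert_not_after"))
    except ValueError:
        return problems + ["NOTAFTER dates must be yyyy/mm/dd"]
    if min(ca_exp, srv_exp) <= today:
        problems.append("NOTAFTER dates must lie in the future")
    if srv_exp > ca_exp:  # chain validation fails once the issuer expires
        problems.append("server certificate must not outlive the CA that signs it")
    return problems

def build_racdcert_commands(p, today=TODAY):
    """Render the steps above, in order, with every label and ring name taken from p."""
    problems = find_problems(p, today)
    if problems:
        raise ValueError("; ".join(problems))
    def subject(cn):  # same SUBJECTSDN layout for both certificates
        return (f"SUBJECTSDN(CN({cn}) OU({p['ou']}) O({p['o']}) "
                f"L({p['l']}) SP({p['sp']}) C({p['c']}))")
    return [
        f"RACDCERT CERTAUTH GENCERT {subject(p['ca_cert_name'])} KEYUSAGE(CERTSIGN) "
        f"WITHLABEL({p['ca_cert_label']}) NOTAFTER(DATE({p['ca_not_after']})) SIZE(2048)",
        f"RACDCERT ID({p['owner']}) GENCERT {subject(p['cert_name'])} KEYUSAGE(HANDSHAKE) "
        f"WITHLABEL({p['cert_label']}) NOTAFTER(DATE({p['cert_not_after']})) SIZE(2048) "
        f"SIGNWITH(CERTAUTH LABEL({p['ca_cert_label']}))",
        f"RACDCERT ID({p['owner']}) ADDRING({p['ring']})",
        f"RACDCERT ID({p['owner']}) CONNECT(ID({p['owner']}) LABEL({p['cert_label']}) "
        f"RING({p['ring']}) DEFAULT)",
        f"RACDCERT ID({p['owner']}) CONNECT(CERTAUTH LABEL({p['ca_cert_label']}) RING({p['ring']}))",
        "SETROPTS RACLIST(DIGTRING,DIGTCERT) REFRESH",
    ]
```

The rendered strings are single-line equivalents of the continued (`+`) templates above, so they can be reviewed as a unit before being entered.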