The root CA certificate of the client certificate chain must be present as a CERTAUTH certificate in the z/OS® server keyring.
Before you begin
How to obtain the root CA certificate varies by vendor and application. If you do not already have the client CA trusted root certificate, you might be able to export it to a file from the client Windows system:
- Select .
- Double-click on the certificate you want to use for client authentication.
- Click the Certification Path tab.
- Select the certificate at the top of the chain. This is the root CA certificate.
- Click View Certificate. On the Certificate Information window, the Issued to and Issued by fields should be the same.
- Select the Details tab.
- Click Copy to File.
- Follow the Certificate Export wizard to export the certificate to a file. You can accept the default of DER encoded binary x.509 (.cer).
About this task
The root CA certificate of the client certificate chain must be present as a CERTAUTH in the z/OS server keyring. The user certificate must match the Subject DN and Issuer DN of the root CA certificate. If you are using certificates from more than one issuer, as could be the case if you are using smart cards from more than one source, the root CA certificate of each certificate chain must be present.
Procedure
- Allocate a data set on the z/OS system for the certificate. You must specify a cataloged data set, and it must not be a PDS or a PDS member. The record format (RECFM) expected by RACDCERT is variable-block (VB).
- Copy the certificate file to the data set you allocated. If you use ftp to transfer the file, transfer it in binary mode.
- Add the certificate to the RACF® database as a trusted CERTAUTH with a label of your choice:
  RACDCERT ADD('cert-data-set') CERTAUTH TRUST WITHLABEL('Cert Label')
- Connect the certificate to the keyring you created in Configure an AT-TLS profile:
  RACDCERT ID(ID of the web services started task) CONNECT(CERTAUTH LABEL('client cert root CA label') RING(server ring name))
- Refresh the DIGTCERT class:
  SETROPTS RACLIST(DIGTCERT) REFRESH
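The five procedure steps above as a single TSO REXX exec that stops at the first failing command and lists the keyring afterwards, added here as an example rather than an IBM-supplied exec; the data set name, certificate label, started-task user ID, keyring name and the ALLOCATE attributes are placeholder assumptions.

```rexx
/* REXX - add a client root CA to the RACF server keyring           */
/* Added example for this procedure, not an IBM-supplied exec.      */
/* Run as:  EX 'dsn(ADDROOTCA)' 'ALLOC'  before the ftp transfer,   */
/* then:    EX 'dsn(ADDROOTCA)' 'ADD'    after the binary transfer. */
/* All values below are placeholder assumptions; replace them.      */
certDsn  = "'SYSADM.CLIENT.ROOTCA.CER'"  /* cataloged, sequential    */
certLbl  = "'Client Root CA'"            /* label of your choice     */
taskId   = "WEBSRV"                      /* web services STC user ID */
ringName = "WEBSRVRING"                  /* ring from AT-TLS setup   */

PARSE UPPER ARG stage .
ADDRESS TSO

SELECT
  WHEN stage = "ALLOC" THEN DO
    /* Step 1: RACDCERT needs a cataloged, non-PDS, RECFM=VB data set. */
    /* LRECL/BLKSIZE/SPACE are assumed values, not IBM-mandated ones.  */
    "ALLOCATE DATASET("certDsn") NEW CATALOG DSORG(PS) RECFM(V B)",
      "LRECL(84) BLKSIZE(27998) SPACE(5,5) TRACKS"
    CALL check "ALLOCATE"
    "FREE DATASET("certDsn")"
    /* Step 2 happens outside TSO: ftp the .cer file into certDsn    */
    /* in BINARY mode (ftp> binary, then ftp> put rootca.cer 'dsn'). */
  END
  WHEN stage = "ADD" THEN DO
    /* Step 3: add the root CA as a trusted CERTAUTH certificate.    */
    "RACDCERT ADD("certDsn") CERTAUTH TRUST WITHLABEL("certLbl")"
    CALL check "RACDCERT ADD"
    /* Step 4: connect it to the started task's server keyring.      */
    "RACDCERT ID("taskId") CONNECT(CERTAUTH LABEL("certLbl")",
      "RING("ringName"))"
    CALL check "RACDCERT CONNECT"
    /* Step 5: refresh DIGTCERT so AT-TLS sees the new trust anchor. */
    "SETROPTS RACLIST(DIGTCERT) REFRESH"
    CALL check "SETROPTS REFRESH"
    /* Verify: the ring should now list the CA with CERTAUTH usage.  */
    "RACDCERT ID("taskId") LISTRING("ringName")"
    "RACDCERT CERTAUTH LIST(LABEL("certLbl"))"
  END
  OTHERWISE
    SAY "Usage: ADDROOTCA ALLOC | ADD"
    EXIT 8
END
EXIT 0

check: PROCEDURE EXPOSE rc      /* stop on any non-zero command rc  */
  PARSE ARG step
  IF rc <> 0 THEN DO
    SAY step "failed with rc=" rc "- stopping before the next step"
    EXIT rc
  END
RETURN
```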