Steps for migrating a certificate and its ICSF private key in the PKDS

Before you begin:
  • Both the source and target system must be configured to use ICSF and share the same ICSF PKA master key. The systems need not share the same RACF® database or the same ICSF PKDS.
  • A PCI-class cryptographic coprocessor must be operational and configured with the ICSF PKDS on each system (both the source and target system) when you specify the PKDS or PCICC operand of the RACDCERT GENCERT command. Otherwise, specify the ICSF operand.
  • To use your installation's ICSF facilities in Steps 1 and 6, you might need additional authority to ICSF resources. For information about these resources, see z/OS Cryptographic Services ICSF Administrator's Guide.
  • To extract ICSF private keys, you will need a non-RACF utility, such as KEYXFER. To download the KEYXFER utility, go to the z/OS UNIX System Services Tools and Toys web page.
Perform the following steps to generate a RACF certificate and its ICSF public/private key pair on system A (the source system), and migrate them to system B (the target system).
  1. Generate the certificate and its public/private key pair on system A.
    RACDCERT ID(SYSMAN) GENCERT SUBJECTSDN(CN('Secure Key'))
       WITHLABEL('SECURE.KEY') PKDS(*) SIZE(2048)

  2. Extract the certificate from RACF and store it in an MVS™ data set called 'MY.CERT'. (The ICSF private key is not extracted in this step.)
    RACDCERT ID(SYSMAN) EXPORT(LABEL('SECURE.KEY')) DSN(MY.CERT) FORMAT(CERTDER)

  3. Extract the encrypted private key from ICSF using a non-RACF utility, such as KEYXFER.

  4. Transmit both the key and certificate data sets to system B. This step completes your work on system A.

  5. Receive both the key and certificate data sets on system B.

  6. Add the encrypted private key to ICSF using a non-RACF utility, such as KEYXFER, specifying the desired PKDS label for the key on system B, 'MIGRATED.KEY'.

  7. Add the certificate to RACF using the same RACF and PKDS label you used in Step 6, 'MIGRATED.KEY'.
    RACDCERT ID(SYSMAN) ADD(MY.CERT) WITHLABEL('MIGRATED.KEY') PKDS(*)

  8. List the migrated certificate to verify that RACF found the private key and assigned the private key to the certificate.
    RACDCERT ID(SYSMAN) LIST(LABEL('MIGRATED.KEY'))
    Result: You should see information similar to the following at the end of the certificate listing:
    Key Type: RSA
    Key Size: 2048
    Private Key: YES
    PKDS Label: MIGRATED.KEY
    Ring Associations:
    *** No rings associated ***
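
    The following TSO/E REXX exec is an added example, not part of the IBM documentation: it runs Steps 7 and 8 on system B and then checks the trapped LIST output for the fields shown above, so the migration is verified by the script rather than by eye. It assumes the SYSMAN user ID, the MY.CERT data set and the MIGRATED.KEY label used in this procedure, RACDCERT authority for that user, and the TSO/E OUTTRAP function to capture command output.

```rexx
/* REXX - verify a migrated certificate on system B (added example)     */
/* Assumes: RACDCERT authority for SYSMAN, the certificate already      */
/* received in MY.CERT, and the private key loaded under PKDS label     */
/* MIGRATED.KEY (Step 6). Names are the ones used in this procedure.    */
id      = 'SYSMAN'
dsn     = 'MY.CERT'
label   = 'MIGRATED.KEY'
expSize = '2048'

/* Step 7: add the certificate, binding it to the PKDS label */
ADDRESS TSO
"RACDCERT ID("id") ADD("dsn") WITHLABEL('"label"') PKDS(*)"
IF rc <> 0 THEN DO
  SAY 'RACDCERT ADD failed, rc='rc
  EXIT rc
END

/* Step 8: trap the LIST output instead of letting it scroll by */
x = OUTTRAP('line.')
"RACDCERT ID("id") LIST(LABEL('"label"'))"
listRc = rc
x = OUTTRAP('OFF')
IF listRc <> 0 THEN DO
  SAY 'RACDCERT LIST failed, rc='listRc
  EXIT listRc
END

/* Pull the fields that should appear at the end of the listing */
keyType = ''; keySize = ''; privKey = ''; pkdsLbl = ''
DO i = 1 TO line.0
  PARSE VAR line.i tag ':' value
  tag = STRIP(tag); value = STRIP(value)
  SELECT
    WHEN tag = 'Key Type'    THEN keyType = value
    WHEN tag = 'Key Size'    THEN keySize = value
    WHEN tag = 'Private Key' THEN privKey = value
    WHEN tag = 'PKDS Label'  THEN pkdsLbl = value
    OTHERWISE NOP
  END
END

/* The migration only succeeded if RACF found the key under our label */
ok = (privKey = 'YES') & (pkdsLbl = label) & (keySize = expSize)
IF ok THEN
  SAY 'OK: private key bound to' label '('keyType keySize')'
ELSE DO
  SAY 'FAIL: Private Key='privKey 'PKDS Label='pkdsLbl 'Key Size='keySize
  EXIT 8
END
EXIT 0
```

If Private Key shows NO, the PKDS label given in Step 6 did not match the label used in Step 7, or the key was not loaded under the shared PKA master key; recheck those steps before putting the certificate into a key ring.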

You have now generated a certificate and its ICSF public/private key pair on system A and migrated them to system B. Both system A and system B can now use the same certificate and key pair.