Parameters

Work_area

The name of a 1024-byte work area for SAF. The work area must be in the primary address space.

ALET

The name of a word containing the ALET for the following parameter. Each parameter must have an ALET specified. Each ALET can be different. The words containing the ALETs must be in the primary address space.

SAF_Return_Code

The name of a fullword in which the SAF router returns the SAF return code.

RACF_Return_Code

The name of a fullword in which the service routine stores the return code.

RACF_Reason_Code

The name of a fullword in which the service routine stores the reason code.

Number_parameters

Specifies the name of a fullword that contains the number of parameters that follow in the non-request specific portion of the R_PKIServ callable service invocation. If the CA_domain parameter is specified, Number_parameters must be set to 6. Otherwise, Number_parameters must be set to 5.

Function_code

The name of a 2-byte area containing the function code. The function code has one of the following values:

End user functions:

X'0001'-Generate a basic X.509V3 certificate using the application-provided data pointed to by the function-specific parameter list (Function name GENCERT).
X'0002'-Extract certificate by certificate request ID (Function name EXPORT).
X'0009'-Submit a request for a X.509V3 certificate using the application provided data pointed to by the function-specific parameter list. Similar to function 1, except that the request would be pending the approval of the PKI Services administrator (Function name REQCERT).
X'000A'-Verify that certificate was issued by this PKI Services CA and return certificate fields (Function name VERIFY).
X'000B'-Revoke a PKI Services certificate (Function name REVOKE).
X'000C'-Generate a renewal PKI Services certificate (Function name GENRENEW).
X'000D'-Request a renewal certificate from PKI Services (Function name REQRENEW).
X'000E' -Get an Online Certificate Status Protocol (OCSP) response from the PKI Services responder (Function name RESPOND).
X'000F' -Submit a request to PKI Services using SCEP (Function name SCEPREQ).
X'0011'-List certificates whose key pairs were generated by PKI services for a particular requester. The requester is identified by the email address and pass phrase provided when generating the certificates and key pairs. (Function name QRECOVER).

Administrative functions-

X'0003'-Query PKI Services for certificate requests (Function name QUERYREQS).
X'0004'-Get detailed information pertaining to one PKI Services certificate request (Function name REQDETAILS).
X'0005'-Modify PKI Services certificate requests (Function name MODIFYREQS).
X'0006'-Query PKI Services issued certificates (Function name QUERYCERTS).
X'0007'-Get detailed information pertaining to one PKI Services issued certificate (Function name CERTDETAILS).
X'0008'-Modify PKI Services issued certificates (Function name MODIFYCERTS).
X'0010'-Preregister a user (Function name PREREGISTER).

Attributes

The name of a 4-byte area containing bit settings that direct the function to be performed. This is a reserved field that must be specified. The bit settings are mapped as follows:

Functions GENCERT (X'0001')
- - x'80000000' - Do not return control until the certificate has been generated. The request will be purged if unsuccessful for any reason.
- - x'C0000000' - Indicate the request is an Enrollment over Secure Transport (EST) request.
- - x'E0000000' - Indicate the request is an Enrollment over Secure Transport (EST) request that needs to have a preregistration record.
GENRENEW (X'000C')
- - x'40000000' - Indicate the request is an Enrollment over Secure Transport (EST) request.
Functions EXPORT (X'0002')
- - x'80000000' - Indicate a DER-encoded PKCS#7 package which only contains the end-entity certificate is to be returned for Enrollment over Secure Transport (EST) request.
All other bit positions are reserved and must be set to zero.

Log_string

The name of an area that consists of a 1-byte length field followed by character data to be included in any audit records that are created as a result of the R_PKIServ invocation. The first eight bytes of the Log_string data specified on a GENCERT and RENEW request is also used as application data(ApplData) to be stored with the certificate. If not specified, the length must equal 0.

Parmlist_version

The name of a 4-byte input value which contains the version number for the following input field, Function_parmlist. To take full advantage of the support provided by this release, this field should be set to 1 for the EXPORT, Start of change

QUERYCERTS, and CERTDETIALS functions, and should be set to 2 for the End of change

MODIFYCERTS and MODIFYREQS functions. For all other functions this field must be set to 0.

Function_parmlist

Specifies the name of the function code specific parameter list for the Function_code specified:

Table 1. Function_parmlist for GENCERT
Field	Attributes	Usage	Description
Eyecatcher	8 characters	In	Eyecatcher, 8 characters left-aligned blank filled. Actual value set by invoker, for example 'GENCERT'.
CertPlistLen	4-byte length	In	Describes the length in bytes of the certificate generation plist.
CertPlist	Address of	In	The name of the area which is the CertGen request parameter list. This area maps the specific name, length, address/data values which are used in satisfying the certificate request for the specified user. Also, see Table 2.
Certid	Address of	In/Out	Points to a 57-byte area, in which the first byte will contain the actual length on return of the certificate request ID. The storage address specified must be obtained by the caller, and freed by the caller. The returned certificate request ID is used to extract the completed certificate, if the request has been accepted by RACF®.

The GENCERT and REQCERT functions have in essence two connected parameter list areas; the function-specific parameter list as defined above and the CertGen request parameter list (CertPlist) containing specific certificate field information. CertPlist is a list of ordered triplets that consists of name, length, and data value. The field name is a fixed 12-character field, case sensitive, left-aligned, and padded with blanks. The length field is a binary 4-byte value, which qualifies the length of the data item. Note that all data values are EBCDIC character data unless otherwise indicated. The following table describes the valid certificate request fields:

Table 2. CertPlist for GENCERT and REQCERT
Field name	Max length	Description
DiagInfo	80 bytes (exactly)	EyeCatcher to identify this request in virtual storage for diagnostic reasons. For certificate generation warnings and errors, RACF will update the field with diagnostic information. The length will be updated as well. Required field must be the first field in the CertPlist.
SerialNumber	64 bytes	Serial number, or registration number, of the subject device. Optional. No default. Only valid with PKI Services requests.
UnstructAddr	64 bytes	Unstructured address of the subject device. Optional. No default. Only valid with PKI Services requests.
UnstructName	64 bytes	Unstructured name of the subject device. Optional. No default. Only valid with PKI Services requests.
EmailAddr	64 bytes	Subject’s email address for distinguished name EMAIL= attribute. Optional. No default. Only valid with PKI Services requests.
Mail or Email	64 bytes	Subject’s email address for distinguished name MAIL= attribute. Optional. No default. Only valid with PKI Services requests. (Field name “Email” is deprecated, use “Mail”)
DNQualifier	64 bytes	Subject’s Distinguished Name Qualifier. Optional. No default. Only valid with PKI Services requests.
Uid	64 bytes	Subject’s login ID. Optional. No default. Only valid with PKI Services requests.
CommonName	64 bytes	Subject's common name. Optional. No default, except in the following situation: If specified with a null value (length 0). RACF will use the PGMRNAME field from the RACF user profile as determined by the User ID field for this request. If PGMRNAME is null, the common name will be of the form of RACF UserID:(user's-racf-identify), for example RACF UserID:JSWEENY
Title	64 bytes	Subject's Title. Optional. No default.
DomainName	64 bytes	Subject’s Domain Name containing all the domain components in the form of domain-component-1.domain-component-2.domain-component-3…domain-component-n. Optional. No default. Only valid with PKI Services requests.
OrgUnit	64 bytes	Subject's Organizational Unit. Note that this field may be repeated. RACF concatenates in the order of appearance to construct the hierarchy of organizational units. Optional. No default.
Org	64 bytes	Subject's Organization. Optional. No default.
Street	64 bytes	Subject's street address. Optional. No default. Only valid with PKI Services requests.
Locality	64 bytes	Subject's City or Locality. Optional. No default.
StateProv	64 bytes	Subject's State/Providence. Optional. No default.
PostalCode	64 bytes	Subject's postal code or postal code. Optional. No default. Only valid with PKI Services requests.
Country	2 bytes	Subject's Country. Optional. No default.
KeyUsage	20 bytes	One of 'handshake' \| 'dataencrypt' \| 'certsign' \| 'docsign' \| 'digitalsignature' \| 'digitalsig' \| 'nonrepudiation' \| 'keyencipherment' \| 'keyenciph' \| 'keyencrypt' \| 'dataencipherment' \| 'dataenciph' \| 'keyagreement' \| 'keyagree' \| 'keycertsign' \| 'crlsign' (not case sensitive, no quotes). Note that this field may be repeated to request multiple usages. Optional. No default.
ExtKeyUsage	20 bytes	One of 'serverauth' \| 'clientauth' \| 'codesigning' \| 'emailprotection' \| 'timestamping' \| 'ocspsigning' \| 'mssmartcardlogon' \| 'cmcca' \| 'cmcra' \| 'cmcas' \| 'pkinitkdc' \| 'pkinitclientauth' (not case sensitive, no quotes). Note this field may be repeated to request multiple usages. Optional. No default. Only valid with PKI Services requests.
NotBefore	2 bytes	Number of days from today's date that the certificate becomes valid. Range 0-30. Validity checked by RACF. Optional. Default is 0.
NotAfter	4 bytes	Number of days from today's date that the certificate expires. Range 1–9999. The number of days in the validity period is calculated as NotAfter minus NotBefore, therefore the NotAfter value must be greater than the NotBefore value. Validity checked by RACF. Optional. Default is 365.
AltIPAddr	45 bytes	IP address in IPv4 or IPv6 format for subject alternate name extension. Optional. No default. Note that this field may be repeated in the PKI Services requests.
AltURI	255 bytes	Uniform Resource Identifier for subject alternate name extension. Optional. No default. Note that this field may be repeated in the PKI Services requests.
AltEmail	100 bytes	Email address for subject alternate name extension. Optional. No default. Note that this field may be repeated in the PKI Services requests.
AltDomain	100 bytes	Domain Name for subject alternate name extension. Optional. No default. Note that this field may be repeated in the PKI Services requests.
AltOther	255 bytes	Other Name for subject alternate name extension. Optional. No default. Only valid with PKI Services requests.
NotifyEmail	64 bytes	Email address for notification purposes. Its value is copied from the Requestor field when Keysize is specified. Optional. No default. Only valid with PKI Services requests.
PublicKey	65535 bytes	PKCS #10 or Netscape Navigator certificate request or CMP CertReqMsg structure containing the public key to be certified. This is base 64 encoded DER. Required field if KeySize is not specified.
KeySize	4 bytes	Size of the key in bits if key pair is to be generated by PKI services. Range 512–4096 for RSA keys; For NISTECC keys: 192, 224, 256, 384 and 521; for BPECC keys: 160, 192, 224, 256, 320, 384 and 512. Required field if PublicKey is not specified. Only valid with PKI Services requests.
KeyAlg	10 bytes	Algorithm of the key if the key pair is to be generated by PKI Services. The acceptable values are ‘RSA’, ‘NISTECC’ and ‘BPECC’. Optional. Default to RSA. Only valid with PKI Services requests.
SignWith	45 bytes	For SAF this is the label of z/OS® certificate authority certificate to sign the completed certificate request. Format: SAF:CERTAUTH/<ca-cert-label> or SAF:/<ca-cert-label>, where ca-cert-label is the certificate label under CERTAUTH or the caller's User ID. May also be used to indicate that PKI Services should process the request rather than SAF. In this case, the format is PKI: (exactly 4 characters). Required field.
HostIdMap	100 bytes	HostIdMapping extension entry in the form of an email address, for example, gumby@plpsc.pok.ibm.com. The rightmost '@' is used to delineate the subjectId from the hostName. Optional. No default. Only valid with PKI Services requests. Note that this field may be repeated.
Requestor	32 bytes	Name of the person submitting the request. If KeySize is specified, this is a required field in the form of an email address. Otherwise, it is an optional field derived from the UnstructuredName if not specified. If UnstructName is not specified, Requestor will be derived from CommonName. If CommonName is also not specified, Requestor will be derived from the first RDN of the subject's name. Only valid with PKI Services requests.
PassPhrase	32 bytes	Value to be used for challenge or response when retrieving the certificate through function EXPORT. If KeySize is specified, this is a required field. Otherwise, it is optional. No default. Only valid with PKI Services requests.
UserId	8 bytes	Subject's RACF UserID. If not specified, the User ID is taken from the ACEE. For SAF requests, this is the User ID that will own the certificate. For SAF requests, this is the User ID that will own the certificate. For PKI requests, the User ID is used only to determine the Common Name when CommonName is specified without a value.
Label	32 bytes	Up to 32 mixed case characters that may be used as the 'handle'. Optional. Default is that one will be generated and added to the user's list of certificates. Only valid with SAF requests.
CertPolicies	32 bytes	Blank-separated array of non-repeating policy numbers, range 1 - 99, for the CertificatePolicies extension. These correspond to the policy numbers defined during PKI Services configuration. Each value must be one or two digits with no leading zeros. Optional. No default. Only valid with PKI Services requests.
AuthInfoAcc	255 bytes	A comma-separated two-part string specifying information used to create the AuthorityInfoAccess extension. The two-part string identifies the accessMethod and accessLocation. The accessMethod is one of 'OCSP' \| 'IdentrusOCSP' (not case sensitive, no quotes). The accessLocation is a URI in the form URI=access-url or URL=access-url. Optional. No default. Only valid with PKI Services requests. Note that this field may be repeated.
Critical	32 bytes	Name of a certificate extension to be marked critical. One of 'BasicConstraints' \| 'KeyUsage' \| 'ExtKeyUsage' \| 'SubjectAltName' \| 'AltEmail' \| 'AltIPAddr' \| 'AltDomain' \| 'AltURI' \| 'HostIdMappings' \| 'HostIdMap' \| 'CertificatePolicies' \| 'CertPolicies' (not case sensitive, no quotes). Optional. The BasicConstraints and KeyUsage extensions are always marked critical even if not specified. Only valid with PKI Services requests. Note this field may be repeated.
CustomExt	1024 bytes	Customized extension in the form of a comma-separated four-part string. The first part is the OID of the extension. The second part is the critical flag – ‘C’(critical) or ‘N’(non-critical), the third part is the encode type – ‘INT’(integer), ‘IA5’(IA5 string), ‘PRT’(printable string), ‘BMP’(BMP string) , ‘OCT’(Octet string) or ‘UTF’(UTF8 string), the last part is the value. The critical flag and the encode type are not case sensitive. Note ‘C’(critical) is allowed only if KeySize is not specified. Optional. No default. Only valid with PKI Services requests. This field may be repeated. For more information, see Forming the CustomExt value for CertPlist for the R_PKIServ callable service in z/OS Cryptographic Services PKI Services Guide and Reference.
BusinessCat	64 bytes	Subject's business category. Optional. No default. Only valid with PKI Services requests. Note: It is recommended that this field be used only in requests for Extended Verification certificates.
JurCountry	2 bytes	Subject's Jurisdiction Country. Optional. No default. Only valid with PKI Services requests. Note: It is recommended that this field be used only in requests for Extended Verification certificates.
JurStateProv	64 bytes	Subject's Jurisdiction State/Province. Optional. No default. Only valid with PKI Services requests. Note: It is recommended that this field be used only in requests for Extended Verification certificates.
JurLocality	64 bytes	Subject's Jurisdiction Locality. Optional. No default. Only valid with PKI Services requests. Note: It is recommended that this field be used only in requests for Extended Verification certificates.

Table 3. Function_parmlist for EXPORT
Field	Attributes	Usage	Description
Eyecatcher	8 characters	In	Eyecatcher, 8 characters left-aligned blank filled. Actual value set by invoker, for example 'EXPORT'.
CertAnchorLen	4-byte length	In/Out	4-byte area that is the length of the pre-allocated storage of the Cert Anchor area on input to EXPORT. RACF will update this value with the actual length of the certificate returned. If the storage area as specified by the cert anchor address is too small, RACF will set a failing return or reason code and update the length field to the size required. The caller must allocate a larger area.
CertAnchor	Address of	In/Out	The address of the storage area in which the R_PKIServ service stores the certificate that is specified by the CertID parameter if the service was able to successfully retrieve the completed certificate. If the caller has supplied an area that is too small, (based in the CertAnchorLen), this service fails the request, and updates the CertAnchorLen field to indicate the actual storage required to store the certificate.
CertId	Address of	In	Points to a 57-byte area, in which the first byte will contain the actual length of the input certificate request ID or serial number that will be used to locate the certificate to be exported. For PKI Services requests where PassPhrase was specified on the GENCERT, the user-provided pass phrase must be appended to the actual CertId value and included here. The leading length byte must account for the additional length. For PKI Services requests where SCEP is enabled in the PKI Services daemon, the constant value “PKICACERT” can be specified to retrieve the CA certificate or CA/RA certificate pair. No PassPhrase is used in this case. For PKI Services where Enroll Over Secure Transport (EST) is enabled in the PKI Services daemon, the constant value "PKICACHAIN" can be specified to retrieve the CA certificate and its issuing certificates. No PassPhrase is used in this case. If the KeyID value is specified, a serial number is expected instead of a request ID. The serial number is a 16-byte value in the form of printable EBCDIC (HEX) with leading 0's (for example, 0000000000001A5F).
KeyId	Address of	In	Points to a 41-byte area. The first byte will contain the length of the KeyId. The KeyID value, which is a 40-byte hash of the public key generated by PKI Services, will begin at the second byte of this value. When exporting a recovery certificate for a PKI Services key generated certificate, the value of the first bye must be 40 (hexadecimal value 28). The 40-byte KeyId value must start in the second byte of this area. The minimum Parmlist_Version value to make use of this function is 1. When exporting a previously exported certificate, the value of the first bye must be 40 (hexadecimal value 28). A KeyId value comprised of 40 bytes of zero (hexadecimal value 0) must follow, beginning at the second byte of this area. The minimum Parmlist_Version value to make use of this function is 2. In all other cases, the value of the first byte must be zero.

Table 4. Function_parmlist for QUERYREQS
Field	Attributes	Usage	Description
Eyecatcher	8 characters	In	Eyecatcher, 8 characters left-aligned blank filled. Actual value set by invoker, for example, ' QUERYRQS '
ResultsListLen	4-byte length	In/Out	4–byte area that is the length of the pre-allocated storage of the Results List area on input to QUERYREQS. RACF will update this value with the actual length of the data returned. If the storage area as specified by the Results List address is too small, RACF will set a failing return or reason code and update the length field to the size required. The caller must allocate a larger area.
ResultsList	Address of	In/Out	The address of the storage area in which the R_PKIServ service stores the results of the query if the service was able to successfully retrieve the data. If the caller has supplied an area that is too small, (based in the ResultsListLen), this service fails the request, and updates the ResultsListLen field to indicate the actual storage required to store the data.
CertId	Address of	In	Points to a 57-byte area, in which the first byte will contain the actual length of the input certificate request ID that will be used as a starting point for this query. Only requests located after this request will be returned. If the first byte is zero (x'00'), then the query will start with the first request.
NumEntries	4-byte numeric	In/Out	Input value indicating the maximum number of entries that should be returned in the ResultsList area. Zero indicates no limit. Updated to indicate the number of entries actually returned.
CriteriaStatus	4-byte numeric	In	Value indicating the request status to use as search criteria. X'00000000' - return all requests, X'00000001' - return requests pending approval only, X'00000002' - return requests that have been approved only, X'00000003' - return completed requests only, X'00000004 - return all rejected requests only, X00000005 - return rejected requests in which the client has been notified only, X'00000006' - return preregistered requests only.
CriteriaDays	4-byte numeric	In	Value indicating the recent activity time period to use as additional search criteria. The time period is the number of days in the past that should be scanned for requests that have been created or modified. If zero (x'00000000'), recent activity will not be used as additional search criteria.
CriteriaName	Address of	In	Points to a 33-byte area, in which the first byte will contain the actual length of the input requestor's name to be used as additional search criteria. If the first byte is zero (x'00'), then the requestor's name will not be used as additional search criteria.

The QUERYREQS function returns results in the ResultsList area provided by the caller. The ResultsList has the following format:

Table 5. ResultsList for QUERYREQS
Length	Value
1-byte length	Entry 1's certificate request ID, max 56 bytes
1-byte length	Entry 1's requestor's name, max 32 bytes
1-byte length	Entry 1's subject's distinguished name, max 255 bytes
1-byte length	Entry 1's issuer's distinguished name, max 255 bytes
1-byte length	Entry 1's validity period in local time. Format YYYY/MM/DD HH:MM:SS - YYYY/MM/DD HH:MM:SS. Zero bytes for requests with a status of “Preregistered”, otherwise exactly 41 bytes.
1-byte length	Entry 1's keyUsage value, max 64 bytes (one or more of 'handshake' \| 'dataencrypt' \| 'certsign' \| 'docsign' \| 'digitalsig' \| 'keyencrypt' \| 'keyagree' \| 'keycertsign' \| 'crlsign' or "not specified" )
1-byte length	Entry 1's status, max 32 bytes (one of "Preregistered", "Pending Approval", "Approved", "Completed", "Rejected", or "Rejected, User Notified")
1-byte length	Entry 1's creation date in YYYY/MM/DD form, exactly 10 bytes
1-byte length	Entry 1's last modified date in YYYY/MM/DD form, exactly 10 bytes
1-byte length	Entry 1's ApplData value from the GENCERT or REQCERT invocation, max 8 bytes
1-byte length	Entry 1's serial number if certificate has been issued, max 16 bytes
1-byte length	Entry 1's previous serial number if this is a renewal request, max 16 bytes
1-byte length	Entry 1's ExtKeyUsage value, max 255 bytes (one or more of 'serverauth' \| 'clientauth' \| 'codesigning' \| 'emailprotection' \| 'timestamping' \| 'ocspsigning' \| 'mssmartcardlogon' \| 'cmcca' \| 'cmcra' \| 'cmcas' \| 'pkinitkdc' \| 'pkinitclientauth' or "not specified").
1-byte length	Entry 1's query timestamp. Format YYYY/MM/DD HH:MM:SS, 19 bytes
1-byte length	Entry 1's required number of approvals, 2 bytes. The following entries of approver, action and timestamp will be repeated for the same number of times as the required number of approvals
1-byte length	Entry 1's first approver RACF User ID, max 8 bytes
1-byte length	Entry 1's first action performed, one of 'approved' \| 'approved with modification' \| 'rejected'
1-byte length	Entry 1's first approval timestamp with format YYYY/MM/DD HH:MM:SS, 19 bytes
…	…
1-byte length	Entry 1's last approver RACF User ID, max 8 bytes
1-byte length	Entry 1's last action performed, one of 'approved' \| 'approved with modification' \| 'rejected'
1-byte length	Entry 1's last approval timestamp with format YYYY/MM/DD HH:MM:SS, 19 bytes
1-byte length	Entry 2's certificate request ID, max 56 bytes
1-byte length	Entry 2's requestor's name, max 32 bytes
1-byte length	Entry 2's subject's distinguished name, max 255 bytes
1-byte length	Entry 2's issuer's distinguished name, max 255 bytes
1-byte length	Entry 2's validity period in local time. Format YYYY/MM/DD HH:MM:SS - YYYY/MM/DD HH:MM:SS. Zero bytes for requests with a status of “Preregistered”, otherwise exactly 41 bytes.
1-byte length	Entry 2's keyUsage value, max 64 bytes (one or more of 'handshake' \|'dataencrypt \|, 'certsign' \|'docsign' \|'digitalsig' \| 'keyencrypt' \| 'keyagree' \| 'keycertsign' \| 'crlsign' or "not specified")
1-byte length	Entry 2's status, max 32 bytes (one of "Preregistered", "Pending Approval", "Approved", "Completed", "Rejected", or "Rejected, User Notified")
1-byte length	Entry 2's creation date in YYYY/MM/DD form, exactly 10 bytes
1-byte length	Entry 2's last modified date in YYYY/MM/DD form, exactly 10 bytes
1-byte length	Entry 2's ApplData value from the GENCERT or REQCERT invocation, max 8 bytes
1-byte length	Entry 2's serial number if certificate has been issued, max 16 bytes
1-byte length	Entry 2's previous serial number if this is a renewal request, max 16 bytes
1-byte length	Entry 2's ExtKeyUsage value, max 255 bytes (one or more of 'serverauth' \| 'clientauth' \| 'codesigning' \| 'emailprotection' \| 'timestamping' \| 'ocspsigning' \| 'mssmartcardlogon' \| 'cmcca' \| 'cmcra' \| 'cmcas' \| 'pkinitkdc' \| 'pkinitclientauth' or "not specified").
1-byte length	Entry 2's query timestamp. Format YYYY/MM/DD HH:MM:SS, 19 bytes
1-byte length	Entry 2's required number of approvals, 2 bytes. The following entries of approver, action and timestamp will be repeated for the same number of times as the required number of approvals
1-byte length	Entry 2's first approver RACF User ID, max 8 bytes
1-byte length	Entry 2's first action performed, one of 'approved' \| 'approved with modification' \| 'rejected'
1-byte length	Entry 2's first approval timestamp with format YYYY/MM/DD HH:MM:SS, 19 bytes
…	…
1-byte length	Entry 2's last approver RACF User ID, max 8 bytes
1-byte length	Entry 2's last action performed, one of 'approved' \| 'approved with modification' \| 'rejected'
1-byte length	Entry 2's last approval timestamp with format YYYY/MM/DD HH:MM:SS, 19 bytes

⋮

Length, continued	Value, continued
1-byte length	Entry n's certificate request ID, max 56 bytes
1-byte length	Entry n's requestor's name, max 32 bytes
1-byte length	Entry n's subject's distinguished name, max 255 bytes
1-byte length	Entry n's issuer's distinguished name, max 255 bytes
1-byte length	Entry n's validity period in local time. Format YYYY/MM/DD HH:MM:SS - YYYY/MM/DD HH:MM:SS. Zero bytes for requests with a status of “Preregistered”, otherwise exactly 41 bytes.
1-byte length	Entry n's keyUsage value, max 64 bytes (one or more of 'handshake' \|'dataencrypt' \|'certsign' \|'docsign' \|'digitalsig' \| 'keyencrypt' \| 'keyagree' \| 'keycertsign' \| 'crlsign' or "not specified")
1-byte length	Entry n's status, max 32 bytes (one of "Preregistered", "Pending Approval", "Approved", "Completed", "Rejected", or "Rejected, User Notified")
1-byte length	Entry n's creation date in YYYY/MM/DD form, exactly 10 bytes
1-byte length	Entry n's last modified date in YYYY/MM/DD form, exactly 10 bytes
1-byte length	Entry n's ApplData value from the GENCERT or REQCERT n's last modified date in YYYY/MM/DD invocation, max 8 bytes
1-byte length	Entry n's serial number if certificate has been issued, max 16 bytes
1-byte length	Entry n's previous serial number if this is a renewal request, max 16 bytes
1-byte length	Entry n's ExtKeyUsage value, max 255 bytes (one or more of 'serverauth' \| 'clientauth' \| 'codesigning' \| 'emailprotection' \| 'timestamping' \| 'ocspsigning' \| 'mssmartcardlogon' \| 'cmcca' \| 'cmcra' \| 'cmcas' \| 'pkinitkdc' \| 'pkinitclientauth' or "not specified").
1-byte length	Entry n's query timestamp. Format YYYY/MM/DD HH:MM:SS, 19 bytes
1-byte length	Entry n's required number of approvals, 2 bytes. The following entries of approver, action and timestamp will be repeated for the same number of times as the required number of approvals
1-byte length	Entry n's first approver RACF User ID, max 8 bytes
1-byte length	Entry n's first action performed, one of 'approved' \| 'approved with modification' \| 'rejected'
1-byte length	Entry n's first approval timestamp with format YYYY/MM/DD HH:MM:SS, 19 bytes
…	…
1 byte length	Entry n's last action performed, one of 'approved' \| 'approved with modification' \| 'rejected'
1 byte length	Entry n's last approver RACF User ID, max 8 bytes
1 byte length	Entry n's last action performed, one of 'approved' \| 'approved with modification' \| 'rejected'
1 byte length	Entry n's last approval timestamp with format YYYY/MM/DD HH:MM:SS, 19 bytes

Table 6. Function_parmlist for REQDETAILS
FIELD	ATTRIBUTES	USAGE	DESCRIPTION
Eyecatcher	8 characters	In	Eyecatcher, 8 characters left-aligned blank filled. Actual value set by invoker, for example, ' REQDTAIL'
SumListLen	4-byte length	In/Out	4-byte area that is the length of the pre-allocated storage of the Summary List area on input to REQDETAILS. RACF will update this value with the actual length of the data returned. If the storage area as specified by the Summary List address is too small, RACF will set a failing return/reason code and update the length field to the size required. The caller must allocate a larger area.
SumList	Address of	In/Out	The address of the storage area in which the R_PKIServ service stores the results of the query if the service was able to successfully retrieve the data. If the caller has supplied an area which is too small, (based in the SummaryListLen), this service fails the request, and updates the SummaryListLen field to indicate the actual storage required to store the data. Also, see Table 7.
CertPlistLen	4-byte length	In/Out	4-byte area that is the length of the pre-allocated storage of the certificate generation plist area on input to REQDETAILS. RACF will update this value with the actual length of the data returned. If the storage area as specified by the Results List address is too small, RACF will set a failing return/reason code and update the length field to the size required. The caller must allocate a larger area.
CertPlist	Address of	In/Out	The address of the storage area in which the R_PKIServ service stores the results of the query if the service was able to successfully retrieve the data. If the caller has supplied an area which is too small, (based in the CertPlistLen), this service fails the request, and updates the CertPlistLen field to indicate the actual storage required to store the data. This area maps some of the specific name, length, address/data values which were used when generating the original certificate request on GENCERT. Also, see Table 8.
CertId	Address of	In	Points to a 57-byte area, in which the first byte will contain the actual length of the input certificate request ID from which details are to be extracted

The REQDETAILS function returns QUERYREQS style summary data in the SumList area provided by the caller. The SumList has the following format:

Table 7. SumList for REQDETAILS
Length	Value
1-byte length	Entry's certificate request ID, max 56 bytes
1-byte length	Entry's requestor's name, max 32 bytes
1-byte length	Entry's subject's distinguished name, max 255 bytes
1-byte length	Entry's issuer's distinguished name, max 255 bytes
1-byte length	Entry's validity period in local time. Format YYYY/MM/DD HH:MM:SS - YYYY/MM/DD HH:MM:SS. Zero bytes for requests with a status of “Preregistered”, otherwise exactly 41 bytes
1-byte length	Entry's keyUsage value, max 64 bytes (one or more of 'handshake'\| 'dataencrypt'\|, 'certsign'\| 'docsign' \| 'digitalsig' \| 'keyencrypt' \| 'keyagree' \| 'keycertsign' \| 'crlsign' or "not specified")
1-byte length	Entry's status, max 32 bytes (one of "Pending Approval", "Approved", "Completed", "Rejected", or "Rejected, User Notified")
1-byte length	Entry's creation date in YYYY/MM/DD form, exactly 10 bytes
1-byte length	Entry's last modified date in YYYY/MM/DD form, exactly 10 bytes
1-byte length	Entry's ApplData value from the GENCERT or REQCERT invocation, max 8 bytes
1-byte length	Entry's serial number if certificate has been issued, max 16 bytes
1-byte length	Entry's previous serial number if this is a renewal request, max 16 bytes
1-byte length	Entry's last action comment, max 64 bytes
1-byte length	Entry's pass phrase provided when the certificate request was made, max 32 bytes
1-byte length	Entry's notification email address, max 64 bytes
1-byte length	Entry's ExtKeyUsage value, max 255 bytes (one or more of 'serverauth' \| 'clientauth' \| 'codesigning' \| 'emailprotection' \| 'timestamping' \| 'ocspsigning' \| 'cmcca' \| 'cmcra' \| 'cmcas' \| 'pkinitkdc' \| 'pkinitclientauth' or "not specified").
1-byte length	Entry’s certificate request fingerprints - 40 byte SHA1 hash (printable EBCDIC) followed by 32 byte MD5 hash (printable EBCDIC), Exactly 72 bytes if available. Zero bytes if unavailable.
1–byte length	Entry’s certificate request fingerprints - 64 byte SHA256 hash (printable EBCDIC) followed by 128 byte SHA512 hash (printable EBCDIC). Exactly 192 bytes if available. Zero bytes if unavailable.
1–byte length	Entry’s request signature algorithm, max 32 bytes, one of 'sha-1WithRSAEncryption' , 'sha-224WithRSAEncryption' , 'sha-256WithRSAEncryption' , 'sha-384WithRSAEncryption' , 'sha-512WithRSAEncryption' , 'sha256WithRSAPSS' , 'sha-384WithRSAPSS' , 'sha-512WithRSAPSS' , 'md-5WithRSAEncryption' , 'md-2WithRSAEncryption' , 'id-dsa-with-sha1' , 'id-dsa-with-sha224' , 'id-dsa-with-sha256' , 'ecdsa-with-sha1' , 'ecdsa-with-sha224' , 'ecdsa-with-sha256' , 'ecdsa-with-sha384' or 'ecdsa-with-sha512'. Zero bytes if unavailable.
1–byte length	Entry’s Key type, max 16 bytes, one of 'RSA', 'DSA', 'BPECC' or 'NISTECC'. Zero bytes if unavailable.
1–byte length	Entry ’s Key size, max 8 bytes. Zero bytes if unavailable.
1–byte length	Entry's query timestamp. Format YYYY/MM/DD HH:MM:SS, 19 bytes
1–byte length	Entry's required number of approvals, 2 bytes. The following entries of approver, action, comment and timestamp will be repeated for the same number of times as the required number of approvals
1–byte length	Entry's first approver RACF User ID, max 8 bytes
1–byte length	Entry's first action performed, one of 'approved' \| 'approved with modification' \| 'rejected'
1–byte length	Entry's first approval timestamp with format YYYY/MM/DD HH:MM:SS, 19 bytes
1–byte length	Entry's first action comment. max 64 bytes.
…	…
1–byte length	Entry's last approver RACF User ID, max 8 bytes
1–byte length	Entry's last action performed, one of 'approved' \| 'approved with modification' \| 'rejected'
1–byte length	Entry's last approval timestamp with format YYYY/MM/DD HH:MM:SS, 19 bytes
1–byte length	Entry's last action comment. max 64 bytes.

Additionally, the REQDETAILS function returns GENCERT style certificate field name/value pairs in the CertPlist area. This is the list of fields that may be returned. They are also the fields that may be modified by function MODIFYREQS. The fields and their values are conditionally present, depending on the values of the original GENCERT request. Multiple OrgUnits and HostIdMaps are returned in the order they were originally specified. Fields other than OrgUnit and HostIdMap are not returned in any specific order. Like GENCERT, the CertPlist returned is a list of ordered triplets which consists of name, length and data value. The field name is a fixed 12-character field, case sensitive, left-aligned, and padded with blanks, the length field is a binary four byte value, which qualifies the length of the data item.

Note: All data values are EBCDIC character data unless otherwise indicated. Also, NotBefore and NotAfter are replaced with StartDate and EndDate.

Table 8. CertPlist for REQDETAILS
Field name	Max length	Description
SerialNumber	64 bytes	Serial number of the subject device or registration number of the subject.
UnstructAddr	64 bytes	Unstructured address of the subject device.
UnstructName	64 bytes	Unstructured name of the subject device.
EmailAddr	64 bytes	Subject’s email address for distinguished name EMAIL= attribute.
Mail	64 bytes	Subject’s email address for distinguished name MAIL= attribute.
DNQualifier	64 bytes	Subject’s Distinguished Name Qualifier.
Uid	64 bytes	Subject’s login ID.
CommonName	64 bytes	Subject's common name.
Title	64 bytes	Subject's title.
DomainName	64 bytes	Subject’s Domain Name containing all the domain components.
OrgUnit	64 bytes	Subject's Organization Unit. Note this field may be repeated.
Org	64 bytes	Subject's Organization.
Street	64 bytes	Subject's street address.
Locality	64 bytes	Subject's City or Locality.
StateProv	64 bytes	Subject's State or Province.
PostalCode	64 bytes	Subject's zip code or postal code.
Country	2 bytes	Subject's Country.
KeyUsage	20-bytes	KeyUsage extension entry. One of 'handshake' \| 'dataencrypt' \| 'certsign' \| 'docsign' \| 'digitalsig' \| 'keyencrypt' \| 'keyagree' \| 'keycertsign' \| 'crlsign (not case sensitive, no quotes). Note this field may be repeated.
ExtKeyUsage	20 bytes	One of 'serverauth' \| 'clientauth' \| 'codesigning' \| 'emailprotection' \| 'timestamping' \| 'ocspsigning' \|'mssmartcardlogon' \| 'cmcca' \| 'cmcra' \| 'cmcas' \| 'pkinitkdc' \| 'pkinitclientauth'. Note this field may be repeated.
StartDate	10 bytes	Data certificate becomes valid in YYYY/MM/DD form.
EndDate	10 bytes	Last date that the certificate is valid in YYYY/MM/DD form.
AltIPAddr	45 bytes	IP address in IPv4 or IPv6 format for subject alternative name extension. Note that this field may be repeated.
AltURI	255 bytes	Uniform Resource Identifier for subject alternative name extension. Note that this field may be repeated.
AltEmail	100 bytes	Email address for subject alternative name extension. Note that this field may be repeated.
AltDomain	100 bytes	Domain Name for subject alternative name extension. Note that this field may be repeated.
AltOther	255 bytes	Other Name for subject alternative name extension. Note this field may be repeated.
HostIdMap	100 bytes	HostIdMapping extension entry. Note this field may be repeated.
AutoRenew	1 byte	Indicates whether the automatic renewal of certificates is enabled. Either ‘Y’ or ‘N’ (case sensitive, no quotes).
CustomExt	1024 bytes	Customized extension in the form of a comma-separated four-part string. The first part is the OID of the extension, the second part is the critical flag – ‘C’(critical) or ‘N’(non-critical) , the third part is the encode type – ‘INT’(integer in printable hexadecimal format), ‘IA5’(IA5 string), ‘PRT’(printable string), ‘BMP’(BMP string) , ‘OCT’(Octet string) or ‘UTF’(UTF8 string), the last part is the value. Note that this field may be repeated.
BusinessCat	64 bytes	Subject's business category. Optional. No default. Only valid with PKI Services requests. Note: It is recommended that this field be used only in requests for Extended Verification certificates.
JurCountry	2 bytes	Subject's Jurisdiction Country. Optional. No default. Only valid with PKI Services requests. Note: It is recommended that this field be used only in requests for Extended Verification certificates.
JurStateProv	64 bytes	Subject's Jurisdiction State/Province. Optional. No default. Only valid with PKI Services requests. Note: It is recommended that this field be used only in requests for Extended Verification certificates.
JurLocality	64 bytes	Subject's Jurisdiction Locality. Optional. No default. Only valid with PKI Services requests. Note: It is recommended that this field be used only in requests for Extended Verification certificates.

Table 9. Function_parmlist for MODIFYREQS
Field	Attributes	Usage	Description
Eyecatcher	8 characters	In	Eyecatcher, 8 characters left-aligned blank filled. Actual value set by invoker, for example, ' MODREQS '
Action	4-byte value	In	4-byte binary value indicating the action to take against the requests. X'00000001' - Approve with possible modifications as specified X'00000002' - Reject X'00000003' -Delete from request database
Comment	Address of	In	Points to a 65-byte area, in which the first byte will contain the actual length of the comment associated with this action. If the first byte is zero (x'00'), no comment will be recorded.
CertIdsLen	4-byte length	In/Out	Describes the length in bytes of the input certificate request ID list. May be modified by RACF on output if a smaller list is being returned.
CertIds	Address of	In/Out	Points to an area containing 1 or more certificate request Ids that are to be modified by this request. Each certificate request ID occupies a maximum of 57 bytes, in which the first byte will contain the actual length of the certificate request ID. If any requests cannot be modified because their states or contents changed, or action performed by an unauthorized person, or the same person attempts to approve the same request more than once, RACF will return a shortened list containing those requested IDs that couldn't be modified. The ErrList field will contain the corresponding error description.
CertPlistLen	4-byte length	In	Describes the length in bytes of the certificate modification plist. A zero indicates no modification plist.
CertPlist	Address of	In	Points to the area which is the certificate modification parameter list. This area maps the specific name, length, address/data values which are used to replace the existing values in the certificate request. The format is the same as the Certificate Request Plist defined under GENCERT (DiagInfo must be the first field.), except that the modifiable fields are those listed. The certificate modification plist is optional and is valid for the "Approve" action only and only when the CertIds list contains exactly one Certificate ID. For all other cases, it is ignored. If no modification plist is specified for "Approve", the request is approved as is. See usage notes, 23, for a description of the processing that performed when a modification plist is specified.
ErrListLen	4-byte length	In/Out	The 4-byte length of the pre-allocated storage for the ErrList parameter. This value may be modified by RACF on output to reflect the total length of the data returned in the ErrList parameter for certain reason and return codes. See Table 6. If the value is zero upon input, the ErrList parameter will be ignored. The minimum Parmlist_Version for the use of this parameter is 1.
ErrList	Address of	In/Out	Points to a pre-allocated storage buffer that RACF will use to return error results for requests that could not be modified for certain reason and return codes. See Table 6. On output, each error result will occupy a maximum of 101 bytes; a 1-byte length field, followed by up to 100 bytes of error description text. Each error result corresponds to a certificate request ID returned in the CertIds parameter. This parameter is ignored if the ErrListLen parameter is set to a value of zero. The minimum Parmlist_version for the use of this parameter is 1
QueryTime	Address of	In	Points to a 20-byte area, in which the first byte is the length of a 19-byte value in the form of YYYY/MM/DD HH:MM:SS indicating the timestamp when the query was made before modification. If no value is supplied, the current time will be used. Only valid with action X'00000001' – Approve with possible modifications. The minimum Parmlist_version for the use of this parameter is 2.

The MODIFYREQS modification plist (CertPlist) Structure. Like GENCERT, the CertPlist is a list of ordered triplets which consists of name, length and data value. The field name is a fixed 12-character field, case sensitive, left-aligned, and padded with blanks, the length field is a binary four byte value, which qualifies the length of the data item. Note that all data values are EBCDIC character data unless otherwise indicated. Note that NotBefore and NotAfter are replaced with StartDate and EndDate. See GENCERT for more information about the other individual fields

Table 10. CertPlist for MODIFYREQS
Field name	Max length	Description
DiagInfo	80 bytes (exactly)	Diagnostic information area. Must be first field in the CertPlist. For certificate generation warnings and errors, RACF will update this field with diagnostic information. The length will be updated as well. Required field.
SerialNumber	64 bytes	Serial number of the subject device. Optional. No default.
UnstructAddr	64 bytes	Unstructured address of the subject device. Optional. No default.
UnstructName	64 bytes	Unstructured name of the subject device. Optional. No default.
EmailAddr	64 bytes	Subject’s email address for distinguished name EMAIL= attribute. Optional. No default.
Mail or Email	64 bytes	Subject’s email address for distinguished name MAIL= attribute. Optional. No default. (Field name “Email” is deprecated, use “Mail”)
DNQualifier	64 bytes	Subject’s Distinguished Name Qualifier. Optional. No default.
Uid	64 bytes	Subject’s login ID. Optional. No default.
CommonName	64 bytes	Subject's common name. Optional.
Title	64 bytes	Subject's title. Optional.
DomainName	64 bytes	Subject’s Domain Name containing all the domain components in the form of domain-component-1.domain-component-2.domain-component-3…domain-component-n. Optional. No default.
OrgUnit	64 bytes	Subject's Organizational Unit. Note this field may be repeated. Optional.
Org	64 bytes	Subject's Organization. Optional.
Street	64 bytes	Subject's street address. Optional
Locality	64 bytes	Subject's City or Locality. Optional.
StateProv	64 bytes	Subject's State or Province. Optional.
PostalCode	64 bytes	Subject's Zip or postal code. Optional.
Country	2 bytes	Subject's Country. Optional.
KeyUsage	20 bytes	KeyUsage extension entry. One of 'handshake' \| 'dataencrypt' \| 'certsign' \| 'docsign' 'digitalsignature' \| 'digitalsig' \| 'nonrepudiation' \| 'keyencipherment' \| 'keyenciph' \| 'keyencrypt' \| 'dataencipherment' \| 'dataenciph' \| 'keyagreement' \| 'keyagree' \| 'keycertsign' \| 'crlsign' (not case sensitive, no quotes). Note this field may be repeated. Optional.
ExtKeyUsage	20 bytes	One of 'serverauth' \| 'clientauth' \| 'codesigning' \| 'emailprotection' \| 'timestamping' \| 'ocspsigning' \| 'mssmartcardlogon' \| 'cmcca' \| 'cmcra' \| 'cmcas' \| 'pkinitkdc' \| 'pkinitclientauth' (not case sensitive, no quotes). Note this field may be repeated to request multiple usages. Optional, no default.
StartDate	10 bytes	Date certificate becomes valid in YYYY/MM/DD form. Must be a valid date within the range 1970/01/01 through 9997/12/31. Required.
EndDate	10 bytes	Last date that the certificate is valid in YYYY/MM/DD form. Must be a valid date within the range of today through 9997/12/31 and must not be before StartDate. Required.
AltIPAddr	45 bytes	IP address in IPv4 or IPv6 format for subject alternative name extension. Optional. There is no default. Note that this field may be repeated.
AltURI	255 bytes	Uniform Resource Identifier for subject alternative name extension. Optional. There is no default. Note that this field may be repeated.
AltEmail	100 bytes	Email address for subject alternative name extension. Optional. There is no default. Note that this field may be repeated.
AltDomain	100 bytes	Domain Name for subject alternative name extension. Optional. There is no default. Note that this field may be repeated.
AltOther	255 bytes	Other Name for subject alternative name extension. Optional. There is no default. Note this field may be repeated.
HostIdMap	100 bytes	HostIdMapping extension entry. Note this field may be repeated. Optional.
CertPolicies	32 bytes	Blank separated array of non-repeating policy numbers, range 1 - 99, for the CertificatePolicies extension. These correspond to the policy numbers defined during PKI Services configuration. Each value must be one or two digits with no leading zeros. Optional, no default.
AuthInfoAcc	255 bytes	A comma separated two part string specifying information used to create the AuthorityInfoAccess extension. The two part string identifies the accessMethod and accessLocation. The accessMethod is one of 'OCSP' \| 'IdentrusOCSP' (not case sensitive, no quotes). The accessLocation is a URI in the form URI=access-url or URL=access-url. Optional, no default. Note this field may be repeated.
Critical	32 bytes	Name of a certificate extension to be marked critical. One of 'BasicConstraints' \| 'KeyUsage' \| 'ExtKeyUsage' \| 'SubjectAltName' \| 'AltEmail' \| 'AltIPAddr' \| 'AltDomain' \| 'AltURI' \| 'HostIdMappings' \| 'HostIdMap' \| 'CertificatePolicies' \| 'CertPolicies' (not case sensitive, no quotes). Optional. The BasicConstraints and KeyUsage extensions are always marked critical even if not specified. Note this field may be repeated.
AutoRenew	1 byte	Indicates whether the automatic renewal of certificates is enabled. Either ‘Y’ or ‘N’ (not case sensitive, no quotes). Optional. There is no default.
CustomExt	1024 bytes	Customized extension in the form of a comma-separated four-part string. The first part is the OID of the extension, the second part is the critical flag – ‘C’(critical) or ‘N’(non-critical) , the third part is the encode type – ‘INT’(integer), ‘IA5’(IA5 string), ‘PRT’(printable string), ‘BMP’(BMP string) , ‘OCT’(Octet string) or ‘UTF’(UTF8 string), the last part is the value. Note 1: The value specified for the INT type is a string of printable hexadecimal characters. If the number of characters is odd, the high order bit of the first character is propagated in the encoded value. Note 2: The critical flag and the encode type are not case sensitive. ‘C’(critical) is allowed only if KeySize is not specified. Optional. No default. Only valid with PKI Services requests. Note that this field may be repeated.

Table 11. Function_parmlist for QUERYCERTS
Field	Attributes	Usage	Description
Eyecatcher	8 characters	In	Eyecatcher, 8 characters left-aligned blank filled. Actual value set by invoker, for example, ' QUERYCTS '
ResultsListLen	4-byte length	In/Out	4-byte area that is the length of the pre-allocated storage of the Results List area on input to QUERYCERTS. RACF will update this value with the actual length of the data returned. If the storage area, as specified by the Results List address is too small, RACF sets a failing return/reason code and update the length field to the size required. The caller must allocate a larger area.
ResultsList	Address of	In/Out	The address of the storage area in which the R_PKIServ service stores the results of the query if the service was able to successfully retrieve the data. If the caller has supplied an area which is too small, (based in the ResultsListLen), this service fails the request, and updates the ResultsListLen field to indicate the actual storage required to store the data. Also, see Table 12.
SerialNum	Address of	In	Points to a 17-byte area, in which the first byte will contain the actual length of the input certificate serial number that will be used as a starting point for this query. Only certificates located after this certificate will be returned. If the first byte is zero (x'00'), the query will start with the first request. The serial number is in printable EBCDIC (HEX) form for example, "01A6",
NumEntries	4-byte numeric	In/Out	Input value indicating the maximum number of entries that should be returned in the ResultsList area. Zero indicates no limit. Updated to indicate the number of entries actually returned.
CriteriaStatus	4-byte numeric	In	Value indicating the certificate status to be used as search criteria. X'00000000' - return all issued certificates, X'00000001' - return revoked certificates only, X'00000002' -return expired certificates only, X'00000003' - return non-expired, non-revoked certificates only, that is, active certificates, X'00000004' - return non-expired revoked or suspended certificates only, that is, CRL certificates, X'00000005' - return suspended certificates only, X'00000006' - return active certificates enabled for auto renewal, X'00000007' - return active certificates capable for auto renewal but disabled. X'00000008' - return active certificates that cannot be renewed due to a change of email address.
CriteriaDays	4-byte numeric	In	Value indicating the recent activity time period or the certificate expiry period to be used as additional search criteria. A positive value indicates the number of days in the past that should be scanned for certificates that have been created or modified. A negative value indicates the numbers of days in the future that should be scanned for certificates that will expire within that period. A negative value is valid only if the CriteriaStatus is X’00000003’, X’00000006’, X’00000007’, or X’00000008’. If it is zero (x’00000000’), recent activity and certificate expiry period will not be used as additional search criteria.
CriteriaName	Address of	In	Points to a 33-byte area, in which the first byte will contain the actual length of the input requestor's name to be used as additional search criteria. If the first byte is zero (x'00'), the requestor's name will not be used as additional search
SerialNumOrFingerPrt	Address of	In	There are three acceptable formats: Points to a 17-byte area, in which the first byte will contain the actual length of the input certificate serial number from which details are to be extracted. The serial number is in printable EBCDIC (HEX) form for example, "01A6". Points to a 65-byte area, in which the first byte will contain the actual length of the input certificate SHA256 fingerprint with no separators. The fingerprint is in printable EBCDIC (HEX) form. For example: “9C3E4AFCC491DFD332F3089B8542E9417D893D7FE944E10A7937EE29D9693DAE”. Points to a 96-byte area, in which the first byte will contain the actual length of the input certificate SHA256 fingerprint with colon or blank separators. For example: “9C:3E:4A:FC:C4:91:DF:D3:32:F3:08:9B:85:42:E9:41:7D:89:3D:7F:E9:44:E1:0A:79:37:EE:29:D9:69:3D:AE”, or “9C 3E 4A FC C4 91 DF D3 32 F3 08 9B 85 42 E9 41 7D 89 3D 7F E9 44 E1 0A 79 37 EE 29 D9 69 3D AE”

The QUERYCERTS function returns results in the ResultsList area provided by the caller. The ResultsList has the following format:

Table 12. ResultsList for QUERYCERTS
Length	Value
1-byte length	Entry 1's serial number in printable EBCDIC (HEX) form for example, "01A6", max 16 bytes
1-byte length	Entry 1's requestor's name, max 32 bytes
1-byte length	Entry 1's subject's distinguished name, max 255 bytes
1-byte length	Entry 1's issuer's distinguished name, max 255 bytes
1-byte length	Entry 1's validity period in local time. Format YYYY/MM/DD HH:MM:SS - YYYY/MM/DD HH:MM:SS. Exactly 41 bytes
1-byte length	Entry 1's keyUsage value, max 64 bytes (one or more of 'handshake' \|'dataencrypt' \|'certsign' \|'docsign' \| 'digitalsig' \| 'keyencrypt' \| 'keyagree' \| 'keycertsign' \| 'crlsign' or "not specified" )
1-byte length	Entry 1's status, max 32 bytes, one of "Active", "Active, AutoRenew", "Active, AutoRenewDisabled", "Expired", "Revoked", "Suspended", "Revoked, Expired", or "Active, NotRenewable"
1-byte length	Entry 1's creation date in YYYY/MM/DD form, exactly 10 bytes
1-byte length	Entry 1's last modified date in YYYY/MM/DD form, exactly 10 bytes
1-byte length	Entry 1's ApplData value from the GENCERT or REQCERT invocation, max 8 bytes
1-byte length	Entry 1's ExtKeyUsage value, max 255 bytes (one or more of 'serverauth' \| 'clientauth' \| 'codesigning' \| 'emailprotection' \| 'timestamping' \| 'ocspsigning' \| 'mssmartcardlogon' \| 'cmcca' \| 'cmcra' \| 'cmcas' \| 'pkinitkdc' \| 'pkinitclientauth' or "not specified")
1-byte length	Entry 1's KeyId, exactly 40 bytes (printable EBCDIC)
1-byte length	Entry 1's SHA256 fingerprint, exactly 95 bytes (printable EBCDIC, colon separated)
1-byte length	Entry 2's serial number in printable EBCDIC (HEX) form for example, "01A6", max 16 bytes
1-byte length	Entry 2's requestor's name, max 32 bytes
1-byte length	Entry 2's subject's distinguished name, max 255 bytes
1-byte length	Entry 2's issuer's distinguished name, max 255 bytes
1-byte length	Entry 2's validity period in local time. Format YYYY/MM/DD HH:MM:SS - YYYY/MM/DD HH:MM:SS. Exactly 41 bytes
1-byte length	Entry 2's keyUsage value, max 64 bytes (one or more of 'handshake' \|'dataencrypt' \| 'certsign' \|'docsign' \|'digitalsig' \| 'keyencrypt' \| 'keyagree' \| 'keycertsign' \| 'crlsign' or "not specified")
1-byte length	Entry 2's status, max 32 bytes, one of "Active", "Active, AutoRenew", "Active, AutoRenewDisabled", "Expired", "Revoked", "Suspended", "Revoked, Expired", or "Active, NotRenewable".
1-byte length	Entry 2's creation date in YYYY/MM/DD form, exactly 10 bytes
1-byte length	Entry 2's last modified date in YYYY/MM/DD form, exactly 10 bytes
1-byte length	Entry 2's ApplData value from the GENCERT or REQCERT invocation, max 8 bytes
1-byte length	Entry 2's ExtKeyUsage value, max 255 bytes (one or more of 'serverauth' \| 'clientauth' \| 'codesigning' \| 'emailprotection' \| 'timestamping' \| 'ocspsigning' \| 'mssmartcardlogon' \| 'cmcca' \| 'cmcra' \| 'cmcas' \| 'pkinitkdc' \| 'pkinitclientauth' or "not specified")
1–byte length	Entry 2's KeyID, exactly 40 bytes (printable EBCDIC)

Table 13. ResultsList for QUERYCERTS (continued)
Length, continued	Value, continued
1-byte length	Entry n's serial number in printable EBCDIC(HEX) form for example, "01A6", max 16 bytes
1-byte length	Entry n's requestor's name, max 32 bytes
1-byte length	Entry n's subject's distinguished name, max 255 bytes
1-byte length	Entry n's issuer's distinguished name, max 255 bytes
1-byte length	Entry n's validity period in local time. Format YYYY/MM/DD HH:MM:SS - YYYY/MM/DD HH:MM:SS. Exactly 41 bytes
1-byte length	Entry n's keyUsage value, max 64 bytes (one or more of 'handshake' \|'dataencrypt' \|'certsign' \|'docsign' \|'digitalsig' \| 'keyencrypt' \| 'keyagree' \| 'keycertsign' \| 'crlsign' or "not specified")
1-byte length	Entry n's status, max 32 bytes, one of "Active", "Active, AutoRenew", "Active, AutoRenewDisabled", "Expired", "Revoked", "Suspended", "Revoked, Expired", or "Active, NotRenewable"
1-byte length	Entry n's creation date in YYYY/MM/DD form, exactly 10 bytes
1-byte length	Entry n's last modified date in YYYY/MM/DD form, exactly 10 bytes
1-byte length	Entry n's ApplData value from the GENCERT or REQCERT invocation, max 8 bytes
1-byte length	Entry n's ExtKeyUsage value, max 255 bytes (one or more of 'serverauth' \| 'clientauth' \| 'codesigning' \| 'emailprotection' \| 'timestamping' \| 'ocspsigning' \| 'mssmartcardlogon' \| 'cmcca' \| 'cmcra' \| 'cmcas' \| 'pkinitkdc' \| 'pkinitclientauth' or "not specified")
1-byte length	Entry n's KeyId, exactly 40 bytes (printable EBCDIC)

Table 14. Function_parmlist for CERTDETAILS
Field	Attributes	Usage	Description
Eyecatcher	8 characters	In	Eyecatcher, 8 characters left-aligned blank filled. Actual value set by invoker, for example, ' CRTDTAIL'
SumListLen	4-byte length	In/Out	4-byte area that is the length of the pre-allocated storage of the Summary List area on input to CERTDETAILS. RACF will update this value with the actual length of the data returned. If the storage area as specified by the Summary List address is too small, RACF will set a failing return/reason code and update the length field to the size required. The caller must allocate a larger area.
SumList	Address of	In/Out	The address of the storage area in which the R_PKIServ service stores the results of the query if the service was able to successfully retrieve the data. If the caller has supplied an area which is too small, (based in the SummaryListLen), this service fails the request, and updates the SummaryListLen field to indicate the actual storage required to store the data. Also, see Table 15.
CertPlistLen	4-byte length	In/Out	4-byte area that is the length of the pre-allocated storage of the certificate generation plist area on input to CERTDETAILS. RACF will update this value with the actual length of the data returned. If the storage area as specified by the Results List address is too small, RACF will set a failing return/reason code and update the length field to the size required. The caller must allocate a larger area.
SerialNumOrFingerPrt	Address of	In	There are three acceptable formats: Points to a 17-byte area, in which the first byte will contain the actual length of the input certificate serial number from which details are to be extracted. The serial number is in printable EBCDIC (HEX) form for example, "01A6". Points to a 65-byte area, in which the first byte will contain the actual length of the input certificate SHA256 fingerprint with no separators. The fingerprint is in printable EBCDIC (HEX) form. For example: “9C3E4AFCC491DFD332F3089B8542E9417D893D7FE944E10A7937EE29D9693DAE”. Points to a 96-byte area, in which the first byte will contain the actual length of the input certificate SHA256 finger print with colon or blank separators. The fingerprint is in printable EBCDIC (HEX) form, separated by colons or blanks e.g., “9C:3E:4A:FC:C4:91:DF:D3:32:F3:08:9B:85:42:E9:41: 7D:89:3D:7F:E9:44:E1:0A:79:37:EE:29:D9:69:3D:AE”, or “9C 3E 4A FC C4 91 DF D3 32 F3 08 9B 85 42 E9 41 7D 89 3D 7F E9 44 E1 0A 79 37 EE 29 D9 69 3D AE”.
CertPlist	Address of	In/Out	The address of the storage area in which the R_PKIServ service stores the results of the query if the service was able to successfully retrieve the data. If the caller has supplied an area which is too small, (based in the CertPlistLen), this service fails the request, and updates the CertPlistLen field to indicate the actual storage required to store the data. This area maps some of the specific name, length, address/data values which were used when generating the original certificate request on GENCERT. Also, see Table 16.
SerialNum	Address of	In	Points to a 17-byte area, in which the first byte will contain the actual length of the input certificate serial number from which details are to be extracted. The serial number is in printable EBCDIC (HEX) form for example, "01A6",

The CERTDETAILS function returns QUERYCERTS style summary data in the SumList area provided by the caller. The SumList has the following format:

Table 15. SumList for CERTDETAILS
Length	Value
1-byte length	Entry's serial number in printable EBCDIC(HEX) form for example, "01A6", max 16 bytes
1-byte length	Entry's requestor's name, max 32 bytes
1-byte length	Entry's subject's distinguished name, max 255 bytes
1-byte length	Entry's issuer's distinguished name, max 255 bytes
1-byte length	Entry's validity period in local time. Format YYYY/MM/DD HH:MM:SS - YYYY/MM/DD HH:MM:SS. Exactly 41 bytes
1-byte length	Entry's keyUsage value, max 64 bytes (one or more of 'handshake' \|'dataencrypt' \|'certsign' \|'docsign' \|'digitalsig' \| 'keyencrypt' \| 'keyagree' \| 'keycertsign' \| 'crlsign' or "not specified")
1-byte length	Entry's status, max 32 bytes, one of "Active", "Active, AutoRenew", "Active, AutoRenewDisabled", "Expired", "Revoked", "Suspended", "Revoked, Expired", or "Active, NotRenewable"
1-byte length	Entry's creation date in YYYY/MM/DD form, exactly 10 bytes
1-byte length	Entry's last modified date in YYYY/MM/DD form, exactly 10 bytes
1-byte length	Entry's ApplData value from the GENCERT or REQCERT invocation, max 8 bytes
1-byte length	Entry's last action comment, max 64 bytes
1-byte length	Entry's ExtKeyUsage value, max 255 bytes (one or more of 'serverauth' \| 'clientauth' \| 'codesigning' \| 'emailprotection' \| 'timestamping' \| 'ocspsigning' \| 'mssmartcardlogon' \| 'cmcca' \| 'cmcra' \| 'cmcas' \| 'pkinitkdc' \| 'pkinitclientauth' or "not specified")
1-byte length	Entry's pass phrase provided when the certificate request was made, max 32 bytes
1-byte length	Entry's KeyId, exactly 40 bytes (printable EBCDIC)
1-byte length	Entry's SHA256 fingerprint, exactly 95 bytes (printable EBCDIC, colon separated)
1-byte length	Entry’s certificate signature algorithm, max 32 bytes, one of 'sha-1WithRSAEncryption', 'sha-224WithRSAEncryption', 'sha-256WithRSAEncryption', 'sha-384WithRSAEncryption', 'sha-512WithRSAEncryption', 'md-5WithRSAEncryption', 'sha-256With RSAPSS', 'sha-384WithRSAPSS', 'sha512WithRSAPSS' 'md-2WithRSAEncryption', 'id-dsa-with-sha1', 'id-dsa-with-sha224' , 'id-dsa-with-sha256' , 'ecdsa-with-sha1', 'ecdsa-with-sha224', 'ecdsa-with-sha256', 'ecdsa-with-sha384' or 'ecdsa-with-sha512'
1-byte length	Entry’s Key type, max 16 bytes, one of 'RSA', 'DSA', 'BPECC' or 'NISTECC'
1–byte length	Entry's Public Key size in bits, expressed as a decimal character string (EBCDIC, for example, "1024"). Zero bytes if unavailable

Additionally, the CERTDETAILS function returns GENCERT style certificate field name/value pairs in the CertPlist area. This is the list of fields that may be returned. The fields and their values are conditionally present, depending on the values of the original GENCERT request. Multiple HostIdMaps are returned in the order they were originally specified. Fields other than HostIdMap are not returned in any specific order. Like GENCERT, the CertPlist returned is a list of ordered triplets which consists of name, length and data value. The field name is a fixed 12-character field, case sensitive, left-aligned, and padded with blanks, the length field is a binary four byte value, which qualifies the length of the data item. Note that all data values are EBCDIC character data unless otherwise indicated.

Table 16. CertPlist for CERTDETAILS
Field	Max length	Description
AltIPAddr	45 bytes	IP address in IPv4 or IPv6 format for subject alternative name extension. Note that this field may be repeated.
AltURI	255 bytes	Uniform Resource Identifier for subject alternative name extension. Note that this field may be repeated.
AltEmail	100 bytes	Email address for subject alternative name extension. Note that this field may be repeated.
AltDomain	100 bytes	Domain Name for subject alternative name extension. Note that this field may be repeated.
AltOther	255 bytes	Other Name for subject alternative name extension. Note this field may be repeated.
HostIdMap	100 bytes	HostIdMapping extension entry. Note this field may be repeated.
CustomExt	1024 bytes	Customized extension in the form of a comma-separated four-part string. The first part is the OID of the extension. The second part is the critical flag – ‘C’(critical) or ‘N’(non-critical), the third part is the encode type – ‘INT’(integer in printable hexadecimal format), ‘IA5’(IA5 string), ‘PRT’(printable string), ‘BMP’(BMP string) , ‘OCT’(Octet string) or ‘UTF’(UTF8 string), the last part is the value. Note that this field may be repeated.

Table 17. Function_parmlist for MODIFYCERTS
Field	Attributes	Usage	Description
Eyecatcher	8 characters	In	Eyecatcher, 8 characters left-aligned blank filled. Actual value set by invoker, for example, 'MODCERTS'.
Action	4-byte value	In	4-byte binary value indicating the action to take with the certificates. X'00000002' - Revoke X'00000003' - Delete from issued certificate database X'00000004' - Resume suspended certificate X'00000005' - Disable auto renew X'00000006' - Enable auto renew X'00000007' - Change requestor email X'00000008' - Create CRLs X'00000009' - Post Certs
Comment	Address of	In	Points to a 65-byte area, in which the first byte will contain the actual length of the comment associated with this action. If the first byte is zero (x'00'), no comment will be recorded. If the action is X'00000008' (Create CRLs), this field is ignored.
SerialNumsLen	4-byte length	In/Out	Describes the length in bytes of the input certificate serial number list. May be modified by RACF on output if a smaller list is being returned. If the action is X'00000008' (Create CRLs), this field is ignored.
SerialNums	Address of	In/Out	Points to an area containing 1 or more certificate serial numbers that are to be modified by this request. Each occupies a maximum of 17 bytes, in which the first byte will contain the actual length of the certificate serial number. The serial number itself is in printable EBCDIC (HEX) form for example, "01A6", If any certificates cannot be modified, RACF will return a shortened list containing those serial numbers that couldn't be modified. The ErrList field will contain the corresponding error description. If the action is X'00000007' - Change requestor email, this field must contain only 1 serial number. If the action is X'00000008' (Create CRLs), this field is ignored.
Reason	4-byte value	In	4-byte binary value indicating the reason for the certificate revocation. X'00000000' - No Reason X'00000001' - User key was compromised X'00000002' - CA key was compromised X'00000003' - User changed affiliation X'00000004' - Certificate was superseded X'00000005' - Original use no longer valid X'00000006' - Temporarily suspend Ignored for actions other than "Revoke".
RequestorEmail	Address of	In	Points to a 33-byte area in which the first byte will contain the actual length of the email address to be changed. Only valid with action X'00000007' - Change requestor email. The minimum Parmlist_Version for the use of this parameter is 1.
ErrListLen	4-byte length	In/Out	4-byte area that is the length of the pre-allocated storage for the Error List output area. May be modified by RACF on output to reflect the actual length of ErrList for certain reason and return codes. See Table 6. If the action is X'00000008' (Create CRLs) or X'00000009' (Post Certs), this field is ignored. The minimum Parmlist_Version for the use of this parameter is 2.
ErrList	Address of	In/Out	Points to an area containing 1 or more error results when any of the input certificates cannot be modified for certain reason and return codes. See Table 6. Each error result occupies a maximum of 100 bytes, in which the first byte is the actual length of the error description for the corresponding serial number returned in the SerialNums field. If the action is X'00000008' (Create CRLs) or X'00000009' (Post Certs), this field is ignored. The minimum Parmlist_Version for the use of this parameter is 2.

Table 18. Function_parmlist for VERIFY
Field	Attributes	Usage	Description
Eyecatcher	8 characters	In	Eyecatcher, 8 characters left-aligned blank filled. Actual value set by invoker, for example, ' VERIFY '.
SumListLen	4-byte length	In/Out	4-byte area that is the length of the pre-allocated storage of the Summary List area on input to VERIFY. RACF will update this value with the actual length of the data returned. If the storage area as specified by the Summary List address is too small, RACF will set a failing return/reason code and update the length field to the size required. The caller must allocate a larger area.
SumList	Address of	In/Out	The address of the storage area in which the R_PKIServ service stores the results of the verify if the service was able to successfully retrieve the data. If the caller has supplied an area which is too small, (based in the SummaryListLen) this service fails the request, and updates the SummaryListLen field to indicate the actual storage required to store the data. Also, see Table 19.
CertPlistLen	4-byte length	In/Out	4-byte area which is the length of the pre-allocated storage of the certificate generation plist area on input to VERIFY. RACF will update this value with the actual length of the data returned. If the storage area as specified by the Results List address is too small, RACF will set a failing return/reason code and update the length field to the size required. The caller must allocate a larger area.
CertPlist	Address of	In/Out	The address of the storage area in which the R_PKIServ service stores the results of the verify if the service was able to successfully retrieve the data. If the caller has supplied an area which is too small, (based in the CertPlistLen) this service fails the request, and updates the CertPlistLen field to indicate the actual storage required to store the data. This area maps some of the specific name, length, address/data values which were used when generating the original certificate request on GENCERT. Also, see Table 20.
CertLen	4-byte length	In	4-byte area that is the length of the certificate contained in the Cert area on input to VERIFY.
Cert	Address of	In	The address of the storage area containing the X509 certificate or the PKCS #7 certificate chain to verify. This is base64 encoded DER.

The VERIFY function returns CERTDETAILS style summary data in the SumList area provided by the caller. The SumList has the following format:

Table 19. SumList for VERIFY
Length	Value
1-byte length	Entry's serial number in printable EBCDIC(HEX) form for example, "01A6", max 16 bytes
1-byte length	Entry's requestor's name, max 32 bytes
1-byte length	Entry's subject's distinguished name, max 255 bytes
1-byte length	Entry's issuer's distinguished name, max 255 bytes
1-byte length	Entry's validity period in local time. Format YYYY/MM/DD HH:MM:SS - YYYY/MM/DD HH:MM:SS. Exactly 41 bytes
1-byte length	Entry's keyUsage value, max 64 bytes (one or more of 'handshake' \| 'dataencrypt' \| 'certsign' \| 'docsign' \| 'digitalsig' \| 'keyencrypt' \| 'keyagree' \| 'keycertsign' \| 'crlsign' or "not specified")
1-byte length	Entry's status, max 32 bytes, one of "Active", "Active, AutoRenew", "Active, AutoRenewDisabled", "Expired", "Suspended", "Revoked", "Revoked, Expired", or "Active, NotRenewable"
1-byte length	Entry's creation date in YYYY/MM/DD form, exactly 10 bytes
1-byte length	Entry's last modified date in YYYY/MM/DD form, exactly 10 bytes
1-byte length	Entry's ApplData value from the GENCERT or REQCERT invocation, max 8 bytes
1-byte length	Entry's ExtKeyUsage value, max 255 bytes (one or more of 'serverauth' \| 'clientauth' \| 'codesigning' \| 'emailprotection' \| 'timestamping' \| 'ocspsigning' \| 'mssmartcardlogon' \| 'cmcca' \| 'cmcra' \| 'cmcas' \| 'pkinitkdc' \| 'pkinitclientauth' or "not specified")

Additionally, the VERIFY function returns GENCERT style certificate field name/value pairs in the CertPlist area. The fields and their values are conditionally present, depending on the values actually contained in the certificate. Fields are not returned in any specific order. Like GENCERT, the CertPlist is a list of ordered triplets which consists of name, length and data value. The field name is a fixed 12-character field, case sensitive, left-aligned, and padded with blanks, the length field is a binary four byte value, which qualifies the length of the data item. Note that all data values are EBCDIC character data unless otherwise indicated.

Table 20. CertPlist for VERIFY
Field	Max length	Description
AltIPAddr	45 bytes	IP address in IPv4 or IPv6 format for subject alternative name extension. Note that this field may be repeated.
AltURI	255 bytes	Uniform Resource Identifier for subject alternative name extension. Note that this field may be repeated.
AltEmail	100 bytes	Email address for subject alternative name extension. Note that this field may be repeated.
AltDomain	100 bytes	Domain Name for subject alternative name extension. Note that this field may be repeated.
AltOther	255 bytes	Other Name for subject alternative name extension. Note this field may be repeated.
HostIdMap	100 bytes	HostIdMapping extension entry. Note this field may be repeated.
CustomExt	1024 bytes	Customized extension in the form of a comma-separated four-part string. The first part is the OID of the extension. The second part is the critical flag – ‘C’(critical) or ‘N’(non-critical), the third part is the encode type – ‘INT’(integer in printable hexadecimal format), ‘IA5’(IA5 string), ‘PRT’(printable string), ‘BMP’(BMP string) , ‘OCT’(Octet string) or ‘UTF’(UTF8 string), the last part is the value. Note that this field may be repeated.

Table 21. Function_parmlist for REVOKE
Field	Attributes	Usage	Description
Eyecatcher	8 characters	In	Eyecatcher, 8 characters left-aligned blank filled. Actual value set by invoker, for example, ' REVOKE '
Reason	4-byte value	In	4-byte binary value indicating the reason for the certificate revocation, X'00000000' - No Reason X'00000001' - User key was compromised X'00000002' - CA key was compromised X'00000003' - User changed affiliation X'00000004' - Certificate was superseded X'00000005' -Original use no longer valid X'00000006' - Temporarily suspended
SerialNum	Address of	In	Points to a 17-byte area, in which the first byte will contain the actual length of the input certificate serial number for the certificate that is to be revoked. The serial number is in printable EBCDIC (HEX) form for example, "01A6",

Table 22. Function_parmlist for GENRENEW and REQRENEW
Field	Attributes	Usage	Description
Eyecatcher	8 characters	In	Eyecatcher, 8 characters left-aligned blank filled. Actual value set by invoker, for example, ' RENEW '
CertPlistLen	4-byte length	In	Describes the length in bytes of the certificate generation plist. A zero indicates no modification plist
CertPlist	Address of	In	The name of the area which is the renew request parameter list. This area maps the specific name, length, address/data values which are used in satisfying the certificate request for the specified user. Also, see Table 23.
CertId	Address of	In/Out	Points to a 57-byte area, in which the first byte will contain the actual length on return of the certificate request ID. The storage address specified must be obtained by the caller, and freed by the caller. The returned certificate request ID is used to extract the completed certificate, if the request has been accepted.
SerialNum	Address of	In	Points to a 17-byte area, in which the first byte will contain the actual length of the input certificate serial number for the certificate that is to be renewed. The serial number is in printable EBCDIC (HEX) form for example, "01A6",

Here is the layout and supported fields for the RENEW CertPlist. Because most of the certificate information from the old certificate is reused for the new certificates, very little new information can be specified in the RENEW CertPlist. Like GENCERT, the CertPlist is a list of ordered triplets that consists of name, length and data value. The field name is a fixed 12-character field, case sensitive, left-aligned, and padded with blanks. The length field is a binary four byte value, which qualifies the length of the data item. Note that all data values are EBCDIC character data unless otherwise indicated. See GENCERT for more information about the other individual fields

Table 23. CertPlist for GENRENEW and REQRENEW
Field name	Max length	Description
DiagInfo	80 bytes (exactly)	Diagnostic information area. Must be first field in the CertPlist. For certificate generation warnings and errors, RACF will update this field with diagnostic information. The length will be updated as well. Required field.
PassPhrase	32 bytes	Value to be used for challenge/response when retrieving the certificate through function EXPORT. When renewing a certificate whose key pair was generated by PKI Services, the PassPhrase from the original certificate will be used if this field is not specified. Optional.
NotAfter	4 bytes	Number of days from today's date that the certificate expires. Range 1-9999. Validity checked by RACF. Optional. Default is 365. The start date of the validity period is set from the original certificate's start of validity.
NotifyEmail	64 bytes	Email address for notification purposes. When renewing a certificate whose key pair was generated by PKI Services, the specified value must not exceed 32 characters. If this field is not specified, the notification email address of the original certificate will be used. Optional.
CertPolicies	32 bytes	Blank separated array of non-repeating policy numbers. Range 1 - 99, for the CertificatePolicies extension. These correspond to the policy numbers defined during PKI Services configuration. Each value must be one or two digits with no leading zeros. Optional, no default.
AuthInfoAcc	255 bytes	A comma separated two part string specifying information used to create the AuthorityInfoAccess extension. The two part string identifies the accessMethod and accessLocation. The accessMethod is one of 'OCSP' \| 'IdentrusOCSP' (not case sensitive, no quotes). The accessLocation is a URI in the form URI=access-url or URL=access-url. Optional, no default. Note this field may be repeated.
Critical	32 bytes	Name of a certificate extension to be marked critical. One of 'CertificatePolicies' \| 'CertPolicies' (not case sensitive, no quotes). Optional.

Table 24. Function_parmlist for RESPOND
Field	Attributes	Usage	Description
Eyecatcher	8 characters	In	Eyecatcher, 8 characters left-aligned blank filled. Actual value set by invoker, for example 'RESPOND'
RestLen	4-byte length	In/Out	4-byte area that is the length of the pre-allocated storage of the OCSP response area on input to RESPOND. RACF will update this value with the actual length of the data returned. If the storage area as specified by the Response address is too small, RACF will set a failing return/reason code and update the length field to the size required. The caller must allocate a larger area.
Response	Address of	In/Out	The address of the storage area in which the R_PKIServ service stores the results of the RESPOND function if the service was able to successfully retrieve the data. If the caller has supplied an area which is too small, (based in the ResLen), this service fails the request, and updates the ResLen field to indicate the actual storage required to store the data.
ReqLen	4-byte length	In	4-byte area that is the length of the request contained in the Request area on input to RESPOND.
Request	Address of	In	The address of the storage area containing the request to verify.

Table 25. Function_parmlist for SCEPREQ
Field	Attributes	Usage	Description
Eyecatcher	8 characters	In	Eyecatcher, 8 characters left-aligned blank filled. Actual value set by invoker, for example, ' SCEPREQ '
RestLen	4-byte length	In/Out	4-byte area that is the length of the pre-allocated storage of the SCEP response area on input to SCEPREQ. RACF will update this value with the actual length of the data returned. If the storage area, as specified by the Response address is too small, RACF sets a failing return/reason code and update the length field to the size required. The caller must allocate a larger area.
Response	Address of	In/Out	The address of the storage area in which the R_PKIServ service stores the results of the SCEPREQ function if the service was able to successfully retrieve the data. If the caller has supplied an area which is too small, (based in the ResLen), this service fails the request, and updates the ResLen field to indicate the actual storage required to store the data.
ReqLen	4-byte length	In	4-byte area that is the length of the SCEP request contained in the Request area on input to SCEPREQ.
Request	Address of	In	The address of the storage area containing the SCEP request to verify.

Table 26. Function_parmlist for PREREGISTER
Field	Attributes	Usage	Description
Eyecatcher	8 characters	In	Eyecatcher, 8 characters left-aligned blank filled. Actual value set by invoker, for example, ' PREREG '
PreregPlistLen	4-byte length	In	Describes the length in bytes of the preregistration plist
PreregPlist	Address of	In	The name of the area which is the preregistration parameter list. This area maps the specific name, length, address or data values which must match the values specified when the certificate request is received.
CertId	Address of	In/Out	Points to a 57-byte area, in which the first byte will contain the actual length on return of the certificate request ID. The storage address specified must be obtained by the caller, and freed by the caller. The returned certificate request ID is used to query the preregistration record, if the request has been accepted by RACF.

Like GENCERT, the Preregistration CertPlist is a list of ordered triplets which consists of name, length and data value. The data values provided on PREREGISTER must match the values specified when the certificate request is received, otherwise the requestor is considered unauthenticated. The field name is a fixed 12-character field, case sensitive, left-aligned, and padded with blanks, the length field is a binary 4-byte value, which qualifies the length of the data item.

Note: All data values are EBCDIC character data unless otherwise indicated. See GENCERT for more information about the other individual fields.

Table 27. CertPlist for PREREGISTER
Field name	Max length	Description
DiagInfo	80 bytes (exactly)	EyeCatcher to identify this request in virtual storage for diagnostic reasons. For certificate generation warnings and errors RACF will update this field with diagnostic information. The length will be updated as well. Required field. Must be first field in the CertPlist.
ClientName	64 bytes	Name of the person or device that is being preregistered. Must match either the CommonName or the UnstructName when the certificate request is received. Required field.
PassPhrase	32 bytes	Challenge/response value to be used for authenticating when the certificate request is received. Optional. No default.
SerialNumber	64 bytes	Serial number of the subject device. Optional. No default.
UnstructAddr	64 bytes	Unstructured address of the subject device. Optional. No default.
EmailAddr	64 bytes	Subject’s email address for distinguished name EMAIL= attribute. Optional. No default.
Mail	64 bytes	Subject’s email address for distinguished name MAIL= attribute. Optional. No default.
DNQualifier	64 bytes	Subject’s Distinguished Name Qualifier. Optional. No default.
Uid	64 bytes	Subject’s login ID. Optional. No default.
Title	64 bytes	Subject’s Title. Optional. No default.
DomainName	64 bytes	Subject’s Domain Name containing all the domain components in the form of domain-component-1.domain-component-2.domain-component-3…domain-component-n. Optional. No default.
OrgUnit	64 bytes	Subject’s Organizational Unit. Note this field may be repeated, RACF concatenates in the order of appearance to construct the hierarchy of organizational units. Optional. No default.
Org	64 bytes	Subject’s Organization. Optional. Optional. No default.
Street	64 bytes	Subject’s Street Address. Optional. No default.
Locality	64 bytes	Subject’s City or Locality. Optional. No default.
StateProv	64 bytes	Subject’s State/Province. Optional. No default.
PostalCode	64 bytes	Subject’s Zip code or Postal Code. Optional. No default.
Country	2 bytes	Subject’s Country. Optional. No default.
AltIPAddr	45 bytes	IP address in IPv4 or IPv6 format for subject alternate name extension. Optional. No default. Note that this field may be repeated.
AltURI	255 bytes	Uniform Resource Identifier for subject alternate name extension. Optional. No default. Note that this field may be repeated.
AltEmail	100 bytes	Email address for subject alternate name extension. Optional. No default. Note that this field may be repeated.
AltDomain	100 bytes	Domain Name for subject alternate name extension.Optional. No default. Note that this field may be repeated.
AltOther	255 bytes	Other Name for subject alternate name extension. Optional. No default. Note this field may be repeated.
BusinessCat	64 bytes	Subject's business category. Optional. No default. Only valid with PKI Services requests. Note: It is recommended that this field be used only in requests for Extended Verification certificates.
JurCountry	2 bytes	Subject's Jurisdiction Country. Optional. No default. Only valid with PKI Services requests. Note: It is recommended that this field be used only in requests for Extended Verification certificates.
JurStateProv	64 bytes	Subject's Jurisdiction State/Province. Optional. No default. Only valid with PKI Services requests. Note: It is recommended that this field be used only in requests for Extended Verification certificates.
JurLocality	64 bytes	Subject's Jurisdiction Locality. Optional. No default. Only valid with PKI Services requests. Note: It is recommended that this field be used only in requests for Extended Verification certificates.

Table 28. Function_parmlist for QRECOVER
Field	Attributes	Usage	Description
Eyecatcher	8 characters	In	Eyecatcher, 8 characters left-aligned blank filled. Actual value set by invoker, for example 'QRECOVER'.
ResultsListLen	4-byte length	In/Out	4-byte area which is the length of the pre-allocated storage of the Results List area on input to QRECOVER. RACF will update this value with the actual length of the data returned. If the storage area as specified by the Results List address is too small, RACF will set a failing return/reason code and update the length field to the size required. The caller must allocate a larger area.
ResultsList	Address of	In/Out	The address of the storage area in which the R_PKIServ service stores the results of the query if the service was able to successfully retrieve the data. If the caller has supplied an area which is too small, (based in the ResultsListLen), this service fails the request, and updates the ResultsListLen field to indicate the actual storage required to store the data.
NumEntries	4-byte numeric	In/Out	Input value indicating the maximum number of entries that should be returned in the ResultsList area. Zero indicates no limit. Updated to indicate the number of entries actually returned.
CriteriaName	Address of	In	Points to a 33-byte area, in which the first byte will contain the actual length of the input requestor’s email address to be used as a search criterion.
CriteriaPass	Address of	In	Points to a 33-byte area, in which the first byte will contain the actual length of the input pass phrase to be used as a search criterion.

The QRECOVER function returns results in the ResultsList area provided by the caller. The results list has the following format:

Table 29. ResultsList for QRECOVER
Length	Value
1-byte length	Entry 1's serial number in printable EBCDIC (HEX) form for example, "01A6", max 16 bytes
1-byte length	Entry 1’s subject’s distinguished name, max 255 bytes
1-byte length	Entry 1’s issuer’s distinguished name, max 255 bytes
1-byte length	Entry 1’s validity period in local time. Format YYYY/MM/DD HH:MM:SS - YYYY/MM/DD HH:MM:SS. Exactly 41 bytes
1-byte length	Entry 1’s Pass phrase provided when the certificate request was made, max 32 bytes
1-byte length	Entry 1’s KeyId, exactly 40 bytes (printable EBCDIC)
1-byte length	Entry 2’s serial number in printable EBCDIC (HEX) form for example, “01A6”, max 16 bytes
1-byte length	Entry 2’s subject’s distinguished name, max 255 bytes
1-byte length	Entry 2’s issuer’s distinguished name, max 255 bytes
1-byte length	Entry 2’s validity period in local time. Format YYYY/MM/DD HH:MM:SS - YYYY/MM/DD HH:MM:SS. Exactly 41 bytes
1-byte length	Entry 2's Pass phrase provided when the certificate request was made, max 32 bytes
1-byte length	Entry 2’s KeyId, exactly 40 bytes (printable EBCDIC)

⋮

Length, continued	Value, continued
1-byte length	Entry n’s serial number in printable EBCDIC (HEX) form for example, “01A6”, max 16 bytes
1-byte length	Entry n’s subject’s distinguished name, max 255 bytes
1-byte length	Entry n’s issuer’s distinguished name, max 255 bytes
1-byte length	Entry n’s validity period in local time. Format YYYY/MM/DD HH:MM:SS - YYYY/MM/DD HH:MM:SS. Exactly 41 bytes
1-byte length	Entry n’'s Pass phrase provided when the certificate request was made, max 32 bytes
1-byte length	Entry 1’s KeyId, exactly 40 bytes (printable EBCDIC)

CA_domain

The name of an optional 9-byte input area that consists of a 1-byte length field followed by up to 8 characters from the following character set: the alphanumerics (a-z, A-Z, 0-9) and the hyphen ('-'). In addition, the leftmost character must not be a digit or the hyphen. The value is the not case-sensitive domain name of the PKI Services certificate authority instance to be invoked. If Number_parameters is less than 6, CA_domain is null, or the length byte is 0, then the default instance of PKI Services will be invoked. This field is ignored for SAF requests.