Making a certificate untrusted

If a certificate has been registered in the RACF® database, but you do not want it to be used by clients, you can mark it as UNTRUSTED using the RACDCERT command.

Procedure

  1. Enter the command RACDCERT ID(userid) LIST to find the label associated with the certificate.
  2. Enter the command RACDCERT ID(userid) ALTER(LABEL(label)) NOTRUST to mark the certificate as untrusted.
  3. If you amended the certificate while a running CICS region was using a key ring containing the certificate, issue the PERFORM SSL REBUILD command for the CICS region.
    The command rebuilds the SSL environment for the CICS region and refreshes the cache of certificates with the new information from the key ring.
    Note: The PERFORM SSL REBUILD command does not apply to SSL/TLS environments where CICS is using a TCPIPSERVICE that is defined with SSL(ATTLSAWARE), mandating AT-TLS secured client connections. If you want to refresh such SSL environments and cache, follow the instructions in Introduction to Application Transparent Transport Layer Security (AT-TLS).
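As an added example (not IBM code and not part of this page): a Python helper that parses RACDCERT LIST output into one record per certificate, finds the label for step 1 by serial number, builds the step 2 command, and confirms from a later LIST that the status now reads NOTRUST. The sample output is constructed and only approximates the real LIST layout; the user ID, labels, serial numbers and subject name are made up.

```python
# Constructed sample approximating the layout of RACDCERT ID(userid) LIST
# output; field names follow the RACF display, every value is made up.
SAMPLE_LIST = """Digital certificate information for user CICSUSER:
  Label: CICSCERT1
  Status: TRUST
  Start Date: 2023/01/01 00:00:00
  Serial Number:
       >0A<
  Subject's Name:
       >CN=cics.example.com.O=Example.C=US<
  Label: OLDCERT
  Status: TRUST
  Serial Number:
       >03<
  Subject's Name:
       >CN=cics.example.com.O=Example.C=US<
"""

def parse_racdcert_list(text):
    """Return one dict per certificate in LIST output, keyed by field name."""
    certs, current, pending = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Label:"):
            current = {"Label": line.split(":", 1)[1].strip()}
            certs.append(current)
        elif current is None:
            continue                       # header text before the first Label
        elif pending and line.startswith(">") and line.endswith("<"):
            current[pending] = line[1:-1]  # value line of a multi-line field
            pending = None
        elif line.endswith(":"):
            pending = line[:-1]            # e.g. "Serial Number:", value follows
        elif ":" in line:                  # split once: timestamps contain colons
            key, value = line.split(":", 1)
            current[key.strip()] = value.strip()
    return certs

def labels_to_untrust(certs, serial):
    """Step 1: labels of still-trusted certificates carrying the given serial."""
    return [c["Label"] for c in certs
            if c.get("Serial Number") == serial and c.get("Status") == "TRUST"]

def notrust_command(userid, label):
    """Step 2: the ALTER command, label quoted so case and blanks survive."""
    return f"RACDCERT ID({userid}) ALTER(LABEL('{label}')) NOTRUST"

def is_untrusted(certs, label):
    """Check a fresh LIST after step 2: the label must now show Status: NOTRUST."""
    return any(c["Label"] == label and c.get("Status") == "NOTRUST" for c in certs)
```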

Results

Clients are prevented from establishing CLIENTAUTH connections with this certificate.