Use the RACDCERT command to create and add new certificates to a key ring.
About this task
The certificates in the key ring must be associated with the CICS region user ID. The key ring must be owned by the CICS region user ID that is making use of it.
Note: Multiple certificates with the same Distinguished Name on the same KEYRING are not supported.
Procedure
- Create a certificate, specifying the CICS region user ID. Enter the RACDCERT GENCERT command as follows:
    RACDCERT ID(foruser) GENCERT
    SUBJECTSDN(CN('username')
    T ('username''s certificate')
    OU('department')
    O ('organization')
    L ('city')
    SP('state')
    C ('country'))
    NOTBEFORE(DATE(start) TIME(00:00:00))
    NOTAFTER (DATE(finish) TIME(23:59:59))
    SIGNWITH (CERTAUTH LABEL('certifier'))
    WITHLABEL('certlabel')
    SIZE (1024)
  Provide values for the variables. The country code for the country variable must be an ISO 3166-1 code. For a list of valid codes, see https://www.iso.org/iso-3166-country-codes.html. The value of certifier is the label of the signing certificate in the key ring.
- Add the certificate to the key ring using the RACDCERT CONNECT command.
- If you want to share the certificate across multiple CICS regions, add it to the key ring specified in the KEYRING system initialization parameter for that CICS region and specify USAGE(PERSONAL). Any CICS region that has the same region user ID and is using the same key ring can access the certificate.
    RACDCERT ID(foruser) CONNECT( RING(ringname) LABEL('label') USAGE('PERSONAL'))
- If you want to add a certificate to the key ring as the default certificate, add it to the key ring specified in the KEYRING system initialization parameter for that CICS region and specify DEFAULT.
    RACDCERT ID(foruser) CONNECT( RING(ringname) LABEL('label') DEFAULT)
  When a client or server requests a certificate from CICS, the default certificate is used unless you have specified otherwise. For inbound HTTP requests, specify the certificate in the TCPIPSERVICE resource.
- After running any of the RACDCERT commands that update certificates or key rings, if the DIGTCERT and DIGTRING classes are RACLISTed, you must issue the following command:
    SETROPTS RACLIST(DIGTCERT DIGTRING) REFRESH
- After you make any updates or additions to the certificates in the key ring, issue the PERFORM SSL REBUILD command for the CICS region. The command rebuilds the SSL environment for the CICS region and refreshes the cache of certificates with the new information from the key ring.
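As an added illustration, not code from the CICS documentation or from RACF, the helper below assembles the RACDCERT command sequence of this procedure for one key ring and rejects input the page says is not supported (a second certificate with the same Distinguished Name on the same ring, or a malformed country code). The KeyRing class, its method names, the yyyy-mm-dd DATE form, the unquoted USAGE(PERSONAL) keyword and the 2048-bit default key size are assumptions of this example.

```python
import re
from datetime import date

# Hypothetical helper (not IBM code): builds the GENCERT / CONNECT / REFRESH
# sequence from this page and enforces the constraints the page states.

def racf_quote(value):
    """Single-quote a value for RACDCERT; an embedded apostrophe is doubled."""
    return "'" + value.replace("'", "''") + "'"

def subject_dn(cn, ou, o, l, sp, c):
    """Canonical DN string, used only to detect a duplicate DN on the ring."""
    if not re.fullmatch(r"[A-Z]{2}", c):  # format check, not the full ISO 3166-1 list
        raise ValueError("C must be an ISO 3166-1 alpha-2 code such as GB")
    return f"CN={cn},OU={ou},O={o},L={l},SP={sp},C={c}"

class KeyRing:
    def __init__(self, owner, name):
        self.owner = owner   # CICS region user ID that owns and uses the ring
        self.name = name
        self.connected = {}  # label -> DN of certificates already on the ring

    def add_certificate(self, cn, ou, o, l, sp, c, start, finish, certifier,
                        label, default=False, size=2048):
        dn = subject_dn(cn, ou, o, l, sp, c)
        if dn in self.connected.values():
            raise ValueError(f"DN {dn} is already on ring {self.name}")
        if finish <= start:
            raise ValueError("NOTAFTER must fall after NOTBEFORE")
        # The page's example uses SIZE(1024); 1024-bit RSA is deprecated, so this
        # helper defaults to 2048 (assumed acceptable in the target RACF setup).
        title = cn + "'s certificate"
        gencert = (f"RACDCERT ID({self.owner}) GENCERT SUBJECTSDN(CN({racf_quote(cn)}) "
                   f"T({racf_quote(title)}) OU({racf_quote(ou)}) O({racf_quote(o)}) "
                   f"L({racf_quote(l)}) SP({racf_quote(sp)}) C({racf_quote(c)})) "
                   f"NOTBEFORE(DATE({start.isoformat()}) TIME(00:00:00)) "
                   f"NOTAFTER(DATE({finish.isoformat()}) TIME(23:59:59)) "
                   f"SIGNWITH(CERTAUTH LABEL({racf_quote(certifier)})) "
                   f"WITHLABEL({racf_quote(label)}) SIZE({size})")
        usage = "DEFAULT" if default else "USAGE(PERSONAL)"
        connect = (f"RACDCERT ID({self.owner}) CONNECT(RING({self.name}) "
                   f"LABEL({racf_quote(label)}) {usage})")
        self.connected[label] = dn
        # The refresh is required when DIGTCERT/DIGTRING are RACLISTed; after it,
        # PERFORM SSL REBUILD in the CICS region picks up the new ring contents.
        return [gencert, connect, "SETROPTS RACLIST(DIGTCERT DIGTRING) REFRESH"]
```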