Creating new RACF certificates

Use the RACDCERT command to create and add new certificates to a key ring.

About this task

The certificates in the key ring must be associated with the CICS region user ID. The key ring must be owned by the CICS region user ID that is making use of it.
Note: Multiple certificates with the same Distinguished Name on the same KEYRING are not supported.

Procedure

  1. Create a certificate, specifying the CICS region user ID. Enter the RACDCERT GENCERT command as follows:
    RACDCERT ID(foruser) GENCERT
     SUBJECTSDN(CN('username')
               T ('username''s certificate')
               OU('department')
               O ('organization')
               L ('city')
               SP('state')
               C ('country'))
     NOTBEFORE(DATE(start) TIME(00:00:00))
     NOTAFTER (DATE(finish) TIME(23:59:59))
     SIGNWITH (CERTAUTH LABEL('certifier'))
     WITHLABEL('certlabel')
     SIZE     (1024)
    Provide values for the variables. The country code for the country variable must be an ISO 3166-1 code. For a list of valid codes, see https://www.iso.org/iso-3166-country-codes.html. The value of certifier is the label of the signing certificate in the key ring.
  2. Add the certificate to the key ring using the RACDCERT CONNECT command.
    1. If you want to share the certificate across multiple CICS regions, add it to the key ring specified in the KEYRING system initialization parameter for that CICS region and specify USAGE(PERSONAL).
      Any CICS region that has the same region user ID and is using the same key ring can access the certificate.
      RACDCERT ID(foruser) CONNECT(RING(ringname) LABEL('label') USAGE(PERSONAL))
    2. If you want to add a certificate to the key ring as the default certificate, add it to the key ring specified in the KEYRING system initialization parameter for that CICS region and specify DEFAULT.
      RACDCERT ID(foruser) CONNECT( RING(ringname) LABEL('label') DEFAULT)
      When a client or server requests a certificate from CICS, the default certificate is used unless you have specified otherwise. For inbound HTTP requests, specify the certificate in the TCPIPSERVICE resource.
  3. After running any of the RACDCERT commands that update certificates or key rings, if the DIGTCERT and DIGTRING classes are RACLISTed, you must issue the following command:
    SETROPTS RACLIST(DIGTCERT DIGTRING) REFRESH
  4. After you make any updates or additions to the certificates in the key ring, issue the PERFORM SSL REBUILD command for the CICS region.
    The command rebuilds the SSL environment for the CICS region and refreshes the cache of certificates with the new information from the key ring.
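As an added example, not IBM's code, the following Python helper assembles the RACF command sequence for steps 1 to 3 above and rejects input that would fail or produce a bad certificate (wrong user ID form, label too long, a non alpha-2 country code, NOTAFTER not later than NOTBEFORE). The limits it enforces, the hypothetical names in the sample call, and the SIZE default are assumptions of this example.

```python
import re
from datetime import date

# Limits enforced below are assumptions of this example, not taken from the
# page: RACF user IDs are 1-8 characters, certificate labels up to 32, and
# C must look like an ISO 3166-1 alpha-2 code.
SUBJECT_KEYS = {"CN", "T", "OU", "O", "L", "SP", "C"}

def racf_quote(value):
    """Quote a string the RACF way: an embedded apostrophe is doubled."""
    return "'" + value.replace("'", "''") + "'"

def validate(region_userid, certlabel, subject, start, finish):
    """Reject input that would make RACDCERT fail or produce a bad cert."""
    if not re.fullmatch(r"[A-Z0-9@#$]{1,8}", region_userid):
        raise ValueError("region user ID must be 1-8 RACF characters")
    if not 1 <= len(certlabel) <= 32:
        raise ValueError("certificate label must be 1-32 characters")
    if not SUBJECT_KEYS.issuperset(subject) or "C" not in subject:
        raise ValueError("subject may only use CN T OU O L SP C, with C")
    if not re.fullmatch(r"[A-Z]{2}", subject["C"]):
        raise ValueError("C must be an ISO 3166-1 alpha-2 code such as GB")
    if date.fromisoformat(finish) <= date.fromisoformat(start):
        raise ValueError("NOTAFTER must be later than NOTBEFORE")

def build_commands(region_userid, ringname, certlabel, certifier,
                   subject, start, finish, default=False, size=2048):
    """Return the RACF commands for steps 1-3, in the order to issue them.

    GENCERT and CONNECT both name the region user ID, so the certificate
    is owned by the same ID that owns the key ring. Dates are yyyy-mm-dd.
    """
    validate(region_userid, certlabel, subject, start, finish)
    sdn = " ".join(f"{k}({racf_quote(v)})" for k, v in subject.items())
    gencert = (
        f"RACDCERT ID({region_userid}) GENCERT SUBJECTSDN({sdn}) "
        f"NOTBEFORE(DATE({start}) TIME(00:00:00)) "
        f"NOTAFTER(DATE({finish}) TIME(23:59:59)) "
        f"SIGNWITH(CERTAUTH LABEL({racf_quote(certifier)})) "
        f"WITHLABEL({racf_quote(certlabel)}) SIZE({size})"
    )
    # Step 2: DEFAULT makes it the ring's default certificate; otherwise
    # USAGE(PERSONAL), unquoted, for sharing across regions with this ID.
    connect_opt = "DEFAULT" if default else "USAGE(PERSONAL)"
    connect = (f"RACDCERT ID({region_userid}) CONNECT(RING({ringname}) "
               f"LABEL({racf_quote(certlabel)}) {connect_opt})")
    # Step 3: needed when the DIGTCERT and DIGTRING classes are RACLISTed.
    refresh = "SETROPTS RACLIST(DIGTCERT DIGTRING) REFRESH"
    return [gencert, connect, refresh]
```

Step 4, PERFORM SSL REBUILD, is issued in the CICS region rather than to RACF, so it is deliberately not part of the generated command list.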