z/OS Security Server RACF Security Administrator's Guide


Scenario 5: Creating client browser certificates with a locally signed certificate

SA23-2289-00

The installation wants to locally issue client browser certificates. This is similar to Scenario 2: Secure server with a locally signed certificate in that a local certificate-authority certificate must first be created. In this case, a client certificate is created, locally signed, exported from RACF® in PKCS #12 format, and imported into the user's browser.
  1. Follow Steps 1 through 6 as described in Scenario 2: Secure server with a locally signed certificate to create a local certificate-authority certificate to use for signing client browser certificates.
  2. User MARKN can obtain a local browser certificate for himself using the following command:
    RACDCERT ID(MARKN)
             GENCERT
             SUBJECTSDN(CN('Mark Napolitano')
                        OU('Local Certificate Authority')
                        O('XYZZY')
                        C('US'))
             WITHLABEL('My Browser Cert')
             KEYUSAGE(HANDSHAKE)
             SIGNWITH(CERTAUTH LABEL('XYZZY Local Certificate Authority'))
  3. Export the certificate and private key to an MVS™ data set in PKCS #12 binary form where the password is 'The circus is coming':
    RACDCERT ID(MARKN)
             EXPORT
             LABEL('My Browser Cert')
             DSN('MARKN.BROWSERC.P12BIN')
             PASSWORD('The circus is coming')
             FORMAT(PKCS12DER)
  4. Use FTP to send the exported certificate data set in binary format to the target workstation. Use the appropriate browser-specific procedure to import the PKCS #12 package.
    Note: RACF is not involved with this step.
  5. Optionally, the certificate labeled 'My Browser Cert' can be deleted from the RACF database if an appropriate certificate name filter is available to provide a user ID association, and the specific association between this certificate and the user ID MARKN is not required.
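As an added example that is not part of the IBM scenario, the following shell script checks the exported PKCS #12 package on the workstation, between steps 4 and the browser import, using the openssl CLI: it confirms the package opens with the EXPORT password, that the client certificate chains to the bundled local CA, and that the key usage carries the digitalSignature bit that KEYUSAGE(HANDSHAKE) sets. It assumes openssl is installed and, because the real export exists only on z/OS, constructs a stand-in package with the scenario's names, labelled as such in the code.

```shell
# Added example, not IBM's code: verify an exported PKCS #12 browser package on
# the workstation before importing it. Assumes the openssl CLI is installed.
set -u
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
P12="$WORK/browserc.p12"      # stand-in for the transferred MARKN.BROWSERC.P12BIN
PASS='The circus is coming'   # the PASSWORD() given on the EXPORT command

# Constructed stand-in for the RACF export: a local CA and a locally signed
# client certificate with the scenario's names, packaged by openssl.
build_sample_p12() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj '/CN=XYZZY Local Certificate Authority/O=XYZZY/C=US' \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes \
    -subj '/CN=Mark Napolitano/OU=Local Certificate Authority/O=XYZZY/C=US' \
    -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
  # KEYUSAGE(HANDSHAKE) in RACF sets the digitalSignature and keyEncipherment bits
  printf 'keyUsage=critical,digitalSignature,keyEncipherment\n' >"$WORK/ext.cnf"
  openssl x509 -req -days 365 -in "$WORK/client.csr" -CA "$WORK/ca.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -extfile "$WORK/ext.cnf" \
    -out "$WORK/client.pem" 2>/dev/null
  openssl pkcs12 -export -name 'My Browser Cert' -in "$WORK/client.pem" \
    -inkey "$WORK/client.key" -certfile "$WORK/ca.pem" \
    -passout "pass:$PASS" -out "$P12"
}

# check_p12 FILE PASSWORD CA_CN: returns 0 when the package opens with PASSWORD,
# bundles a CA certificate whose CN is CA_CN, the client certificate chains to
# it, and the key usage includes Digital Signature; otherwise 1..5 names the
# failed check (1 password/MAC, 2 no CA cert, 3 wrong CA, 4 chain, 5 key usage).
check_p12() {
  f=$1; pw=$2; ca_cn=$3
  openssl pkcs12 -in "$f" -passin "pass:$pw" -nokeys -clcerts \
    -out "$WORK/x_client.pem" 2>/dev/null || return 1
  openssl pkcs12 -in "$f" -passin "pass:$pw" -nokeys -cacerts \
    -out "$WORK/x_ca.pem" 2>/dev/null || return 2
  openssl x509 -in "$WORK/x_ca.pem" -noout -subject 2>/dev/null \
    | grep -q "CN *= *$ca_cn" || return 3
  openssl verify -CAfile "$WORK/x_ca.pem" "$WORK/x_client.pem" >/dev/null 2>&1 \
    || return 4
  openssl x509 -in "$WORK/x_client.pem" -noout -text | grep -A1 'Key Usage' \
    | grep -q 'Digital Signature' || return 5
}

build_sample_p12 && check_p12 "$P12" "$PASS" 'XYZZY Local Certificate Authority' \
  && echo "package verified: safe to import as 'My Browser Cert'"
```

To check a real export, skip build_sample_p12 and point P12 at the transferred copy of MARKN.BROWSERC.P12BIN; the package carries the private key, so that copy is protected only by the PASSWORD() value until the browser has imported it and the file is removed.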





Copyright IBM Corporation 1990, 2014