The installation wants to locally issue client browser certificates. This is similar to Scenario 2: Secure server with a locally signed certificate, in that a local certificate-authority certificate must first be created. In this case, a client certificate is created, locally signed, exported from RACF® in PKCS #12 format, and imported into the user's browser.
- Follow Steps 1 through 6 as described in Scenario 2: Secure server with a locally signed certificate to create a local certificate-authority certificate to use for signing client browser certificates.
- User MARKN can obtain a local browser certificate for himself using the following command:

      RACDCERT ID(MARKN)
        GENCERT
        SUBJECTSDN(CN('Mark Napolitano')
                   OU('Local Certificate Authority')
                   O('XYZZY')
                   C('US'))
        WITHLABEL('My Browser Cert')
        KEYUSAGE(HANDSHAKE)
        SIGNWITH(CERTAUTH LABEL('XYZZY Local Certificate Authority'))
- Export the certificate and private key to an MVS™ data set in PKCS #12 binary form, where the password is 'The circus is coming':

      RACDCERT ID(MARKN)
        EXPORT
        LABEL('My Browser Cert')
        DSN('MARKN.BROWSERC.P12BIN')
        PASSWORD('The circus is coming')
        FORMAT(PKCS12DER)
- Use FTP to send the exported certificate data set in binary format to the target workstation. Use the appropriate browser-specific procedure to import the PKCS #12 package.
  Note: RACF is not involved with this step.
- Optionally, the certificate labeled 'My Browser Cert' can be deleted from the RACF database if an appropriate certificate name filter is available to provide a user ID association, and the specific association between this certificate and the user ID MARKN is not required.
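The FTP step is where the exported package is most often damaged: if the PKCS12DER data set is sent in ASCII rather than binary mode, code-page translation and line-end handling alter the bytes and the browser import fails with an unhelpful error. The following is an added example, not IBM's code and not part of this documentation: a standard-library Python check to run on the workstation before importing, which verifies only the outer DER structure of a PFX (SEQUENCE, length matching the file size, version INTEGER 3) and so needs no password; the sample bytes it ships with are constructed, not a real certificate.

```python
import sys

# Constructed sample bytes (not a real certificate): a well-formed PFX outer
# wrapper (SEQUENCE, long-form length, version INTEGER 3) around filler, and
# the same bytes with two stray characters inserted, as a text-mode transfer
# might do.
_INNER = b"\x02\x01\x03" + b"\x30\x82\x01\x00" + b"\x00" * 256
SAMPLE_GOOD = b"\x30\x82\x01\x07" + _INNER          # 4-byte header + 263 bytes
SAMPLE_BAD = SAMPLE_GOOD[:4] + b"\r\n" + SAMPLE_GOOD[4:]


def der_header(data, offset=0):
    """Parse the DER tag and length at offset; return (tag, length, header_len)."""
    if offset + 2 > len(data):
        raise ValueError("truncated DER header")
    tag, first = data[offset], data[offset + 1]
    if first < 0x80:                      # short-form length (one byte)
        return tag, first, 2
    n = first & 0x7F                      # long-form: next n bytes hold the length
    if n == 0 or n > 4 or offset + 2 + n > len(data):
        raise ValueError("bad DER length encoding")
    return tag, int.from_bytes(data[offset + 2:offset + 2 + n], "big"), 2 + n


def check_pkcs12_der(data):
    """Return the problems found; an empty list means the outer PFX is intact."""
    try:
        tag, length, hdr = der_header(data)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if tag != 0x30:
        problems.append("outer element is not a SEQUENCE (0x30): 0x%02x" % tag)
    if hdr + length != len(data):
        problems.append("DER length %d + header %d != file size %d"
                        % (length, hdr, len(data)))
    # PFX ::= SEQUENCE { version INTEGER v3(3), authSafe ContentInfo, macData OPTIONAL }
    if data[hdr:hdr + 3] != b"\x02\x01\x03":
        problems.append("PFX version field is not INTEGER 3")
    return problems


if __name__ == "__main__":                # usage: python check_p12.py <transferred .p12 file>
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else SAMPLE_BAD
    for p in check_pkcs12_der(data) or ["outer PKCS #12 structure looks intact"]:
        print(p)
```

A clean result does not prove the package is valid (the MAC and the encrypted contents are only checked by the importing browser); a reported problem does prove the file is not what RACF exported and should be transferred again in binary mode.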