RACDCERT DELETE (Delete certificate)

Purpose

Use the RACDCERT DELETE command to delete a digital certificate.

When you delete a certificate that is connected to a key ring, the certificate is automatically removed from the key ring.

Restriction: Because PKCS #11 tokens are managed by ICSF, not RACF®, when you use the RACDCERT DELETE command to delete a certificate that is bound in a token, the corresponding certificate object remains in the token.

The DELETE function also supports site and certificate-authority certificates, and it deletes the private key and any other certificate data that was stored when the certificate was created.

When a user profile is deleted with the DELUSER command, related DIGTCERT, DIGTRING, and DIGTNMAP profiles are deleted as a part of DELUSER processing. However, under some circumstances, residual profiles might not be deleted. For example, if you issue the DELUSER command from a z/VM® system (which does not support digital certificates), the profiles might not be deleted. The DELETE, DELRING and DELMAP keywords for RACDCERT support the specification of a user ID in order to allow residual certificate information related to the user ID to be deleted. However, the other RACDCERT functions require the user ID to be defined to RACF.

See UTF-8 and BMP character restrictions for information about how UTF-8 and BMP characters in certificate names and labels are processed by RACDCERT functions.

Issuing options

The following table identifies the eligible options for issuing the RACDCERT DELETE command:
As a RACF TSO command?              Yes
As a RACF operator command?         No
With command direction?             No (see rules)
With automatic command direction?   No (see rules)
From the RACF parameter library?    No
Rules: The following rules apply when issuing this command.
  • The RACDCERT command cannot be directed to a remote system using the AT or ONLYAT keyword.
  • The updates made to the RACF database by RACDCERT are eligible for propagation with automatic direction of application updates based on the RRSFDATA profiles AUTODIRECT.target-node.DIGTCERT.APPL and AUTODIRECT.target-node.DIGTRING.APPL, where target-node is the remote node to which the update is to be propagated.

Authorization required

To issue the RACDCERT DELETE command, you must have one of the following authorizations:
  • The SPECIAL attribute, or
  • Sufficient authority to the IRR.DIGTCERT.DELETE resource in the FACILITY class for your intended purpose, as shown in Table 1, or
  • Sufficient authority to the appropriate resources in the RDATALIB class, as shown in Table 2, if Granular Authority Checking has been enabled by defining the IRR.RACDCERT.GRANULAR resource in the RDATALIB class.
When your installation controls access to ICSF services and the CSFSERV class is active, additional access to CSFSERV resources might be required as follows:
  • If the certificate you are deleting has a key stored in the ICSF PKA key data set (PKDS), you must have READ access to the CSFIQF and CSFPKRD resources.
  • If the certificate you are deleting has a key stored in the ICSF Token Data Set (TKDS), you must have READ access to the CSFIQF and CSF1TRD resources.

For details about the CSFSERV resources, see z/OS Cryptographic Services ICSF Administrator's Guide.

Table 1. Authority required for the RACDCERT DELETE function under the FACILITY class
Access level   Purpose
READ           Delete your own certificate.
UPDATE         Delete another user's certificate.
CONTROL        Delete a SITE or CERTAUTH certificate.

Table 2. Authority required for the RACDCERT DELETE function under the RDATALIB class when IRR.RACDCERT.GRANULAR is defined
READ access to the resource based on cert owner and cert label *   Purpose
IRR.DIGTCERT.<cert owner>.<cert label>.UPD.DELETE                  Delete a certificate under <cert owner> with the specified <cert label>.
* 'cert owner' is the RACF user ID, or CERTIFAUTH (for CERTAUTH), or SITECERTIF (for SITE).

Activating your changes

If the DIGTCERT or DIGTRING class is RACLISTed, refresh the classes to activate your changes.

Example:
SETROPTS RACLIST(DIGTCERT, DIGTRING) REFRESH

Related commands

Syntax

For the key to the symbols used in the command syntax diagrams, see Syntax of RACF commands and operands. The complete syntax of the RACDCERT DELETE command is:

If you specify more than one RACDCERT function, only the last specified function is processed. Extraneous keywords that are not related to the function being performed are ignored.

If you do not specify a RACDCERT function, LIST is the default function.

For information on issuing this command as a RACF TSO command, refer to RACF TSO commands.

Parameters

DELETE(LABEL('label-name'))
DELETE(SERIALNUMBER(serial-number) ISSUERSDN('issuer's-dn'))
If the user has only one certificate, the SERIALNUMBER and ISSUERSDN keywords, or the LABEL keyword, and their associated values can be omitted. If the user has more than one certificate, LABEL, SERIALNUMBER, or SERIALNUMBER together with ISSUERSDN must be specified to select which certificate to delete.

When specifying the issuer's distinguished name or the label, you must specify any mixed-case or blank characters exactly as they appear in the output of the RACDCERT LIST command for the certificate.

Restriction: The ISSUERSDN keyword is not supported for lengthy issuer's distinguished names when the name of the certificate's DIGTCERT profile contains a certificate hash value. For more information about DIGTCERT profile names, see the "Purpose" topic of RACDCERT ADD.

For a description of label-name, see the description of the WITHLABEL keyword for RACDCERT ADD.

FORCE
Specifies that RACF should bypass the following error checking and unconditionally perform the delete operation.
If you do not specify FORCE to bypass these conditions, an error message is issued and the command ends:
  • The certificate being deleted has been used to generate a request through RACDCERT GENREQ.
  • The private key associated with the certificate is a secure key in the PKDS or TKDS, but it no longer exists.
Note: Use this keyword with caution to force the deletion of a certificate.
ID(certificate-owner) | SITE | CERTAUTH
Specifies that the specified certificate is either a user certificate associated with the specified user ID, a site certificate, or a certificate-authority certificate. If you do not specify ID, SITE, or CERTAUTH, the default is ID, and certificate-owner defaults to the user ID of the command issuer. If more than one keyword is specified, the last specified keyword is processed and the others are ignored by TSO command parse processing.
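The authorization rules (Tables 1 and 2, the SPECIAL attribute, the CSFSERV resources) and the FORCE preconditions above are easy to misjudge when planning a cleanup of residual certificates. The following Python model is an added example written for this page, not IBM's RACF code: it encodes those rules so an administrator can pre-check a planned delete offline and render the command to issue. The Principal and Certificate records are constructed sample data; treating FACILITY and RDATALIB authority as alternatives follows the "or" in the authorization text, and applying the CSFSERV check even to SPECIAL users is an assumption of the model.

```python
"""Offline model of the RACDCERT DELETE authorization and FORCE rules.

Added example, not IBM code. It encodes:
  - Table 1: FACILITY class access levels on IRR.DIGTCERT.DELETE
  - Table 2: RDATALIB granular resource IRR.DIGTCERT.<owner>.<label>.UPD.DELETE
  - the SPECIAL attribute override and the CSFSERV resources for PKDS/TKDS keys
  - the two conditions under which the delete ends in error unless FORCE is given
Principal/Certificate values are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Optional

# RACF access levels in increasing order; a higher level satisfies a lower one.
ACCESS_ORDER = {"NONE": 0, "READ": 1, "UPDATE": 2, "CONTROL": 3, "ALTER": 4}


@dataclass
class Certificate:
    owner: str                           # RACF user ID, "SITE", or "CERTAUTH"
    label: str
    key_store: Optional[str] = None      # None, "PKDS" or "TKDS" for an ICSF-stored key
    key_exists: bool = True              # False models a secure key that no longer exists
    genreq_issued: bool = False          # True once RACDCERT GENREQ has used this cert


@dataclass
class Principal:
    userid: str
    special: bool = False
    access: dict = field(default_factory=dict)   # constructed: (class, resource) -> level

    def has(self, cls, resource, level):
        held = self.access.get((cls, resource), "NONE")
        return ACCESS_ORDER[held] >= ACCESS_ORDER[level]


def rdatalib_owner(owner):
    """Map a certificate owner to the <cert owner> qualifier of Table 2."""
    return {"CERTAUTH": "CERTIFAUTH", "SITE": "SITECERTIF"}.get(owner, owner)


def granular_resource(cert):
    """RDATALIB resource checked when IRR.RACDCERT.GRANULAR is defined (Table 2)."""
    return f"IRR.DIGTCERT.{rdatalib_owner(cert.owner)}.{cert.label}.UPD.DELETE"


def facility_level(issuer, cert):
    """FACILITY access to IRR.DIGTCERT.DELETE required by Table 1."""
    if cert.owner in ("SITE", "CERTAUTH"):
        return "CONTROL"
    return "READ" if cert.owner == issuer.userid else "UPDATE"


def csfserv_resources(cert):
    """CSFSERV resources that need READ when the private key lives in ICSF."""
    return {"PKDS": {"CSFIQF", "CSFPKRD"}, "TKDS": {"CSFIQF", "CSF1TRD"}}.get(cert.key_store, set())


def force_reasons(cert):
    """Conditions that end RACDCERT DELETE with an error unless FORCE is specified."""
    reasons = []
    if cert.genreq_issued:   # message text taken from Example 2 on this page
        reasons.append("IRRD198I The certificate has been used for generating a request.")
    if cert.key_store in ("PKDS", "TKDS") and not cert.key_exists:
        reasons.append(f"secure private key in the {cert.key_store} no longer exists")
    return reasons


def authorized(issuer, cert, granular_enabled=False, csfserv_active=False):
    """Return (ok, reason) for issuer deleting cert under the page's rules."""
    needed = csfserv_resources(cert)
    if csfserv_active and not all(issuer.has("CSFSERV", r, "READ") for r in needed):
        return False, "missing READ access to CSFSERV " + ", ".join(sorted(needed))
    if issuer.special:
        return True, "SPECIAL attribute"
    level = facility_level(issuer, cert)
    if issuer.has("FACILITY", "IRR.DIGTCERT.DELETE", level):
        return True, f"{level} on IRR.DIGTCERT.DELETE (Table 1)"
    if granular_enabled and issuer.has("RDATALIB", granular_resource(cert), "READ"):
        return True, f"READ on {granular_resource(cert)} (Table 2)"
    return False, "insufficient authority"


def build_command(cert, force=False):
    """Render the command; the label keeps blanks and case exactly as RACDCERT LIST shows them."""
    target = cert.owner if cert.owner in ("SITE", "CERTAUTH") else f"ID({cert.owner})"
    return f"RACDCERT DELETE(LABEL('{cert.label}')) {target}" + (" FORCE" if force else "")


def plan_delete(issuer, cert, force=False, granular_enabled=False, csfserv_active=False):
    """Combine the authority check and the FORCE preconditions into one verdict."""
    ok, reason = authorized(issuer, cert, granular_enabled, csfserv_active)
    if not ok:
        return False, reason
    blockers = force_reasons(cert)
    if blockers and not force:
        return False, blockers[0] + " It was not deleted."
    return True, build_command(cert, force)


if __name__ == "__main__":
    racfadm = Principal("RACFADM", special=True)
    print(plan_delete(racfadm, Certificate("NETB0Y", "Savings Account")))
    print(plan_delete(racfadm, Certificate("NETB0Y", "Savings Account", genreq_issued=True)))
```

Running the block reproduces the two examples at the end of this page: the first plan yields the DELETE command, the second is refused with the IRRD198I text until force=True is passed, which appends FORCE to the rendered command.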

Examples

Example 1
  Operation:  User RACFADM wants to delete the digital certificate labeled Savings Account for user NETB0Y.
  Known:      User RACFADM has SPECIAL authority.
  Command:
    RACDCERT DELETE(LABEL('Savings Account')) ID(NETB0Y)
  Output:     None.

Example 2
  Operation:  User RACFADM issues a GENREQ for the certificate labeled Savings Account for user NETB0Y so that the request can be sent to and signed by a Certificate Authority. To prevent the certificate and its private key from being deleted before the Certificate Authority returns the signed certificate, the certificate cannot be deleted without the FORCE keyword.
  Known:      User RACFADM has SPECIAL authority.
  Command:
    RACDCERT ID (NETB0Y) GENREQ (LABEL('Savings Account')) dsn('Request.cert')
    RACDCERT ID (NETB0Y) DELETE (LABEL('Savings Account'))
  Output:     IRRD198I The certificate has been used for generating a request. It was not deleted.