RACDCERT DELETE (Delete certificate)
Purpose
Use the RACDCERT DELETE command to delete a digital certificate.
When you delete a certificate that is connected to a key ring, the certificate is automatically removed from the key ring.
The DELETE function also supports site and certificate-authority certificates, and the deletion of the private key and other certificate data that is stored when the certificate was created.
When a user profile is deleted with the DELUSER command, related DIGTCERT, DIGTRING, and DIGTNMAP profiles are deleted as a part of DELUSER processing. However, under some circumstances, residual profiles might not be deleted. For example, if you issue the DELUSER command from a z/VM® system (which does not support digital certificates), the profiles might not be deleted. The DELETE, DELRING, and DELMAP keywords for RACDCERT therefore accept a user ID that is no longer defined to RACF, so that residual certificate information related to that user ID can be deleted. The other RACDCERT functions require the user ID to be defined to RACF.
See UTF-8 and BMP character restrictions for information about how UTF-8 and BMP characters in certificate names and labels are processed by RACDCERT functions.
Issuing options
As a RACF TSO command? | As a RACF operator command? | With command direction? | With automatic command direction? | From the RACF parameter library? |
---|---|---|---|---|
Yes | No | No. (See rules.) | No. (See rules.) | No |
- The RACDCERT command cannot be directed to a remote system using the AT or ONLYAT keyword.
- The updates made to the RACF database by RACDCERT are eligible for propagation with automatic direction of application updates based on the RRSFDATA profiles AUTODIRECT.target-node.DIGTCERT.APPL and AUTODIRECT.target-node.DIGTRING.APPL, where target-node is the remote node to which the update is to be propagated.
Authorization required
To issue the RACDCERT DELETE command, you must have one of the following:
- The SPECIAL attribute, or
- Sufficient authority to the IRR.DIGTCERT.DELETE resource in the FACILITY class for your intended purpose, as shown in Table 1, or
- Sufficient authority to the appropriate resources in the RDATALIB class, as shown in Table 2, if granular authority checking has been enabled by defining the IRR.RACDCERT.GRANULAR resource in the RDATALIB class.
- If the certificate you are deleting has a key stored in the ICSF PKA key data set (PKDS), you must have READ access to the CSFIQF and CSFPKRD resources.
- If the certificate you are deleting has a key stored in the ICSF Token Data Set (TKDS), you must have READ access to the CSFIQF and CSF1TRD resources.
For details about the CSFSERV resources, see z/OS Cryptographic Services ICSF Administrator's Guide.
Table 1. Authority required for the IRR.DIGTCERT.DELETE resource in the FACILITY class
Access level | Purpose |
---|---|
READ | Delete your own certificate. |
UPDATE | Delete another user's certificate. |
CONTROL | Delete a SITE or CERTAUTH certificate. |
Table 2. Authority required for RDATALIB class resources when granular authority checking is enabled
READ access to the resource based on cert owner and cert label * | Purpose |
---|---|
IRR.DIGTCERT.<cert owner>.<cert label>.UPD.DELETE | Delete a certificate under <cert owner> with specified <cert label> |
Activating your changes
If the DIGTCERT or DIGTRING class is RACLISTed, refresh the classes to activate your changes.
SETROPTS RACLIST(DIGTCERT, DIGTRING) REFRESH
Related commands
- To add a certificate, see RACDCERT ADD (Add certificate).
- To alter a certificate, see RACDCERT ALTER (Alter certificate).
- To list a certificate, see RACDCERT LIST (List certificate).
Syntax
For the key to the symbols used in the command syntax diagrams, see Syntax of RACF commands and operands. The complete syntax of the RACDCERT DELETE command is:
If you specify more than one RACDCERT function, only the last specified function is processed. Extraneous keywords that are not related to the function being performed are ignored.
If you do not specify a RACDCERT function, LIST is the default function.
For information on issuing this command as a RACF TSO command, refer to RACF TSO commands.
Parameters
- DELETE(LABEL('label-name'))
- DELETE(SERIALNUMBER(serial-number) ISSUERSDN('issuer's-dn'))
- If the user has only one certificate, the SERIALNUMBER and ISSUERSDN keywords, or the LABEL keyword, and their associated values can be omitted. If the user has more than one certificate, the LABEL, SERIALNUMBER, or SERIALNUMBER and ISSUERSDN must be used to select which certificate to delete.
When specifying the issuer's distinguished name or the label, you must specify any mixed-case or blank characters exactly as they appear in the output of the RACDCERT LIST command for the certificate.
Restriction: The ISSUERSDN keyword is not supported for lengthy issuer's distinguished names when the name of the certificate's DIGTCERT profile contains a certificate hash value. For more information about DIGTCERT profile names, see the "Purpose" topic of RACDCERT ADD.
For a description of label-name, see the description of the WITHLABEL keyword for RACDCERT ADD.
- FORCE
- Specifies that RACF should bypass the following error checking and unconditionally perform the delete operation. If you do not specify FORCE to bypass these conditions, an error message is issued and the command ends:
- The certificate being deleted has been used to generate a request through RACDCERT GENREQ.
- The private key associated with the certificate is a secure key in the PKDS or TKDS, but it no longer exists.
Note: Use this keyword with caution to force the deletion of a certificate.
- ID(certificate-owner) | SITE | CERTAUTH
- Specifies that the specified certificate is either a user certificate associated with the specified user ID, a site certificate, or a certificate-authority certificate. If you do not specify ID, SITE, or CERTAUTH, the default is ID, and certificate-owner defaults to the user ID of the command issuer. If more than one keyword is specified, the last specified keyword is processed and the others are ignored by TSO command parse processing.
Examples
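The following sequence is an added example, not from the IBM reference page, that covers both the "Authorization required" topic and the DELETE parameters above. It shows a security administrator granting a user the minimum FACILITY class authority to delete only that user's own certificates, the user confirming the exact label and issuer's DN with RACDCERT LIST before deleting, and the deletion forms the command accepts. The commands are TSO commands as they would be entered interactively or from a CLIST; the /* */ lines are comments. The user ID WEBADM, the labels, the serial number, and the issuer's DN are constructed placeholders.

```tso
/* Administrator: grant WEBADM READ on IRR.DIGTCERT.DELETE so it can */
/* delete only its own certificates (READ = own, UPDATE = other users', */
/* CONTROL = SITE or CERTAUTH). UACC(NONE) keeps everyone else out. */
RDEFINE FACILITY IRR.DIGTCERT.DELETE UACC(NONE)
PERMIT IRR.DIGTCERT.DELETE CLASS(FACILITY) ID(WEBADM) ACCESS(READ)
SETROPTS RACLIST(FACILITY) REFRESH

/* WEBADM: list the certificate first. The label, serial number and */
/* issuer's DN used below must match this output exactly, including */
/* mixed case and blanks. */
RACDCERT ID(WEBADM) LIST(LABEL('Web Server Cert'))

/* Delete by label. If the certificate is connected to a key ring it is */
/* removed from the ring automatically; the stored private key and */
/* other certificate data are deleted with it. */
RACDCERT ID(WEBADM) DELETE(LABEL('Web Server Cert'))

/* Delete by serial number (hexadecimal, as shown by LIST) and issuer's */
/* DN when more than one certificate exists and the label is not used. */
RACDCERT ID(WEBADM) DELETE(SERIALNUMBER(1A2B3C) +
   ISSUERSDN('CN=Example CA,O=Example,C=US'))

/* A certificate-authority certificate needs CONTROL on */
/* IRR.DIGTCERT.DELETE (or SPECIAL); WEBADM's READ is not enough. */
RACDCERT CERTAUTH DELETE(LABEL('Example CA'))

/* FORCE bypasses the GENREQ-in-use and missing-secure-key checks. */
/* Without it, the command ends with an error message in those cases. */
RACDCERT ID(WEBADM) DELETE(LABEL('Old Request Cert')) FORCE

/* Activate the changes if DIGTCERT or DIGTRING is RACLISTed. */
SETROPTS RACLIST(DIGTCERT DIGTRING) REFRESH
```

The LIST step before each DELETE is the check that matters operationally: because DELETE also discards the private key, a deletion made against the wrong label cannot be undone by re-adding the certificate unless the key material was exported beforehand.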