RACDCERT LIST (List certificate)
Purpose
Use the RACDCERT LIST command to display digital certificate information, including certificate authority and site certificate information. You can also use the RACDCERT LIST command to list all certificates owned by a user ID.
Because the virtual key ring for a user ID consists of all certificates owned by the user ID, using the RACDCERT LIST command to list all certificates owned by a user ID is the same as listing the contents of the virtual key ring for that user ID. The following information is displayed for each certificate:
- Label
- Certificate ID
- Status (trusted, not trusted, or highly trusted)
- Validity dates
- Serial number
- Issuer's distinguished name
- Up to 256 bytes of the subject's name, as found in the certificate itself
- Signing algorithm (md2RSA, md5RSA, sha1RSA, sha1DSA, sha256DSA, sha256RSA, sha224RSA, sha224DSA, sha384RSA, sha512RSA, sha1ECDSA, sha256ECDSA, sha224ECDSA, sha384ECDSA, sha512ECDSA or UNKNOWN if none of the preceding)
- Extensions, if present (specifically, keyUsage and subjectAltName)
- Key type:
  - RSA (if the certificate was installed in RACF with no key type specified or with keyword RSA)
  - RSA Mod-Exp (if the certificate was installed in RACF with keyword ICSF)
  - DSA (if the certificate was installed in RACF with keyword DSA)
  - NIST ECC (if the certificate was installed in RACF with keyword NISTECC)
  - Brainpool ECC (if the certificate was installed in RACF with keyword BPECC)
- Key size
- Presence of a private key (YES or NO)
- PKDS label, if the public or private key is stored in the ICSF PKA key data set (PKDS); TKDS token and TKDS ID, if the private key is stored in the ICSF Token data set (TKDS)
- Ring associations, if present (the ring name to which this certificate is connected and the ring owner)
See UTF-8 and BMP character restrictions for information about how UTF-8 and BMP characters in certificate names are displayed using RACDCERT functions.
Issuing options
As a RACF® TSO command? | As a RACF operator command? | With command direction? | With automatic command direction? | From the RACF parameter library? |
---|---|---|---|---|
Yes | No | No. (See rules.) | No. (See rules.) | No |
- The RACDCERT command cannot be directed to a remote system using the AT or ONLYAT keyword.
- The updates made to the RACF database by RACDCERT are eligible for propagation with automatic direction of application updates based on the RRSFDATA profiles AUTODIRECT.target-node.DIGTCERT.APPL and AUTODIRECT.target-node.DIGTRING.APPL, where target-node is the remote node to which the update is to be propagated.
Authorization required
IRR.DIGTCERT.LIST

Access level | Purpose |
---|---|
READ | List your own certificate. |
UPDATE | List another user's certificate. |
CONTROL | List SITE or CERTAUTH certificates. |
Related commands
- To list a key ring, see RACDCERT LISTRING.
- To list a token, see RACDCERT LISTTOKEN.
Syntax
For the key to the symbols used in the command syntax diagrams, see Syntax of RACF commands and operands. The complete syntax of the RACDCERT LIST command is:
(Syntax diagram not reproduced on this page.)
If you specify more than one RACDCERT function, only the last specified function is processed. Extraneous keywords that are not related to the function being performed are ignored.
If you do not specify a RACDCERT function, LIST is the default function.
For information on issuing this command as a RACF TSO command, refer to RACF TSO commands.
Parameters
- LIST(LABEL('label-name'))
- LIST(SERIALNUMBER(serial-number) ISSUERSDN('issuer's-dn'))
- If the RACDCERT command is issued with no other operands, LIST is the default and the RACDCERT command lists the command issuer's digital certificate information. If the RACDCERT command is issued with the ID keyword and no other operands, it lists the digital certificate information associated with the user ID specified with the ID keyword.
The issuer's distinguished name and the subject's distinguished name can contain blanks. If the name displayed in the output is subsequently entered with the ISSUERSDN keyword, the blanks must be included. In the output of LIST, the characters > and < are used to mark the beginning and end of the serial number, issuer's name, and subject's name. When information continues to the next line, < appears in column 79 of the output, and > appears in column 9 of the continuation line.
If the user has only one certificate, or if all certificates are to be displayed, the SERIALNUMBER and ISSUERSDN keywords, or the LABEL keyword, and their associated values can be omitted. If the user has more than one certificate, the LABEL keyword, the SERIALNUMBER keyword, or SERIALNUMBER together with ISSUERSDN can be used to select which certificate to list.
When specifying the issuer's distinguished name or the label, you must specify any mixed-case or blank characters exactly as they are defined in the certificate.
Restriction: The ISSUERSDN keyword is not supported for lengthy issuer's distinguished names when the name of the certificate's DIGTCERT profile contains a certificate hash value. For more information about DIGTCERT profile names, see the "Purpose" topic of RACDCERT ADD.
For a description of label-name, see the description of the WITHLABEL keyword for RACDCERT ADD.
If present, the SubjectAltName values are displayed under the heading Subject's AltNames. The subheadings IP, EMail, Domain, and URI are followed by their first value. If more than one line is required to display the value, the additional lines start in the same column. The word at replaces the @ symbol in the email address. Example:
    EMail: JRoenick at US.Mycompany.Com-More-Info-About-An-EMail-Addr
           ess-follows-Some-More-Info-About-An-EMail-Address
If present, the keyUsage values are displayed next to the heading Key Usage. The possible values are:
- HANDSHAKE - indicates digitalSignature and keyEncipherment are on
- DATAENCRYPT - indicates dataEncipherment is on
- DOCSIGN - indicates nonRepudiation is on
- CERTSIGN - indicates keyCertSign and cRLSign are on
- KEYAGREE - indicates keyAgreement is on
The keyUsage values are displayed as GENCERT options separated by commas. Example:
    Key Usage: HANDSHAKE, CERTSIGN
Note: If the certificate was created using a previous z/OS release of RACF that did not support certificate labels, the certificate listing contains the following output:
    No label assigned
- ID(certificate-owner) | SITE | CERTAUTH
- Specifies that the certificate to list is either a user certificate associated with the specified user ID, a site certificate, or a certificate-authority certificate. If you do not specify ID, SITE, or CERTAUTH, the default is ID, and certificate-owner defaults to the user ID of the command issuer. If more than one keyword is specified, the last specified keyword is processed and the others are ignored by TSO command parse processing.
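Working from the output conventions described above (the > and < markers, continuation in columns 79 and 9, the word at in place of @, and comma-separated Key Usage values), here is an added Python example, not part of the IBM documentation, that parses one certificate's LIST output and flags a certificate whose status is not trusted or whose End Date has passed. The sample listing, its exact heading layout and the status word TRUST are assumptions, since the page does not reproduce a complete listing.

```python
from datetime import datetime

# Constructed sample of RACDCERT LIST output following the rules on this page
# (not captured from a real system): values sit between > and <, a continued
# value ends with < in column 79 and resumes with > in column 9, "at" means @.
SAMPLE = """\
  Label: Server Cert
  Status: TRUST
  End Date:   2025/06/30 23:59:59
  Serial Number:
        >1A<
  Issuer's Name:
        >CN=Example CA.OU=Security.O=Mycompany.C=US<
  Subject's Name:
        >CN=JRoenick.OU=Engineering with a very long organizational unit name.<
        >O=Mycompany.C=US<
  Subject's AltNames:
    EMail: JRoenick at US.Mycompany.Com
  Signing Algorithm: sha256RSA
  Key Usage: HANDSHAKE, CERTSIGN
"""

FIELDS = ("Serial Number", "Issuer's Name", "Subject's Name")

def parse_racdcert_list(text):
    """Parse one certificate's RACDCERT LIST output into a dict."""
    cert, pending, continued = {}, None, False
    for line in text.splitlines():
        s = line.strip()
        if pending and s.startswith(">") and s.endswith("<"):
            cert[pending] = (cert[pending] if continued else "") + s[1:-1]
            continued = len(line) == 79   # < in column 79: value continues
            continue
        pending, continued = None, False
        key, sep, value = s.partition(":")
        value = value.strip()
        if key in FIELDS:                 # bracketed by > and <, may wrap
            pending, cert[key] = key, ""
        elif key == "Key Usage":          # GENCERT options, comma separated
            cert[key] = [v.strip() for v in value.split(",")]
        elif key == "EMail":              # RACF prints " at " instead of @
            cert[key] = value.replace(" at ", "@", 1)
        elif sep and value:
            cert[key] = value
    return cert

def needs_attention(cert, today):
    """True if status is not TRUST or End Date is before today (YYYY/MM/DD)."""
    end = datetime.strptime(cert["End Date"], "%Y/%m/%d %H:%M:%S")
    return cert.get("Status") != "TRUST" or end < datetime.strptime(today, "%Y/%m/%d")
```

Run the parser over each certificate block of a real listing and feed the results to needs_attention to build a quick review of untrusted or expired certificates.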
Examples
(Examples not reproduced on this page.)