CA XCOM Creating Certificates on a Partner using the same Root Certificate

Document ID : KB000009506
Last Modified Date : 14/02/2018
Show Technical Document Details

How to Create Certificates on a CA XCOM Partner using the same Root Certificate.


I know I must have the same root certificate on all the platforms. How do I accomplish that? I have already created my certificates on my PC. The directory structure is different on the various machines.


Once you have created the root certificate on your machine, you can create certificates using that root for your partners. The files required for the root certificate are cassl.pem and casslkey.pem.

  1. Go to the partner system 

  2. Edit the configssl.cnf, cassl.conf, clientssl.conf, and serverssl.conf configuration files and specify the directory path for this machine.

  3. On the partner system run makeca only. This will create the CERTS and PRIVATE directories with the cassl.pem and casslkey.pem files.

    NOTE: You must run the makeca on this machine because it generates the random.pem file. Without that file file transfers will not work 

  4. Now you can either perform a CA XCOM transfer from that partner to RECEIVE the cassl.pem and casslkey.pem file from your machine and it will overwrite the ones just created earlier. This is a non-SSL transfer and the encoding should be BINARY OR ASCII (See Special Considerations when Transferring the Root Certificate Below).

    Alternatively you can use FTP to transfer the files from the machine on which you created the files. 

  5. Run the list scripts (i.e. listca, listserver, listclient) to verify that the certificates were transferred correctly
Note: You need to repeat this procedure for every partner that will be sending and receiving encrypted transfers.

Special Considerations when Transferring the Root Certificate

The end of line sequence is different on Windows than on UNIX and Linux.

If the partners are UNIX or Linux and z/OS then create the cassl.pem and casslkey.pem files first on UNIX or Linux. This way you can transfer them from UNIX or Linux in ASCII mode. The files are in text mode and they will transfer successfully

If the partners are Windows and z/OS and you create the certificates initially on Windows you will then need to do the following:

  1. Open the cassl.pem file to be sent in Wordpad

  2. In Wordpad do a File/Save As. Give the certificates a new name and save it in text format, you will get a message that the file is being written in a text only format and you will need to say YES/OK to continue.

  3. Wordpad will also append a .txt extension to the saved certificate.

  4. Repeat for the casslkey.pem file

Once you have saved the certificate files you can transfer them to z/OS as ASCII files

NOTE: This is required because  the Windows certificates have an end of line sequence which is a carriage return, linefeed (x0D x0A). With Unix or Linux there is an end of line character which is linefeed (x0A). So, before you send the certificates to z/OS you need to use some utility that will convert the linefeeds to carriage return line feeds. In the example above, it is the Windows Wordpad Utility.