TSS adds an extension to the certificate telling that CA SAF genned this cert.
Inorder to see this the client needs to run the CA Top Secret SAF cert utility.
//SAFRPTCR EXEC PGM=SAFCRRPT,REGION=0M,PARM=''
//SYSUDUMP DD SYSOUT=*
//SYSPRINT DD SYSOUT=*
//SYSIN DD *
RECORDID(-) detail ext
Then find the cert in question and look at the extension section. If CA SAF genned the cert, one
will, see this:
Extensions X509v3 Key Usage
X509v3 Basic Constraints
>>>>> Generated by CA SAF Certificate Management Facility <<<<<<<<