Is there a simple way to List Digital Certificate Extensions?

Document ID : KB000025519
Last Modified Date : 14/02/2018

Question:  

Is there a report or utility that will show if a certificate has any extensions?

Answer: 

CA ACF2 has a utility report called SAFCRRPT that can provide this information, and more, about the digital certificates and keyrings in the CA ACF2 INFOSTG database. The following is an example of the JCL and parameters that can be used for that report, followed by sample output.

To list the extensions in a certificate:

//jobname JOB account-number,'SAFCRRPT',MSGCLASS=X,NOTIFY=user  
//       EXEC PGM=SAFCRRPT,PARM='RECORDID(USRTI01)'     
//SYSPRINT DD SYSOUT=*
//SYSIN DD *
DETAIL EXT                                                         
//REC0001  DD DSN=SYS1.MAN4,DISP=SHR                           
//* 
                                                                        
 
Report Parameters:                  
     RECORDID(USRTI01) DETAIL EXT       
 
Record id - USRTI01.DSACA              Signed by:  None - Self-Signed           
          Label           USRTI01.DSACA                                         
          Serial #  -     00                                                    
          Issuer  DN -    CN=DSA Certificate Signer.T=DSA Tests.OU=CA.O=QA.L=Plano.ST=TX.C=US                                       
          Subject DN -    CN=DSA Certificate Signer.T=DSA Tests.OU=CA.O=QA.L=Plano.ST=TX.C=US                                       
          Active Date     2006/06/20                                            
          Expire Date     2030/12/31
          Extensions      keyUsage                         <--- Extensions for this cert
                          basicConstraints
                          Netscape certificate comment
                          subjectKeyIdentifier
          Public Key      0000  3081F130 81A80607 2A8648CE 38040130             
                          0010  819C0241 009CCDBC 777139A5 483E5C33
                          0020  A59DCA12 0B973439 9DF20125 D348921D
                          0030  0CB98365 458FE1B9 477289ED FFFDB6C4
                          0040  5FB72C80 02063295 70DAC55C F9C7CF90
                          0050  129649E5 D9021500 D523EEE1 E3F462CD
                          0060  D670146B 2BBB2846 FA61423D 02407A9E
                          0070  59340070 925725BA F65AD7CD 86170C84
                          0080  5D6D8513 CE0B9DA9 722EBFA4 374D76A0
                          0090  CAEBF1FE 2A06E691 3E2A984B DD976D9B
                          00A0  F092B0A3 646FC42F 918D63B7 4BE50344
                          00B0  00024100 8D3E1B12 01EA623B D725E762
                          00C0  58ADAA3D A80A98CE 4E301F08 42AA86C6
                          00D0  1AD9E297 CDB4E290 390B0CE9 AD0711BF
                          00E0  F371DB3E 251949D7 9A8C9F1E E3318D71
                          00F0  6BBC3A91
          Signer of -     USRTI01.DSA1      USRTI01.DSA4      USRTI01.SOTEDSA
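
When many records have to be checked, the SYSPRINT output can be saved and post-processed. The Python below is an added example, not part of SAFCRRPT or the CA documentation. It assumes the report layout shown above (the field labels and the indented continuation lines) and runs on a constructed sample that includes a made-up record, USRTI01.NOEXT, with no Extensions field.

```python
import re

# Constructed sample: trimmed copy of the report above, plus a made-up record
# (USRTI01.NOEXT) that has no Extensions field, to show the empty case.
SAMPLE = """\
Record id - USRTI01.DSACA              Signed by:  None - Self-Signed
          Label           USRTI01.DSACA
          Serial #  -     00
          Extensions      keyUsage
                          basicConstraints
                          Netscape certificate comment
                          subjectKeyIdentifier
          Public Key      0000  3081F130 81A80607 2A8648CE 38040130
          Signer of -     USRTI01.DSA1      USRTI01.DSA4      USRTI01.SOTEDSA
Record id - USRTI01.NOEXT              Signed by:  USRTI01.DSACA
          Label           USRTI01.NOEXT
"""

RECORD = re.compile(r"^\s*Record id\s*-\s*(\S+)")
# Assumption: these are the only field labels; other lines are continuations.
FIELD = re.compile(r"^\s*(Label|Serial #|Issuer\s+DN|Subject\s+DN|Active Date|Expire Date|"
                   r"Extensions|Public Key|Signer of)(?:\s+-)?(?:\s+(.*))?$")

def extensions_by_record(report_text):
    """Map each record id to the extension names listed under it."""
    result, current, in_ext = {}, None, False
    for line in report_text.splitlines():
        rec = RECORD.match(line)
        if rec:
            current, in_ext = rec.group(1), False
            result[current] = []
            continue
        if current is None:
            continue
        field = FIELD.match(line)
        if field:
            in_ext = field.group(1) == "Extensions"
            value = field.group(2) or ""
        else:
            value = line if in_ext else ""
        # Drop hand-written "<---" notes like the one in the sample above.
        value = value.split("<---")[0].strip()
        if in_ext and value:
            result[current].append(value)
    return result

if __name__ == "__main__":
    for rec_id, exts in extensions_by_record(SAMPLE).items():
        print(rec_id, "->", ", ".join(exts) or "(none listed)")
```

An empty list means the report printed no Extensions lines for that record; review those records against the site's certificate policy.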

Additional Information:

Details on the SAFCRRPT can be found in the CA ACF2 for z/OS Reports and Utilities Guide in Chapter 24 "Other eTrust CA-ACF2 Utilities".