What Determines Whether A Certificate Is A Duplicate In CA Top Secret?

Document ID : KB000016072
Last Modified Date : 14/02/2018
Introduction:

How does CA Top Secret determine whether a duplicate certificate exists on the security file?

Question:

I had a problem creating a digital certificate to use for authentication to a non-z/OS server platform.

We are in the process of adding a number of certificates that will be used for authentication between the mainframe and servers and need to know how to create them correctly so we can establish a standard to create working certificates in a predictable way.

When creating the certificate in CA Top Secret with the TSS GENCERT command, the DIGICERT and LABEL keyword values did not match another certificate. However, the Distinguished Name value in the SUBJECTN keyword, the server name, did.

I was only able to add the certificate after removing it from the ACID that already had the same SUBJECTN value.

What determines whether a certificate is a duplicate?

Answer:

The following determines whether the certificate is a duplicate:

  1. The subject distinguished name ***AND*** issuer distinguished name should be unique. There should be no other certificate with the same subject distinguished name ***AND*** issuer distinguished name.

  2. The DIGICERT name should also be unique.

  3. The LABLCERT must be unique for each owning ACID. For example, you can't have two certificates owned by USERA with the same LABLCERT.

You can have a duplicate LABLCERT as long as the owning ACIDs are different.

Example:

USERA has a DIGICERT name of CERTA with LABLCERT(JOE) and USERB has a DIGICERT name of CERTB with LABLCERT(JOE).
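
The three rules above can be checked against a certificate inventory before running TSS GENCERT. The following is an added example, not CA Top Secret code: the `Cert` fields, the sample inventory and the DN normalization (case and spacing ignored) are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    acid: str        # owning ACID
    digicert: str    # DIGICERT name
    lablcert: str    # LABLCERT value
    subject_dn: str  # subject distinguished name
    issuer_dn: str   # issuer distinguished name

def _norm(dn: str) -> str:
    # Assumption: DNs are compared ignoring case and spaces around commas.
    return ",".join(part.strip().upper() for part in dn.split(","))

def duplicate_reasons(new: Cert, existing: list[Cert]) -> list[str]:
    """Return which of the three rules the candidate would violate."""
    reasons = []
    new_pair = (_norm(new.subject_dn), _norm(new.issuer_dn))
    for c in existing:
        # Rule 1: subject DN AND issuer DN together must be unique.
        if (_norm(c.subject_dn), _norm(c.issuer_dn)) == new_pair:
            reasons.append("DN")
        # Rule 2: the DIGICERT name must be unique.
        if c.digicert.upper() == new.digicert.upper():
            reasons.append("DIGICERT")
        # Rule 3: LABLCERT must be unique per owning ACID
        # (labels compared exactly; an assumption of this sketch).
        if c.acid.upper() == new.acid.upper() and c.lablcert == new.lablcert:
            reasons.append("LABLCERT")
    return reasons

# Constructed sample inventory: one certificate already on the security file.
INVENTORY = [
    Cert("USERA", "CERTA", "JOE", "CN=server1.example.com, O=Example",
         "CN=Example Issuing CA"),
]

if __name__ == "__main__":
    # The situation in the question: new DIGICERT and label, same subject DN
    # (and here the same issuer) as a certificate owned by another ACID.
    candidate = Cert("USERB", "CERTB", "SRV1", "cn=server1.example.com,o=Example",
                     "CN=Example Issuing CA")
    print(duplicate_reasons(candidate, INVENTORY))
```
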