What is the best way to export our personal certificate with it's private key and signing chain for the certificates to deploy to the other side for use in a SSL connection?

Document ID : KB000033628
Last Modified Date : 14/02/2018
Show Technical Document Details

Question:  

 

What is the best way to export our personal certificate with it's private key and signing chain for the certificates to deploy to the other side for use in a SSL connection? 

Answer:  

When deploying certificates for use in a SSL connection the ACF2, TSO, ACF EXPORT sub-command can be used to export an X.509 digital certificate from the CA ACF2 database and put it into a z/OS data set. 

 

 

With client-certificate authentication, the secret (the private key) never leaves the client and doesn't go(get deployed) to the server. Whether you 

trust the server or not (you should check that first anyway, though), your private key will not be leaked. When setting up certificates for an application 

to be used for a SSL connection for Server Authentication, the server side's Personal Server Certificate does not need to be deployed to the Client side,

only the CERTAUTH signing certificate or the signing certificate chain needs to be deployed to the Client side. 

 

If a site is deploying certificates internally from one lpar to another to setup a SSL connection then the Personal certificate with Private Key and complete CERTAUTH

certificate signing chain can be deployed using the ACF2, TSO, ACF EXPORT sub-command.

 

Your private key can be exported using the PKCS12DER or PKCS12B64 format options. Using these options will generate a PKCS #12 certificate package containing the user certificate, its private key, and all certificate-authority certificates necessary to complete the chain of certificates from user certificate to root certificate-authority certificate. 

 

By default the TSO, ACF EXPORT sub-command will not include the private key unless the PKCS12DER or PKCS12B64 format options with the PASSWORD option is specified. 

 

Notes: 

  1. The PASSWORD option is required with the PKCS12DER or PKCS12B64 format options, however if only the PASSWORD option is specified the format will default to PKCS12B64.
     
  2. For the TSO, ACF EXPORT command if the PASSWORD is not specified the private key of the digital certificate will not be exported. 

 

Additional Information: 

 

Details on the TSO ACF EXPORT sub-command can be found in the CA ACF2 for z/OS Administration Guide, Chapter 26: Digital Certificate Support, section 

'Processing Digital Certifications with CA ACF2'.