We need to create a certificate request to be sent to a CA, and after that the certificate will be published on our website so other companies can download it and use it to communicate with us through some data transfer applications. As far as I know, a certificate signing request (CSR) is assembled with one of our public keys and a digital signature (a hash value encrypted with our paired private key). The RACF tool and the SSL libraries for z/OS provide two ways to generate a certificate request without needing to go deep. But:

1) The RACF tool, called RACDCERT, offers a GENREQ function that allows me to create a certificate request, but unfortunately this certificate request must be based on an already existing certificate created by the GENCERT function, which also generates a key pair. So I do not have much control over key creation and cannot point it to use my already existing PKDS keys.

2) Certificate Management Services (CMS) provides the SSL library function gsk_create_certification_request() to create a CSR, but it also generates a new key pair. There is another function, called gsk_create_renewal_request(), that seems to allow the input public and private key references to be used to assemble the CSR, but there is no mention of whether it may look in the PKDS for them.

So, what I want here is to create a certificate request based on an already existing public/private key pair stored in our PKDS, just pointing to their labels and supplying some extra parameters (like the distinguished names, which message digest and asymmetric algorithms are used for the digital signature, etc.). But I see no ICSF callable service allowing me to do this.
Looks like ICSF and SSL support on z/OS are two different worlds aimed for security purposes, but they do not communicate very well. What can I do?

