Let me do my best here.

Yes, you can generate a CSR, typically including multiple SANs, with OpenSSL 
(any platform), gskkyman, or even on a CA Web site (or in the case of an 
in-house CA, using their certificate management tools).

Yes, you should be able to import that certificate when signed and its private 
key into RACF. Check out RACDCERT IMPORT. There is a risk in having the private 
key floating around in e-mails or whatever. It is supposed to be private after 
all.

I don't know health checker at all but I would be very surprised if it 
"discriminated against" certificates imported from elsewhere. It supports CA 
certificates, right? They are pretty much always imported.

>And I simply don't see why RACF could not be made to generate more than
>one SAN.   Will that change with z/OS 3.1?

The people who actually know about such things seem to indicate that IBM is 
quite content with the current state of affairs. Could it change? Yes. Will it? 
I doubt it. I believe IBM markets "extra cost" tools that support this 
functionality.

Charles

On Thu, 8 Jun 2023 05:29:41 -0500, Michael Babcock <bigironp...@gmail.com> 
wrote:

>Our corporate certificate management folks are now mandating that all
>Subject Alternate Names be placed in the CSR.   That's a problem for
>RACF which cannot add more than one SAN (we are at z/OS 2.5). How do
>others generate the CSR?   If we generate a cert say in USS, using
>openssl or gskkyman, send that off to our local certificate folks, get
>back a certificate, then what?   I assume we will need to export that
>cert (along with its private key) and import that cert into RACF.   The
>export/import process is what I'm unsure of.
>
>I also use the z/OS Health Checker to see which RACF Certs are expiring
>in the next 60 days.  Will importing a certificate not created in RACF
>cause the cert to not show up in the HC?
>
>And I simply don't see why RACF could not be made to generate more than
>one SAN.   Will that change with z/OS 3.1?

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
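
The OpenSSL route discussed in this thread, as an added example that is not part of the original messages: it builds a CSR carrying several SANs, lists the SANs actually recorded in the request before it goes to the CA, and bundles the signed certificate with its key into a password-protected PKCS#12 file for transfer. The host names, file names and the `P12_PASS` variable are constructed placeholders, and it is an assumption that the importing side accepts PKCS#12.

```shell
#!/bin/sh
# Added example: host names, file names and P12_PASS are constructed placeholders.

# make_csr DIR CN SAN...  -> writes DIR/server.key and DIR/server.csr
make_csr() {
    dir=$1; cn=$2; shift 2
    san=""
    for name in "$@"; do
        san="${san:+$san,}DNS:$name"      # build "DNS:a,DNS:b,..."
    done
    cat > "$dir/req.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = v3_req
[dn]
CN = $cn
[v3_req]
subjectAltName = $san
EOF
    # umask in a subshell so the private key is created owner-only
    ( umask 077
      openssl req -new -newkey rsa:2048 -nodes \
          -keyout "$dir/server.key" -out "$dir/server.csr" \
          -config "$dir/req.cnf" 2>/dev/null )
}

# list_sans CSR -> prints one SAN DNS name per line, as recorded in the request
list_sans() {
    openssl req -in "$1" -noout -text | grep -o 'DNS:[^, ]*' | sed 's/^DNS://'
}

# bundle_p12 KEY CERT OUT -> password-protected PKCS#12 holding cert + key.
# The password is read from the P12_PASS environment variable so it does not
# appear on the command line.
bundle_p12() {
    ( umask 077
      openssl pkcs12 -export -inkey "$1" -in "$2" -out "$3" \
          -passout env:P12_PASS )
}
```

Running `list_sans` on the CSR before submission, and the equivalent check on the certificate that comes back, confirms that every name survived signing.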