Gilson Cesar de Oliveira wrote:
> I'd like to hear from this group, which way we have to follow in order to
> add in RACF the root chain from external partners that have encrypted
> connections but using self signed certificate.
You should also post your question on RACF-L. You certainly will get great help
from the Certificate gurus there.
>1- Add the certificate with "Certificate Owner" = CERTAUTH and the CONNECT
>with the option USAGE=CERTAUTH.
>2-Add the certificate with "Certificate Owner" = userid and the CONNECT with
>the option USAGE=PERSONAL.
>3- Add the certificate with "Certificate Owner" = userid and the CONNECT with
>the option USAGE=CERTAUTH
After all these actions, did you check that the full chain is valid?
RACDCERT ID(<??>) LISTCHAIN(LABEL('??'))
... and also this:
RACDCERT LIST ID(<??>)
RACDCERT LISTRING(*) ID(<??>)
>All the options we have tested worked fine but I'd like to know if there is a
>standard way to add/import the certificate.
There is one standard - none. ;-)
Ok, seriously, I believe some people have some SHARE presentations and Redbooks
about Certificates. Perhaps you should ask on RACF-L about this.
But some notes - no SHA1 please. You will soon find out...
Other notes, try to have the highest keysize if you can and check the validity
period again after receiving the certs back. Some have 1 year, others only 90
days, but if your CA is friendly enough or you paid them good money, you may
get 2 years or longer.
>If the certificate is from an external CA like Symantec, Digicert, Certisign,
>etc. the process is the same or do we have to follow another way to import the
>root chain certificate ?
It depends how you create and send out a CSR and how they send the
certificate(s) back to you. Did they send back the certs and then you have to
build up a PKCS #12 file (or other type?) using the private part of your CSR,
CA Cert and CA Root Certs?
So many things to consider.... Good luck!
Groete / Greetings
Elardus Engelbrecht
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
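
Added example, not part of the original message or thread: option 1 from the quoted question (certificate owned by CERTAUTH, connected with USAGE(CERTAUTH)) written out as a TSO batch job, followed by the listing commands the reply suggests for checking the result. The data set name, label, user ID and ring name are placeholders, and the SETROPTS refresh assumes the DIGTCERT and DIGTRING classes are RACLISTed.

```jcl
//ADDCERT  JOB (ACCT),'PARTNER CERT',CLASS=A,MSGCLASS=X
//* Added example. Placeholders (assumptions, not from the thread):
//*   'HLQ.PARTNER.CERT'  data set holding the partner certificate
//*   'Partner Root'      label given to the certificate in RACF
//*   SRVUSER / SRVRING   owner and name of an existing key ring
//* Step order: add as CERTAUTH, connect to the ring, refresh the
//* in-storage profiles, then list the certificate, chain and ring.
//TSOBATCH EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  RACDCERT CERTAUTH ADD('HLQ.PARTNER.CERT') -
    WITHLABEL('Partner Root') TRUST
  RACDCERT ID(SRVUSER) CONNECT(CERTAUTH -
    LABEL('Partner Root') RING(SRVRING) USAGE(CERTAUTH))
  SETROPTS RACLIST(DIGTCERT DIGTRING) REFRESH
  RACDCERT CERTAUTH LIST(LABEL('Partner Root'))
  RACDCERT CERTAUTH LISTCHAIN(LABEL('Partner Root'))
  RACDCERT ID(SRVUSER) LISTRING(SRVRING)
/*
```

The LIST output in SYSTSPRT shows the signing algorithm, key size and end date of the certificate, which are the fields the notes in the reply concern.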