Checking the Certificate

Before attempting to connect to your mainframe, use the OpenSSL utility to check that the certificates are in the correct format for your client application. This also lets you confirm that you have the correct private key pass phrase.

At the Enterprise Developer command prompt, enter the following command:

openssl s_client -connect <Node>:<Port> -CAfile "A:\Path\To\The\servername-root-cert.pem" -cert "A:\Path\To\The\servername-user-cert.pem" -certform PEM -key "A:\Path\To\The\servername-user-key.der" -keyform DER

You must replace the values in angle brackets (<>) and the quoted paths as follows:

<Node>
    The DNS name or IP address of the mainframe.
<Port>
    The MFA port defined in AT-TLS; the default is 2020.
"A:\Path\To\The\servername-root-cert.pem"
    The quoted path to the root certificate PEM file.
"A:\Path\To\The\servername-user-cert.pem"
    The quoted path to the user certificate PEM file.
"A:\Path\To\The\servername-user-key.der"
    The quoted path to the private key DER file.

You should have something similar to:

openssl s_client -connect CSIMVS:20201 -CAfile "C:\SSL\CSIMVS-root-cert.pem" -cert "C:\SSL\CSIMVS-MYUSER-cert.pem" -certform PEM -key "C:\SSL\CSIMVS-MYUSER-key.der" -keyform DER

If the command is successful, the output ends with "Verify return code: 0" or "Verify return code: 19". A return code of 19 occurs when you are using a self-signed certificate.
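The check above, scripted so it can be repeated whenever certificates are rotated: this is example code added here, not part of the Enterprise Developer documentation. It builds the same s_client command (passing the single root PEM file with -CAfile), runs it non-interactively, and treats only the two verify return codes named above as a pass; the host, port and paths are the constructed placeholders from the example command.

```python
"""Pre-flight check of the MFA TLS connection with openssl s_client.
Example code, not part of the product documentation; values are placeholders."""
import re
import subprocess

# Verify return codes the documentation treats as a successful test.
ACCEPTABLE_CODES = {0: "ok", 19: "self-signed root certificate (accepted)"}


def build_s_client_command(node, port, root_pem, user_pem, user_key_der):
    """Assemble the documented command: root cert as a PEM file, user cert
    in PEM format, private key in DER format."""
    return ["openssl", "s_client", "-connect", f"{node}:{port}",
            "-CAfile", root_pem,
            "-cert", user_pem, "-certform", "PEM",
            "-key", user_key_der, "-keyform", "DER"]


def parse_verify_code(output):
    """Return the numeric 'Verify return code' from s_client output, or None
    when the handshake never got far enough to print one."""
    match = re.search(r"Verify return code:\s*(\d+)", output)
    return int(match.group(1)) if match else None


def classify(output):
    """Map s_client output to (passed, reason)."""
    code = parse_verify_code(output)
    if code is None:
        # s_client failed before verification: typically an unreadable key,
        # a wrong pass phrase, or an unreachable node/port.
        return False, "no verify result: key, pass phrase or connection problem"
    if code in ACCEPTABLE_CODES:
        return True, f"verify return code {code}: {ACCEPTABLE_CODES[code]}"
    return False, f"verify return code {code}: server chain not trusted by this client"


def check_connection(node, port, root_pem, user_pem, user_key_der):
    """Run s_client with closed stdin so it exits after the handshake."""
    cmd = build_s_client_command(node, port, root_pem, user_pem, user_key_der)
    proc = subprocess.run(cmd, input="", capture_output=True, text=True, timeout=30)
    return classify(proc.stdout + proc.stderr)


if __name__ == "__main__":
    # Placeholder values; replace with your own node, port and file paths.
    passed, why = check_connection("CSIMVS", 20201, r"C:\SSL\CSIMVS-root-cert.pem",
                                   r"C:\SSL\CSIMVS-MYUSER-cert.pem",
                                   r"C:\SSL\CSIMVS-MYUSER-key.der")
    print("PASS" if passed else "FAIL", "-", why)
```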