Setting up a Certificate Authority

If you need to set up a Certificate Authority (CA) before you create and export certificates, execute the following commands on the mainframe. Modify these commands to match your particular configuration and requirements. Each command is shown split across lines; the trailing + is the TSO continuation character.

  1. Create the certificate authority and its certificate:
    RACDCERT GENCERT CERTAUTH SUBJECTSDN(CN('common-name')) SIZE(key-size) +
        NOTAFTER(DATE(yyyy-mm-dd)) WITHLABEL('ca-label-name')

  2. Generate a certificate for MFA and the z/Server STC, signed by the certificate authority created in step 1:
    RACDCERT GENCERT ID(certificate-owner) SUBJECTSDN(CN('common-name')) +
        SIZE(key-size) NOTAFTER(DATE(yyyy-mm-dd)) +
        WITHLABEL('stc-label-name') SIGNWITH(CERTAUTH LABEL('ca-label-name')) +
        KEYUSAGE(DATAENCRYPT DOCSIGN HANDSHAKE)

    Note: The ID parameter needs to match the ID that the STC runs under.
  3. Create a key ring, owned by the same ID, so you can attach certificates to it:
    RACDCERT ID(certificate-owner) ADDRING(ring-name)
  4. Connect the certificate authority certificate to the key ring:
    RACDCERT ID(certificate-owner) CONNECT(CERTAUTH +
        LABEL('ca-label-name') RING(ring-name))

  5. Connect the STC certificate created in step 2 to the key ring and mark it as the default:
    RACDCERT ID(certificate-owner) +
        CONNECT(LABEL('stc-label-name') +
        RING(ring-name) DEFAULT)

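The five steps above, run end to end as a single batch job under TSO (IKJEFT01), followed by a refresh and two listing commands that confirm the ring holds both certificates. This is an added worked example, not part of the original page or of the product's own documentation. All values are constructed for illustration: the STC user ID ZSERVER, the CA label MFALOCALCA, the STC certificate label ZSERVERCERT, the ring name MFARING, the common names and the expiry dates. Replace them with your site's values.

```jcl
//MFACA    JOB (ACCT),'MFA CA SETUP',CLASS=A,MSGCLASS=X,NOTIFY=&SYSUID
//*
//* Added example (not from the original page). Constructed values:
//*   ZSERVER      - user ID the z/Server STC runs under (step 2 ID)
//*   MFALOCALCA   - label of the local CA certificate (step 1)
//*   ZSERVERCERT  - label of the STC certificate (step 2)
//*   MFARING      - key ring name (steps 3 to 5)
//*
//* Step 1: self-signed CA certificate owned by CERTAUTH.
//* Step 2: STC certificate signed by that CA; ID is the STC user.
//* Step 3: key ring owned by the STC user.
//* Step 4: CA certificate on the ring so the chain can be validated.
//* Step 5: STC certificate on the ring as the DEFAULT entry.
//* Then:   refresh the RACLISTed DIGTCERT class (no effect if it is
//*         not RACLISTed) and list the ring and certificate to verify.
//*
//TSOBATCH EXEC PGM=IKJEFT01,DYNAMNBR=30
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  RACDCERT GENCERT CERTAUTH SUBJECTSDN(CN('MFA Local CA')) +
      SIZE(2048) NOTAFTER(DATE(2030-12-31)) WITHLABEL('MFALOCALCA')
  RACDCERT GENCERT ID(ZSERVER) SUBJECTSDN(CN('zserver.example.com')) +
      SIZE(2048) NOTAFTER(DATE(2027-12-31)) +
      WITHLABEL('ZSERVERCERT') SIGNWITH(CERTAUTH LABEL('MFALOCALCA')) +
      KEYUSAGE(DATAENCRYPT DOCSIGN HANDSHAKE)
  RACDCERT ID(ZSERVER) ADDRING(MFARING)
  RACDCERT ID(ZSERVER) CONNECT(CERTAUTH LABEL('MFALOCALCA') +
      RING(MFARING))
  RACDCERT ID(ZSERVER) CONNECT(LABEL('ZSERVERCERT') +
      RING(MFARING) DEFAULT)
  SETROPTS RACLIST(DIGTCERT) REFRESH
  RACDCERT ID(ZSERVER) LISTRING(MFARING)
  RACDCERT ID(ZSERVER) LIST(LABEL('ZSERVERCERT'))
/*
```

Check the LISTRING output in SYSTSPRT: the ring should show the CA certificate with usage CERTAUTH and the STC certificate with usage PERSONAL and DEFAULT set to YES. The CA certificate's expiry is deliberately later than the STC certificate's, because a certificate cannot be validated past the expiry of the CA that signed it. The submitting user needs authority to run RACDCERT and SETROPTS; the STC user itself needs READ access to the IRR.DIGTCERT.LISTRING profile in the FACILITY class (a general RACF requirement, not specific to this page) before it can read its own ring at run time.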

At this point you can now issue the commands to create and export the certificates. See Exporting Certificates from RACF for more information.