Sample JCL to create a self-signed certificate for CA ACF2



Use the following sample JCL to create a self-signed certificate for use with CA ACF2:

[yourJobCardHere]
//ACFJOB EXEC PGM=ACFBATCH
//SYSPRINT DD SYSOUT=*
//SYSLBC DD DISP=SHR,DSN=yourDataSetName
//SYSHELP DD DISP=SHR,DSN=yourDataSetName
//SYSIN DD *
 SET PROFILE(USER) DIV(CERTDATA)

 GENCERT yourUserID SUBJSDN(CN='yourServerCom' -
         OU='yourOrganizationalUnit' O='yourOrganization' -
         L='yourLocality' SP='yourState' C='yourCountry') -
         SIZE(2048) LABEL('yourLabelHere') -
         KEYUSAGE(HANDSHAKE) -
         ALTNAME(DOMAIN=yourSampleDomainCom) -
         PCICC PKDSLBL('yourPkdsLabelHere')

//

The following information explains each statement and parameter in this JCL:

yourUserID

User ID with which you want to associate the certificate

The following guidelines apply to the user ID:

  • If you use the same user ID for multiple certificates, CA ACF2 appends suffixes to your ID as described in the CA ACF for z/OS Administrator Guide.
  • If the sample CA ACF2 JCL requires specifying a user ID as the first parameter of a command, include a suffix if one is associated with that certificate.
  • Instead of specifying a user ID, consider using the CERTAUTH or SITECERT parameter. For more information, see the CA ACF for z/OS Administrator Guide.

SUBJSDN

Combination of subparameters that describes the entity for which the certificate is being created

This example uses the system on which you will run UIM.

  • CN (Common Name)
    The value that applications such as web browsers will use to determine whether the certificate was created for the server that is presenting it.
    If this value does not match the result of DNS lookups, most applications will issue a warning, or prevent the connection completely. This value can include an asterisk wildcard. For example, '*.bmc.com' is valid.
  • OU (Organizational Unit)
    The name of your organization, within your enterprise
  • O (Organization)
    The name of your enterprise
  • L (Locality)
    Generally, the city in which your enterprise is headquartered
  • SP (State)
    Generally, the state or province in which your enterprise is headquartered
  • C (Country)
    Generally, the two-letter code of the country in which your enterprise is headquartered

SIZE

Size (in bits) of the private key that is generated and associated with this certificate

The certificate contains the corresponding public key, which is generated at the same time as the private key. Larger keys are more secure. This number is not arbitrary; only a few predefined values are accepted. If you want to change the value, you might also need to change the method used to generate and store the key (PCICC in this example). For more information, see the CA ACF2 documentation.

LABEL

Unique identifier that CA ACF2 uses for your certificate

PCICC PKDSLBL

Type of key to create (specified by the PCICC parameter), and whether this key should be stored in the ICSF Private Key Data Store or PKDS (specified by the PKDSLBL subparameter)

The label that you provide is a unique identifier that CA ACF2 uses to identify your private key.

KEYUSAGE

Declaration of the purpose of this key

You can use keys for a number of purposes, but you must declare them when creating the key. Because this key will be used only for the security handshake (a step in the SSL/TLS protocol), HANDSHAKE is the appropriate value.

Tip

You might find it useful to define multiple host names for which your certificate is valid. Certificates can contain Subject Alternative Name (SAN) values. The GENCERT command allows you to specify any number of these by including one or more ALTNAME parameters:

ALTNAME(DOMAIN=yourDomainHere)

Do not add quotation marks to yourDomainHere. The value is included in the generated SAN value, and quotation marks would make the SAN value incorrect.
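The CN and ALTNAME descriptions above say that a client compares the name the certificate carries against the host it connected to, that a leading asterisk acts as a wildcard, and that stray quotation marks make a SAN value unusable. The following Python is an added example, not part of the BMC or CA ACF2 documentation and not output of any CA ACF2 command; it models that client-side decision so you can check, before deploying the certificate, which host names the values you plan to put in SUBJSDN and ALTNAME will actually cover. The certificate fields in SAMPLE_CERT are constructed sample values, and the rule that a DNS SAN, when present, takes precedence over the CN reflects common TLS client behaviour (RFC 6125), not anything specific to CA ACF2.

```python
"""Model of how a TLS client matches a host name against a certificate's
CN and DNS SAN values. Added example; the certificate below is constructed."""
import re

# Constructed sample: what the GENCERT SUBJSDN CN and ALTNAME(DOMAIN=...)
# values look like once they are inside the issued certificate.
SAMPLE_CERT = {
    "cn": "*.bmc.com",
    "san_dns": ["www.bmc.com", "uim.bmc.com"],
}

# One DNS label: alphanumerics and hyphens, no leading/trailing hyphen.
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$")


def valid_san_value(value: str) -> bool:
    """True if the value is a well-formed DNS name usable as a SAN entry.
    Quotation marks (the ALTNAME pitfall) or any other character outside
    the DNS label alphabet make the value invalid, so the SAN never matches."""
    labels = value.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return False
    first, rest = labels[0], labels[1:]
    # A wildcard is allowed only as the entire leftmost label.
    if first != "*" and not _LABEL.match(first):
        return False
    return all(_LABEL.match(label) for label in rest)


def name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison: '*' covers exactly one leftmost label,
    so '*.bmc.com' matches 'www.bmc.com' but not 'bmc.com' or 'a.b.bmc.com'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not valid_san_value(pattern) or not valid_san_value(hostname):
        return False
    if "*" in hostname:  # the presented host name itself is never a pattern
        return False
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        return p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def certificate_matches_host(cert: dict, hostname: str) -> bool:
    """Common client behaviour: when the certificate carries DNS SAN entries
    they are authoritative and the CN is ignored; the CN is consulted only
    for certificates that have no DNS SAN at all."""
    san = cert.get("san_dns") or []
    if san:
        return any(name_matches(name, hostname) for name in san)
    return name_matches(cert.get("cn", ""), hostname)


if __name__ == "__main__":
    for host in ("uim.bmc.com", "other.bmc.com", "bmc.com"):
        print(host, certificate_matches_host(SAMPLE_CERT, host))
    print("quoted SAN usable:", valid_san_value("'uim.bmc.com'"))
```

Two consequences worth noting for the JCL above: once any ALTNAME(DOMAIN=...) entry is present, the wildcard in CN no longer widens coverage, so every host name clients will use must appear as its own ALTNAME; and a DOMAIN value wrapped in quotation marks fails the label check and matches nothing.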
