Discussion:
Self Signed Certificate - Import Root Chain
Add Reply
Gilson Cesar de Oliveira
2018-05-03 11:19:14 UTC
Reply
Permalink
Raw Message
Dear list:

I'd like to hear from this group, which way we have to follow in order to add in RACF the root chain from external partners that have encrypted connections but using self signed certificate.

I will describe the three ways we have imported the root chain:



1- Add the certificate with "Certificate Owner" = CERTAUTH and the CONNECT with the option USAGE=CERTAUTH.

RACDCERT CERTAUTH ADD('DSN.ROOT') +
WITHLABEL('External Root') TRUST
RACDCERT CONNECT(CERTAUTH LABEL('External Root') +
RING(RingName) USAGE(CERTAUTH)) ID(userid)



2-Add the certificate with "Certificate Owner" = userid and the CONNECT with the option USAGE=PERSONAL.

RACDCERT ID(userid) +
ADD('DSN.ROOT') +
WITHLABEL('External Root') +
TRUST
RACDCERT ID(userid) CONNECT(LABEL('External Root') +
RING(RingName) USAGE(PERSONAL))



3- Add the certificate with "Certificate Owner" = userid and the CONNECT with the option USAGE=CERTAUTH

RACDCERT ID(userid) +
ADD('DSN.ROOT') +
WITHLABEL('External Root') +
TRUST
RACDCERT ID(userid) CONNECT(LABEL('External Root') +
RING(RingName) USAGE(CERTAUTH))

All the options we have tested worked fine but I'd like to know if there is a standard way to add/import the certificate.
If the certificate is from an external CA like Symantec, Digicert, Certisign, etc. the process is the same or do we have to follow another way to import the root chain certificate ?

Thanks in advance for any help.

Regards,

Gilson Cesar


----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN
Elardus Engelbrecht
2018-05-03 12:43:15 UTC
Reply
Permalink
Raw Message
Post by Gilson Cesar de Oliveira
I'd like to hear from this group, which way we have to follow in order to add in RACF the root chain from external partners that have encrypted connections but using self signed certificate.
You should also post your question on RACF-L. You certainly will get great help from the Certificate gurus there.
Post by Gilson Cesar de Oliveira
1- Add the certificate with "Certificate Owner" = CERTAUTH and the CONNECT with the option USAGE=CERTAUTH.
2-Add the certificate with "Certificate Owner" = userid and the CONNECT with the option USAGE=PERSONAL.
3- Add the certificate with "Certificate Owner" = userid and the CONNECT with the option USAGE=CERTAUTH
After all these actions, did you checked that the full chain is valid?

RACDCERT ID(<??>) LISTCHAIN(LABEL('??'))

... and also this:

RACDCERT LIST ID(<??>)
RACDCERT LISTRING(*) ID(<??>)
Post by Gilson Cesar de Oliveira
All the options we have tested worked fine but I'd like to know if there is a standard way to add/import the certificate.
There is one standard - none. ;-)

Ok, seriously, I believe some people have some SHARE presentations and Redbooks about Certificates. Perhaps you should ask on RACF-L about this.

But some notes - no SHA1 please. You will soon find out...

Other notes, try to have the highest keysize if you can and check the validity period again after receiving the certs back. Some has 1 year, others only 90 days, but if your CA is friendly enough or you paid them good money, you may get 2 years or longer.
Post by Gilson Cesar de Oliveira
If the certificate is from an external CA like Symantec, Digicert, Certisign, etc. the process is the same or do we have to follow another way to import the root chain certificate ?
It depends how you create and send out a CSR and how they send the certificate(s) back to you. Did they send back the certs and then you have to build up a PKCS #12 file (or other type?) using the private part of your CSR, CA Cert and CA Root Certs?

So many things to consider.... Good luck!

Groete / Greetings
Elardus Engelbrecht

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN
Elardus Engelbrecht
2018-05-03 12:49:18 UTC
Reply
Permalink
Raw Message
Post by Gilson Cesar de Oliveira
I'd like to hear from this group, which way we have to follow in order to add in RACF the root chain from external partners that have encrypted connections but using self signed certificate.
I forgot to ask, how did you or external partners created that Self Signed Cert? Did you involved the external partners or a CA?

Where are those CA Certs and the Root Certs coming from? Selfsigned by the partners or from a CA?

Groete / Greetings
Elardus Engelbrecht

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN
Lizette Koehler
2018-05-03 13:25:28 UTC
Reply
Permalink
Raw Message
If you have not done so, the RACF List may also be able to offer suggestions/advice

To join, go to this URL

RACF http://www.listserv.uga.edu/archives/racf-l.html

Lizette
-----Original Message-----
Gilson Cesar de Oliveira
Sent: Thursday, May 03, 2018 4:21 AM
Subject: Self Signed Certificate - Import Root Chain
I'd like to hear from this group, which way we have to follow in order to
add in RACF the root chain from external partners that have encrypted
connections but using self signed certificate.
1- Add the certificate with "Certificate Owner" = CERTAUTH and the CONNECT
with the option USAGE=CERTAUTH.
RACDCERT CERTAUTH ADD('DSN.ROOT') +
WITHLABEL('External Root') TRUST
RACDCERT CONNECT(CERTAUTH LABEL('External Root') +
RING(RingName) USAGE(CERTAUTH)) ID(userid)
2-Add the certificate with "Certificate Owner" = userid and the CONNECT with
the option USAGE=PERSONAL.
RACDCERT ID(userid) +
ADD('DSN.ROOT') +
WITHLABEL('External Root') +
TRUST
RACDCERT ID(userid) CONNECT(LABEL('External Root') +
RING(RingName) USAGE(PERSONAL))
3- Add the certificate with "Certificate Owner" = userid and the CONNECT with
the option USAGE=CERTAUTH
RACDCERT ID(userid) +
ADD('DSN.ROOT') +
WITHLABEL('External Root') +
TRUST
RACDCERT ID(userid) CONNECT(LABEL('External Root') +
RING(RingName) USAGE(CERTAUTH))
All the options we have tested worked fine but I'd like to know if there is a
standard way to add/import the certificate.
If the certificate is from an external CA like Symantec, Digicert, Certisign,
etc. the process is the same or do we have to follow another way to import
the root chain certificate ?
Thanks in advance for any help.
Regards,
Gilson Cesar
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN
Loading...