IBM Security Z Security

  • 1.  DIGITAL CERTIFICATE QUESTIONS

    Posted Wed May 19, 2021 12:06 PM

    RACF CERTIFICATE QUESTIONS                 

    Recently, we updated a certificate, and we did not realize that 'under the covers' RACF changed the intermediate certificate in the chain from the older DIGICERT intermediate to the newer DIGICERT intermediate certificate.  My first question is:  when two intermediate (and still 'active') certificates exist in the RACF keystore, how does RACF determine which one to place in the chain?

    My second question is: can we control the above if we always place the intermediate and root certificates into the keyring along with the personal certificate?



    ------------------------------
    Richard Klatt

    ------------------------------


  • 2.  RE: DIGITAL CERTIFICATE QUESTIONS

    InnerCircle
    Posted Thu May 20, 2021 04:02 AM
    Could you describe what you mean by "updated" a certificate? If it was externally signed by Digicert, did you load it in PKCS#7 format, or just the signed cert itself? Did you generate a new public-private key pair and a CSR from it (GENCERT, GENREQ) to be able to get it signed by Digicert, and then update (ADD) it back into the same label? Before you started, did you already have both the older and newer intermediate certs installed in RACF as CERTAUTH, or just the older one?

    The circumstances you started with, just before you did the "update", and how you did the update, could provide the explanation as to what you saw happen, but there may be different explanations depending on your path.  Let us know please.  Thanks.

    ------------------------------
    Scott Tietjen CISSP
    ------------------------------



  • 3.  RE: DIGITAL CERTIFICATE QUESTIONS

    Posted Fri May 21, 2021 05:06 PM
    Richard, would you take a look at https://www.ibm.com/support/pages/apar/OA59912?

    ------------------------------
    Wai Choi
    ------------------------------