Exporting certificates
How to export a certificate using Internet Explorer 7 for use with:
Expedite Base/MVS 4.6.1
We want the new client certificate, the new root CA and the old root CA to co-exist in the key database until July 9, then the new root CA will be the only one used.
1 – In Internet Explorer pull down Tools, select Internet Options, click tab Content:
2 - Highlight the certificate you wish to export and click "Export..." (the issued to should say “PKI Service Root CA2”
3 - Click "Next >"
4 -Check "Yes, export the private key" and click "Next >"
5 - Check "Personal Information Exchange - PKCS #12 (.PFX)"
Make sure that "Include all certificates in the certification path if possible" is selected
Make sure "Enable strong protection (requires IE 5.0, NT 5.0 SP4 or above)" is selected
Make sure "Delete the private key if the export is successful" is NOT selected.
Click "Next >"
6 - Choose a password for the file and click "Next >"
NOTES:
- Make a note of this password; it can NOT be retrieved from the certificate.
Internet Explorer will allow you to export a certificate without protecting it with a password. Do NOT do this;
7 – Click browse:
Go to the directory where you want to save the certificate, specify a name for the certificate and click "Save", which will bring you back to the previous screen, then click “Next >”
NOTES:
- Make sure you remember where you saved the certificate.
- Give the certificate a useful name that distinguishes it ( the word “certificate” might be a bit vague)
8 - Click "Finish"
9 - Click "OK"
There’s an Expedite Base/MVS 4.6 manual which can be downloaded here:
On pages 185-188 (.pdf pages 201-204) it shows how to export the certificate. It’s important to export it like is shown there.
- Make sure "Yes, export the private key" is selected in step 4.
- Also ensure that both "Include all certificates in the certification path if possible" and "Enable strong protection (requires IE 5.0, NT 4.0 SP4 or above)" are ticked in step 5
On page 188 (.pdf page 204) in step 8 it’s important to:
- Set the record length of the z/OS mounted HFS file to 2500.
- FTP the .pfx file as BINARY (see also next page).
If you prefer to use a KEYRINGSTASHFILE instead of a KEYRINGPASSWORD you can use option 10 on screen Key Management Menu, Database: /u/user1/ ExpKeyDB.kdb on page 190 (.pdf page 206) which says 10 – Store database password. That creates the KEYRINGSTASHFILE.
FTP’ing the .pfx as BINARY from the PC to the MVS is done like this:
FTP xxx.xxx.xxx.xxx(amend as appropriate)
Sign on with your account/userid(amend as appropriate)
cd ..
cd /u/sharisc/(amend as appropriate)
binary
put certificate.pfx(amend as appropriate)
quit
NOTE: Do not put the binary parameter on the put command as it will result in the following error later when you attempt to create the keyringdatabase file:
Unable to import certificate and key.
Status 0x03353020 - Unrecognized file or message encoding.
From
03353020 Unrecognized file or message encoding.
Explanation:
A file or message cannot be imported because the format is not recognized.
System SSL supports X.509 DER-encoded certificates, PKCS #7 signed data messages, and PKCS #12 personal information exchange messages for certificate import files. The import file data may be the binary data or the Base64-encoding of the binary data.
System SSL supports PKCS #7 data, encrypted data, signed data, and enveloped data for messages. This error can also occur if the message is not constructed properly.
User response:
Ensure that the import file or message has not been modified. A Base64-encoded import file must be converted to the local code page when it is moved to another system while a binary import file must not be modified when it is moved to another system.
Storing the certificate in an existing key database
The first step is to log on to USS. You will use the IBM-supplied program gskkyman to manage
your keys and certificates. A sample session is shown below.
Opening a key database
- From USS, invoke the gskkyman utility by typing gskkyman.
The Database Menu displays.
- On the Enter option number line, type 2.
- Enter the key database name of your existing key database. This field is case sensitive,
so make sure to type the name correctly. For example, you might type ExpKeyDB.kdb.
- Type the database password.
The key database is opened.
Continue with the steps in the next section.
Importing your certificate
Once you have opened the key database, you are ready to import your new certificate into it. You will
need the name and location of the pfx file that you sent by FTP to your z/OS machine.
When you press Enter in Step 4 of the previous procedure, the Key Management Menu displays.
1. Type 8 to Import a certificate and a private key and press Enter.
2. Type the import file name. This is the name you used when you sent the file by FTP to your
z/OS system.
3. Type the import file password.
4. Type the certificate label, such as ExpditeCert2011, and then press Enter.
The following message displays: Certificate and key imported. Press Enter and continue with the
instructions in the next section.
Setting the default certificate
You must set the certificate that you just imported as the default certificate.
1. On the Key Management Menu, type 1 and press Enter.
The Key and Certificate List screen displays.
2. Type the number next to the certificate label you just importedand press Enter. I am selecting option 2 as this was my new certificate.
The Key and Certificate Menu displays.
3. Type 3 and press Enter.
The following message displays: Default key set.
4. Press Enter.
The Key and Certificate Menu displays.
5. On the Enter option number line, type 4.
6. On the Enter 1 if trusted line, type 1 and press Enter.
The following message displays: Record updated.
7. Press Enter to continue.
You should now have your existing key database containing both the old and the new client certificates and CA certificates. You should be able to use your existing job to run a session.