Setting Up Certificates on the Host and Clients

The procedures in this step must be completed in order.

Procedures on the host use RACDCERT commands to create self-signed certificates. Text displayed in italic is example text. The actual values you should use depend on your environment. You can run these commands from the command prompt or use Job Control Language (JCL) scripts. For information on command parameters, see the online documentation for the RACDCERT application.

You will need to create a server certificate for all users and a client certificate for each user. The key database must be created using RACF.

To set up certificates on the host (pre-client configuration)
  1. At the server, to create the server certificate, type:

    RACDCERT ID(tcpip) GENCERT SUBJECTSDN( O('org) CN('') C('US')) SIZE('1024') WITHLABEL('server')

  2. To add the server certificate to the certificate ring, type:

    RACDCERT ID(tcpip) CONNECT(ID('tcpip') LABEL('server') RING('MyRingName') DEFAULT USAGE(PERSONAL))

  3. Still at the server, to create a file for the certificate management utility of the client computer, type:


  4. Use FTP to transfer the file created in the previous step to client computers.

  5. (Optional) If you need to create a host certificate from received text or install it manually, at each client, do the following:
    Do this
    Create a certificate from received text
    1. Copy the text of the certificate into Notepad.

    2. Delete all blank lines, and then save the text as a new file with a .cer extension.

      Any valid filename can be used. It is a common practice to save the .cer file to the Windows desktop.

    Manually install a certificate
    1. Open Internet Explorer, browse to the location of the .cer file, and then right-click the .cer file and select Install Certificate.

    2. Follow the instructions in the Microsoft Certificate Import wizard.

Each client must have a valid certificate installed. Client certificates must be stored in the Windows myCertificates store.

To acquire a certificate from a certificate server
  1. Go to your preferred certificate authority Web page and enter the appropriate data into the wizard.

    All certificate servers are slightly different. For details of each, contact your certificate server administrator.

  2. If you are not using a smart card locally, do not change the CSP setting of the certificate server wizard.


    To use a smart card, change the CSP setting for your smart card.

    Users may be required to enter the default password associated with their smart card. Passwords differ with each brand of smart card reader. Your default password can be acquired only from the provider of your smart card reader.

    Note Windows certificates can be created on the Microsoft Certificate Server or any other certificate server. Most certificate servers create and install the certificate automatically on the client or the smart card, depending on your CSP selection. In these cases, no further effort is required.

    Some certificate servers send the completed certificate as an e-mail attachment, expecting the user to install it. Other certificate servers send only the text (in an e-mail message or on a Web page) which must be manually copied into a text editor, edited, and saved as a .cer file, then installed.

To complete the set up of certificates on the host (post-client configuration)
  1. At the server, run the following pair of commands to add the client certificates to the RACF key database.

    RADCERT ID('p390a') ADD('p390a.client1.arm') WITHLABEL('client1') TRUST

    RADCERT ID('tcpip') CONNECT(ID('p390a') LABEL('client1')RING('MyRingName')USAGE(PERSONAL))

  2. Still at the server, type the following command to stop the secured port:


  3. Use the OBEYFILE parameter to make the new certificates available for use by the system, for example:


  4. (Optional) After all the certificates are defined, type the following command at the server to view a list of certificates:


    Note In the column labeled DEFAULT, the server certificate must be set to YES. All other certificates must be set to NO.