CHKCERT Subcommand

The CHKCERT subcommand displays information about an X.509 certificate in a CERTDATA profile record or z/OS data set. The information includes whether the certificate is registered with CA ACF2. The certificate can be in one of the following formats:
  • DER-encoded, which is in binary form
  • PEM, which is base64-encoded
  • PKCS #12, which includes the private key that is associated with the certificate
CHKcert {logonid label(label)|logonid.suffix|DSname(data-set-name)} [Password(password)] [Nolist] [Dump] [Chain]
Example: Display a certificate
Display a certificate that is contained in a data set or in a CERTDATA user profile record:
CHKCERT DSN('frank01.mycert') NOLIST
CHKCERT frank01.cert DUMP
CHKCERT certauth label(Audit CA)
Display information about the certificate in the FRANK01.MYCERT data set.
CHKCERT DSN('frank01.mycert')
  • logonid Label(label)
    Indicates the CA ACF2 user whose label is used to specify which CERTDATA record containing the certificate is displayed. For every one apostrophe in the label value, two consecutive apostrophes must be specified. For example, the label value Frank's Certificate should be specified as Frank''s Certificate. If a single apostrophe is specified in the label value, the value is considered invalid.
  • logonid.suffix
    Indicates the CA ACF2 record id of the CERTDATA record containing the certificate that is displayed.
  • DSname(data-set-name)
    Indicates the name of the data set containing the certificate to be checked. If the data set name is enclosed in single quotes, it is considered fully qualified and is used as specified. Otherwise, the user's prefix, as specified by the TSO PROFILE PREFIX command, is added to the front of the data set name.
  • Password(password)
    Indicates the password that is associated with a PKCS #12 certificate. This value must be the same password that was specified when the certificate was exported. If you specify PASSWORD without a value and you are in an environment where CA ACF2 can prompt you, you are prompted for the password in a non-display field.
  • Nolist
    Indicates that the CERTDATA profile record should not be listed, even if the certificate is registered with CA ACF2.
  • Dump
    Indicates to display a hex dump of the certificate before listing the contents of the certificate.
  • Chain
    Instructs the command to display the certificate information for each certificate in the chain. The parameter also applies if the DSNAME was specified instead of the record id. In that case, each certificate in the chain in the input data set is displayed.
    Summary information follows the display. The summary indicates:
    • The number of certificates in the chain
    • Whether the chain is complete or incomplete
    • Whether the chain contains expired or non-trusted certificates
    If CHKCERT is run against a certificate in the database, the key rings that are common between all certificates in the chain are listed.
    Chain Information:
    • Contains two certificates.
    • Is COMPLETE.
    • Contains EXPIRED certificates.
    • Contains NOTRUST certificates.
    • Contains common ring - PKISRVD.CARING.
    • Contains common ring - TESTING.RING1.
    If CHKCERT is run using the DSNAME parameter, a message is added to the summary when a certificate in the data set is not present in the CA ACF2 database.
    • Chain contains certificates not in the database.
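
The three input formats listed at the top of this page, and the Password parameter that applies only to PKCS #12, can be told apart from the outer ASN.1 framing of a file before it is uploaded to a data set. The following is an added example, not CA ACF2 code: `classify` and `chkcert_command` are hypothetical names, the sample bytes are constructed, and the check is a framing heuristic run on the workstation copy of the file, not certificate validation.

```python
import base64
import re

PEM_CERT = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def _header(buf, pos):
    """Parse one ASN.1 tag/length header; return (tag, length, content_offset)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                       # short-form length
        return tag, first, pos + 2
    n = first & 0x7F
    if n == 0:                             # BER indefinite length (some PKCS #12 writers)
        return tag, None, pos + 2
    if n > 4:
        raise ValueError("length field too large")
    return tag, int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n

def classify(data):
    """Return 'PEM', 'DER', 'PKCS12' or 'UNKNOWN' for the raw bytes of a file."""
    m = PEM_CERT.search(data)
    try:
        if m:                              # PEM is base64 text wrapped around DER
            return "PEM" if classify(base64.b64decode(m.group(1))) == "DER" else "UNKNOWN"
        tag, length, body = _header(data, 0)
        if tag != 0x30 or (length is not None and body + length > len(data)):
            return "UNKNOWN"               # not a SEQUENCE, or truncated in transfer
        inner_tag, inner_len, inner_body = _header(data, body)
    except (IndexError, ValueError):       # too short, bad base64, bad length field
        return "UNKNOWN"
    if inner_tag == 0x30:                  # Certificate ::= SEQUENCE { tbsCertificate SEQUENCE ...
        return "DER"
    if inner_tag == 0x02 and data[inner_body:inner_body + (inner_len or 0)] == b"\x03":
        return "PKCS12"                    # PFX ::= SEQUENCE { version INTEGER (3) ...
    return "UNKNOWN"

def chkcert_command(dsn, kind):
    """Build the CHKCERT line; bare PASSWORD makes CA ACF2 prompt in a non-display field."""
    return f"CHKCERT DSN('{dsn}')" + (" PASSWORD" if kind == "PKCS12" else "")

# Constructed skeletons: only the outer ASN.1 framing, not real certificates or keys.
DER_SAMPLE = bytes.fromhex("3006" "3004" "02020102")
P12_SAMPLE = bytes.fromhex("3005" "020103" "3000")
P12_INDEFINITE = bytes.fromhex("3080" "020103" "3000" "0000")
PEM_SAMPLE = (b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(DER_SAMPLE)
              + b"\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    for name, blob in [("der", DER_SAMPLE), ("pem", PEM_SAMPLE), ("p12", P12_SAMPLE)]:
        print(name, classify(blob), chkcert_command("frank01.mycert", classify(blob)))
```

Using PASSWORD without a value for PKCS #12 input keeps the export password out of the command text, because the prompt described under the Password parameter is a non-display field.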