EXPORT Subcommand

The EXPORT subcommand exports an X.509 digital certificate from the CA ACF2 database and puts it into a z/OS data set. The data set can be used to insert the certificate in another system or can be downloaded to a personal computer and installed in a web browser.
EXPORT {logonid|logonid.suffix} DSname(data-set-name) [LABEL(label)] [FORMAT(CERTDER|CERTB64|PKCS12DER|PKCS12B64|PKCS7DER|PKCS7B64)] [PASSWORD(password)]
Example: Export a certificate
As a security administrator, you generated a certificate for LPAR B to use for securing FTP on LPAR B. You normally generate certificates on your main system, LPAR A, because it houses the signing chain for your company. To move the certificate from LPAR A to LPAR B, first export it from the CA ACF2 database on LPAR A into a data set on LPAR A:
EXPORT USERADM.FTPCRT4B DSNAME('useradmn.cert.ftpcrt4b.out') LABEL(FTP Cert for SYSB) FORMAT(PKCS12B64) PASSWORD(secretPassword)
In this example, USERADM.FTPCRT4B is the record key of the certificate stored in the CA ACF2 database (logonid USERADM, suffix FTPCRT4B), and USERADMN.CERT.FTPCRT4B.OUT is the data set that receives the exported certificate. Because FORMAT(PKCS12B64) is specified, the output is a base-64 text file that contains the certificate, its CA chain and the private key, protected only by the supplied password; transfer it in ASCII or TEXT mode and treat both the data set and the password as sensitive.
  • logonid|logonid.suffix
    Specifies the record key of the certificate to be exported. This value can be a one- to eight-character logonid or a logonid, a dot, and a one- to eight-character suffix. If LABEL is specified in addition to suffix, suffix and the label must refer to the same CERTDATA record.
  • DSname(data-set-name)
    Specifies the name of the data set into which the certificate is exported. The data set must not already exist. If the data set name is enclosed in single quotes, it is fully qualified and is used as specified. Otherwise, the user's prefix, as specified by the TSO PROFILE PREFIX command, is added to the front of the data set name.
  • LABEL(label)
    Specifies the label of the certificate to be exported. Logonid must also be specified to indicate which logonid the label is associated with. For every apostrophe that is desired in the label value, specify two consecutive apostrophes. For example, the label value Frank's Certificate should be specified as Frank''s Certificate. If a single apostrophe is specified in the label value, the value is invalid.
  • FORMAT(CERTDER)
    Indicates that the exported certificate should be encoded using the X.509 Distinguished Encoding Rules (DER). This form is the standard for an X.509 certificate. This file is binary, so if it is being transferred using FTP, use the BINARY or IMAGE mode.
  • FORMAT(CERTB64)
    Indicates that the exported certificate should be encoded using base-64 encoding. This encoding is applied to the standard DER-encoded X.509 certificate. Doing so makes it possible to ship the certificate through systems, such as e-mail systems, that cannot handle binary files. This file is in text format, so if it is being transferred using FTP, use the ASCII or TEXT mode. Like CERTDER, this format exports the certificate only; no private key is included. If no format and no PASSWORD are specified, FORMAT(CERTB64) is the default.
  • FORMAT(PKCS12DER)
    Specifies a DER-encoded PKCS #12 certificate package. DER is a binary encoding for certificates and private keys, so transfer the file with FTP in BINARY or IMAGE mode. The package contains the user certificate, the private key, and all certificate-authority certificates necessary to complete the chain of certificates from the user certificate to the root certificate-authority certificate. If this option is selected, a PASSWORD must also be supplied. Format PKCS12DER must be used to import a PKCS #12 certificate package on Windows, because Windows cannot directly import a PKCS12B64 format PKCS #12 package.
  • FORMAT(PKCS12B64)
    Specifies a DER-encoded then base-64 encoded PKCS #12 certificate package. The package contains the user certificate, the private key, and all certificate-authority certificates necessary to complete the chain of certificates from the user certificate to the root certificate-authority certificate. If this option is selected, a PASSWORD must also be supplied. If a password has been specified but no format is specified, FORMAT(PKCS12B64) is the default.
  • FORMAT(PKCS7DER)
    Specifies a DER-encoded (binary) PKCS #7 certificate package. This parameter exports a certificate (without the private key) and its CA chain. If a certificate in the chain cannot be found under the CERTAUTH ID or the certificate is expired, an informational message is issued and an incomplete PKCS #7 package is created. CA ACF2 can still process the incomplete package, but it may not be useful to OEM products.
  • FORMAT(PKCS7B64)
    Specifies a base-64 encoded PKCS #7 certificate package. This parameter exports a certificate (without the private key) and its CA chain. If a certificate in the chain cannot be found under the CERTAUTH ID or the certificate is expired, an informational message is issued and an incomplete PKCS #7 package is created. CA ACF2 can still process the incomplete package, but it may not be useful to OEM products.
  • PASSWORD(password)
    Specifies a password that is used to encrypt the private key and certificates in a PKCS #12 package. This password does not conform to normal CA ACF2 password syntax: it can contain mixed-case characters and can be up to 255 bytes long. If a password is specified, a PKCS #12 package is generated with the user certificate, the private key, and the CA certificates. If no format is specified, the format defaults to PKCS12B64. Because the package carries the private key, the password is the only protection on that key once the data set leaves the system; choose it accordingly and convey it to the receiving system separately from the data set.
    CA ACF2 only supports PKCS #12 packages that adhere to the PKCS #12 v1.0 standard published by RSA. These packages carry the value 3 in the version field of the PKCS #12 package. If PASSWORD is specified without a value and you are in an environment where CA ACF2 can prompt you, you are prompted for the password in a non-display field. Because you cannot see the value being entered and the value is used to encrypt the PKCS #12 package, CA ACF2 prompts twice for the password and compares the two values before using the password for encryption.
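The FORMAT and PASSWORD descriptions above leave the receiving side with three things to verify before trusting an exported data set: which of the three package shapes (plain X.509, PKCS #7, PKCS #12) it actually is, whether the PKCS #12 version field is the 3 that CA ACF2 requires, and whether a PKCS #7 chain came out incomplete because a CA certificate was missing or expired. The script below is an added example written for this page; it is not CA ACF2 code and it does not implement the EXPORT subcommand itself. It uses only the Python standard library, accepts either the *DER or the *B64 variant of an export (PEM armour lines, if present, are tolerated; that tolerance is an assumption, not something the page states), and walks the DER structures directly. The fake_* builders produce structurally valid but cryptographically meaningless input so the checks can be exercised without real keys; everything they create is constructed for the demo.

```python
"""Triage a package written by the ACF2 EXPORT subcommand (added example, not
CA code): classify X.509 / PKCS #7 / PKCS #12 output in DER or base-64 form,
check the PKCS #12 version is 3, and flag missing or expired chain members."""
import base64
from datetime import datetime, timezone

SEQUENCE, SET, INTEGER, BITSTR, OID, PRINTABLE, UTCTIME, CTX0 = (
    0x30, 0x31, 0x02, 0x03, 0x06, 0x13, 0x17, 0xA0)
OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2
OID_PKCS7_DATA = bytes.fromhex("2a864886f70d010701")   # 1.2.840.113549.1.7.1
DEMO_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)   # fixed clock for the demo

def der_encode(tag, content):
    """Minimal DER TLV encoder (definite-length form, short or long)."""
    n = len(content)
    lb = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if not lb else 0x80 | len(lb)]) + lb + content

def der_read(buf, pos=0):  # -> (tag, content, end) for the TLV at buf[pos]
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(content):  # yields (tag, content, raw_tlv) per element
    pos = 0
    while pos < len(content):
        tag, inner, end = der_read(content, pos)
        yield tag, inner, content[pos:end]
        pos = end

def to_der(data):  # accept a *DER or *B64 export (PEM armour tolerated)
    if data[:1] == b"\x30":                            # raw DER SEQUENCE
        return data
    body = b"".join(line.strip() for line in data.splitlines()
                    if not line.strip().startswith(b"-----"))
    return base64.b64decode(body, validate=True)

def to_b64(der): return base64.encodebytes(der)        # mimics the *B64 variants

def cert_fields(cert):
    """Return (issuer, subject, not_after) from a DER X.509 certificate."""
    _, tbs, _ = der_read(der_read(cert)[1])            # tbsCertificate
    parts = [c for _, c, _ in der_children(tbs)]
    if der_read(tbs)[0] == CTX0:                       # skip optional [0] version
        parts = parts[1:]
    issuer, validity, subject = parts[2], parts[3], parts[4]
    not_after = [c for _, c, _ in der_children(validity)][1].decode()
    expiry = datetime.strptime(not_after, "%y%m%d%H%M%SZ")
    return issuer, subject, expiry.replace(tzinfo=timezone.utc)

def inspect_export(data, now=DEMO_NOW):
    """Classify an exported package and run the checks a receiving system wants."""
    der = to_der(data)
    kids = list(der_children(der_read(der)[1]))
    tag, first, _ = kids[0]
    if tag == INTEGER:                # PFX ::= SEQUENCE { version INTEGER, ... }
        version = int.from_bytes(first, "big")
        return {"kind": "PKCS12", "version": version, "ok": version == 3}
    if tag == OID and first == OID_SIGNED_DATA:   # ContentInfo around SignedData
        signed = next(der_children(kids[1][1]))[1]
        certs = next(c for t, c, _ in der_children(signed) if t == CTX0)
        fields = [cert_fields(raw) for _, _, raw in der_children(certs)]
        subjects = {s for _, s, _ in fields}
        missing = sum(1 for i, s, _ in fields if i != s and i not in subjects)
        expired = sum(1 for _, _, e in fields if e < now)
        return {"kind": "PKCS7", "certs": len(fields), "missing_issuers": missing,
                "expired": expired, "ok": missing == 0 and expired == 0}
    if tag == SEQUENCE:               # Certificate ::= SEQUENCE { tbs, alg, sig }
        issuer, subject, expiry = cert_fields(der)
        return {"kind": "X509", "self_signed": issuer == subject,
                "expired": expiry < now, "ok": expiry >= now}
    return {"kind": "unknown", "ok": False}

# Constructed test input: structurally valid, cryptographically meaningless.
def fake_name(cn): return der_encode(SEQUENCE, der_encode(PRINTABLE, cn.encode()))

def fake_cert(subject, issuer, not_after):
    alg = der_encode(SEQUENCE, der_encode(OID, bytes.fromhex("2a864886f70d01010b")))
    validity = der_encode(SEQUENCE, der_encode(UTCTIME, b"200101000000Z")
                          + der_encode(UTCTIME, not_after.encode()))
    tbs = der_encode(SEQUENCE, der_encode(INTEGER, b"\x01") + alg + fake_name(issuer)
                     + validity + fake_name(subject) + der_encode(SEQUENCE, b""))
    return der_encode(SEQUENCE, tbs + alg + der_encode(BITSTR, b"\x00"))

def fake_pkcs7(certs):
    signed = der_encode(SEQUENCE, der_encode(INTEGER, b"\x01") + der_encode(SET, b"")
                        + der_encode(SEQUENCE, der_encode(OID, OID_PKCS7_DATA))
                        + der_encode(CTX0, b"".join(certs)) + der_encode(SET, b""))
    return der_encode(SEQUENCE, der_encode(OID, OID_SIGNED_DATA) + der_encode(CTX0, signed))

def fake_pkcs12(version=3):
    auth_safe = der_encode(SEQUENCE, der_encode(OID, OID_PKCS7_DATA)
                           + der_encode(CTX0, der_encode(0x04, b"")))
    return der_encode(SEQUENCE, der_encode(INTEGER, bytes([version])) + auth_safe)

if __name__ == "__main__":
    ftp = fake_cert("ftp.sysb", "Corp Root CA", "251231235959Z")
    print(inspect_export(to_b64(fake_pkcs12())), inspect_export(fake_pkcs7([ftp])))
```

Against a real export, read the data set into bytes and call inspect_export(data, now=datetime.now(timezone.utc)); the DEMO_NOW default exists only so the constructed cases give stable answers. A PKCS #7 result with missing_issuers or expired above zero is exactly the "incomplete package" the FORMAT(PKCS7DER) and FORMAT(PKCS7B64) descriptions warn about, and a PKCS #12 result whose version is not 3 is one CA ACF2 will not accept. The script deliberately does not open the PKCS #12 contents: that requires the password, and the point of the check is to decide whether the file is worth shipping before any secret is handled.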