GENCERT Subcommand

The GENCERT subcommand generates a digital certificate and inserts a CERTDATA profile record into the CA ACF2 Infostorage database. The CERTDATA segment of the user profile record identifies an X.509 digital certificate that is associated with a user. For a description of the GENCERT subcommand fields, see Process Digital Certificates with CA ACF2.
GENCert { logonid | logonid.suffix | CERTAUTH | CERTAUTH.suffix | SITECERT | SITECERT.suffix }
        [Label(label)]
        [DSname(data-set-name)]
        [SUbjsdn([CN=common-name] [T=title] [OU=organizational-unit-name] [O=organization-name]
                 [L=locality] [{S=state-or-province | SP=state-or-province | ST=state-or-province}]
                 [C=country])]
        [SIZe({key-size|2048|192})]
        [PCICC|ICSF|DSA|NISTECC|BPECC]
        [ACtive({date-or-date-time|current-date-000000|current-date-time})]
        [Expire({date-or-date-time|current-date-000000|current-date-time})]
        [SIGnwith({CERTAUTH Label(label-name) | CERTAUTH.suffix |
                   SITECERT Label(label-name) | SITECERT.suffix | Label(label-name)})]
        [HASHALG(SHA1|SHA256)]
        [Keyusage([HANDSHAKE] [DATAENCRYPT] [DOCSIGN] [CERTSIGN] [KEYAGREE])]
        [ALtname([IP=numeric-ip-address] [DOMAIN=internet-domain-name]
                 [EMAIL=email-address] [URI=universal-resource-identifier])]
        [Fromicsf(PKDS label)]
        [PKDSLBL({PKDS label|*})]
        [SIGATTR(RSAPSS)]
Examples: Generate digital certificates and insert CERTDATA profile records
Generate a self-signed certificate authority (CA) certificate. This example omits DSNAME, so GENCERT generates a new key pair and certifies it; when DSNAME is specified, GENCERT instead certifies the public key contained in a PKCS #10 certificate request held in that data set (PKCS #10 defines the format of messages sent to a CA to request certification of a public key). Specify a label and an expiration date. The default expiration date is one year from the day the record is created. Give a CA certificate an expiration date well beyond a year: if the CERTAUTH certificate expires within a year, certificates subsequently signed with it can draw warning messages, because with the default one-year expiration they would outlive their issuer.
GENCERT CERTAUTH.BLUELOCK Subj(CN='Blue Lock Company Certificate Authority' OU='Auditing Department' O='Blue Lock Company' C=US) LABEL(Audit CA) EXPIRE(03/23/2021)
In this example, a self-signed CA certificate, CERTAUTH.BLUELOCK, was generated. The label Audit CA was specified for the record and an expiration date of 03/23/2021 was assigned. The subject's distinguished name and the issuer's distinguished name are both built from the specified SUBJSDN value. Because the certificate is self-signed, the TRUST flag is set automatically and the serial number is 00; CERTNSER holds the next serial number this CA will assign to a certificate it signs. The KEYSIZE(1,024) in the displayed record reflects the default key size at the time this example was captured. The SIZE default is now 2048, and a 1024-bit RSA key is no longer acceptable for a CA, so specify SIZE(2048) or larger, and HASHALG(SHA256) rather than SHA1, when creating a CA certificate.
The resulting CERTDATA record displays:
CERTDATA / CERTAUTH.BLUELOCK LAST CHANGED BY FRANK01 ON 02/02/02-10:34
  ISSUERDN(CN=Blue Lock Company Certificate Authority.OU=Auditing Department.O=Blue Lock Company.C=US)
  CERTNSER(0000000000000001) KEYSIZE(1,024) LABEL(Audit CA) SERIAL#(00)
  SUBJDN(CN=Blue Lock Company Certificate Authority.OU=Auditing Department.O=Blue Lock Company.C=US)
  TRUST
Certificate is not connected to any key rings
Generate a SITECERT certificate for the company's web server.
GENCERT SITECERT.BLCWEB SUBJ(CN='Blue Lock Web Server Certificate' OU='Auditing Department' O='Blue Lock Company' C=US) LABEL(BL Web Server) SIGNWITH(CERTAUTH LABEL(Audit CA)) EXPIRE(03/23/2021)
In this example, a certificate was generated that is signed by the CERTAUTH certificate created in the previous example, identified by SIGNWITH(CERTAUTH LABEL(Audit CA)). The issuer's distinguished name is the signing certificate's subject DN, and the serial number (01) was taken from the signing certificate's next-serial-number counter (CERTNSER). The resulting CERTDATA record looks as follows:
CERTDATA / SITECERT.BLCWEB LAST CHANGED BY FRANK01 ON 02/02/02-11:08
  ISSUERDN(CN=Blue Lock Company Certificate Authority.OU=Auditing Department.O=Blue Lock Company.C=US)
  KEYSIZE(1,024) LABEL(BL Web Server) SERIAL#(01)
  SUBJDN(CN=Blue Lock Web Server Certificate.OU=Auditing Department.O=Blue Lock Company.C=US)
  TRUST
Certificate is not connected to any key rings
Generate a user certificate, signed with a certificate authority certificate.
gencert frank01.cert Subj(cn='Frank Schwinger' OU='Sales Department' O='Blue Lock Company' C=US) label(Frank01 Cert) signwith(certauth Label(Audit CA)) expire(12/31/2003)
This user certificate is also signed with the Audit CA CERTAUTH certificate, but with a shorter expiration date (12/31/2003). Frank's certificate can be renewed if he is still with the company next year. The certificate is trusted because the signing certificate is trusted. The record's LAST CHANGED BY field shows that it was inserted by CUNKE01 rather than by FRANK01, so the issuer of the command needed the authority for another user's certificate described under the authorization requirements below.
CERTDATA / FRANK01.CERT LAST CHANGED BY CUNKE01 ON 02/02/02-11:23
  ISSUERDN(CN=Blue Lock Company Certificate Authority.OU=Auditing Department.O=Blue Lock Company.C=US)
  KEYSIZE(1,024) LABEL(Frank01 Cert) SERIAL#(02)
  SUBJDN(CN=Frank Schwinger.OU=Sales Department.O=Blue Lock Company.C=US)
  TRUST
Certificate is not connected to any key rings
GENCERT Command Authorization Requirements
The following table lists the requirements to generate a certificate and insert a user CERTDATA profile record into the Infostorage database. The required access depends on whose certificate is being created (the columns of the original table) and on which certificate, if any, is named in SIGNWITH (the rows). Resource checks are bypassed when the issuing logonid has the SECURITY privilege.

SIGNWITH not specified
  Your own certificate: READ authority to ACFCMD.DIGTCERT.ADD and READ authority to ACFCMD.DIGTCERT.GENCERT
  Another user's certificate: UPDATE authority to ACFCMD.DIGTCERT.ADD and UPDATE authority to ACFCMD.DIGTCERT.GENCERT
  CERTAUTH or SITECERT certificate: DELETE authority to ACFCMD.DIGTCERT.ADD and DELETE authority to ACFCMD.DIGTCERT.GENCERT

SIGNWITH a CERTAUTH or SITECERT certificate
  Your own certificate: READ authority to ACFCMD.DIGTCERT.ADD and DELETE authority to ACFCMD.DIGTCERT.GENCERT
  Another user's certificate: UPDATE authority to ACFCMD.DIGTCERT.ADD and DELETE authority to ACFCMD.DIGTCERT.GENCERT
  CERTAUTH or SITECERT certificate: DELETE authority to ACFCMD.DIGTCERT.ADD and DELETE authority to ACFCMD.DIGTCERT.GENCERT

SIGNWITH the caller's own certificate
  Your own certificate: READ authority to ACFCMD.DIGTCERT.ADD and READ authority to ACFCMD.DIGTCERT.GENCERT
  Another user's certificate: UPDATE authority to ACFCMD.DIGTCERT.ADD and READ authority to ACFCMD.DIGTCERT.GENCERT
  CERTAUTH or SITECERT certificate: DELETE authority to ACFCMD.DIGTCERT.ADD and READ authority to ACFCMD.DIGTCERT.GENCERT

Read the table as two independent factors: the level needed on ACFCMD.DIGTCERT.ADD is set by whose record is created (own READ, another user's UPDATE, CERTAUTH or SITECERT DELETE), while the level needed on ACFCMD.DIGTCERT.GENCERT is set by the signing certificate (none: same as ADD; CERTAUTH or SITECERT: DELETE; the caller's own: READ).
Granular GENCERT Command Authorization Requirements
The following requirements apply to generating a certificate and inserting a user CERTDATA profile record into the Infostorage database when the CERTCNTL option is set in the GSO OPTS record. Resource checks are bypassed when the issuing logonid has the SECURITY privilege.

The granular rules require READ access to resources named for the certificate owner and the label of the certificate. These resources are in the RDATALIB class.

IRR.DIGTCERT.certowner.certlabel.UPD.GENCERT
  Required to create a certificate under a user with a specific label. All certificates have labels; the label can also be in "record id" format (USER.suffix).

IRR.DIGTCERT.certowner.certlabel.UPD.GENCERT and IRR.DIGTCERT.signer.signerlabel.UPD.GENCERT
  Both required when SIGNWITH is specified: the first for the certificate being created under a user with a specific label, the second for the signing certificate, identified by its owner and label. Here too the label can be in "record id" format (USER.suffix).
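To make the two authorization sections above concrete, here is an added Python example (not from the CA ACF2 documentation or product) that derives, for a given GENCERT request, the ACFCMD.DIGTCERT levels required when CERTCNTL is off and the RDATALIB resources required when CERTCNTL is set, and checks a caller's permitted levels against them. It assumes that the owner of a record id is the text before the first period, that a certificate given no LABEL is identified by its record id, and that labels go into RDATALIB resource names unchanged; the function names are the example's own.

```python
"""
Pre-flight check for the ACF2 resource authorizations a GENCERT request needs.

Added illustration, not CA ACF2 documentation or product code. It encodes the
two authorization tables on this page: ACFCMD.DIGTCERT levels (CERTCNTL off)
and RDATALIB IRR.DIGTCERT resources (CERTCNTL set in the GSO OPTS record).

Assumptions not stated on the page: the owner of a record id is the part
before the first '.', a certificate with no LABEL is named by its record id,
and labels are placed into RDATALIB resource names unchanged.
"""

# Access levels in ACF2 resource rules, lowest to highest.
LEVELS = ("READ", "UPDATE", "DELETE")
AUTHORITIES = ("CERTAUTH", "SITECERT")


def owner_of(record_id):
    """'FRANK01.CERT' -> 'FRANK01'; 'CERTAUTH.BLUELOCK' -> 'CERTAUTH'."""
    return record_id.split(".", 1)[0].upper()


def target_kind(caller, record_id):
    """Which column of the table applies to the record being created."""
    owner = owner_of(record_id)
    if owner in AUTHORITIES:
        return "certauth_or_sitecert"
    return "own" if owner == caller.upper() else "other"


# ACFCMD.DIGTCERT.ADD level depends only on whose record is created.
ADD_LEVEL = {"own": "READ", "other": "UPDATE", "certauth_or_sitecert": "DELETE"}


def classic_checks(caller, record_id, signwith=None):
    """Required levels for the non-granular table (CERTCNTL off).

    ACFCMD.DIGTCERT.GENCERT level depends only on the SIGNWITH row:
      not specified          -> same level as ADD
      CERTAUTH or SITECERT   -> DELETE
      caller's own cert      -> READ
    """
    add = ADD_LEVEL[target_kind(caller, record_id)]
    if signwith is None:
        gencert = add
    elif owner_of(signwith) in AUTHORITIES:
        gencert = "DELETE"
    elif owner_of(signwith) == caller.upper():
        gencert = "READ"
    else:
        raise ValueError("SIGNWITH another user's certificate is not covered by the table")
    return {"ACFCMD.DIGTCERT.ADD": add, "ACFCMD.DIGTCERT.GENCERT": gencert}


def granular_checks(record_id, label=None, signwith=None, signer_label=None):
    """RDATALIB resources needing READ access when CERTCNTL is set.

    One resource for the certificate being created; when SIGNWITH is given,
    a second one for the signing certificate (owner plus label).
    """
    resources = [f"IRR.DIGTCERT.{owner_of(record_id)}.{label or record_id.upper()}.UPD.GENCERT"]
    if signwith is not None:
        resources.append(
            f"IRR.DIGTCERT.{owner_of(signwith)}.{signer_label or signwith.upper()}.UPD.GENCERT"
        )
    return resources


def is_authorized(permitted, required, security_priv=False):
    """True if every required resource is permitted at or above the needed level.

    A caller holding the SECURITY privilege bypasses the resource checks.
    """
    if security_priv:
        return True
    return all(
        resource in permitted and LEVELS.index(permitted[resource]) >= LEVELS.index(level)
        for resource, level in required.items()
    )


if __name__ == "__main__":
    # Third example on the page: CUNKE01 creates FRANK01.CERT signed by the Audit CA.
    need = classic_checks("CUNKE01", "FRANK01.CERT", signwith="CERTAUTH")
    print(need)  # {'ACFCMD.DIGTCERT.ADD': 'UPDATE', 'ACFCMD.DIGTCERT.GENCERT': 'DELETE'}
    print(granular_checks("FRANK01.CERT", "Frank01 Cert", "CERTAUTH", "Audit CA"))
```

Pass SIGNWITH(CERTAUTH LABEL(Audit CA)) as signwith="CERTAUTH" with signer_label="Audit CA", and SIGNWITH(CERTAUTH.BLUELOCK) as signwith="CERTAUTH.BLUELOCK" with no signer label. The non-granular table has no row for signing with another user's certificate, so the example refuses that case rather than guessing a level.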