With my first (and second) reading of the RACF documentation it looked like z/OS could not act as my corporate Certificate Authority. I was writing up a blog post saying how to do it using Linux as my CA, when I found a couple of hints to show that z/OS could be used as a certificate authority.
The short answer on how to do it.
Create an end-user certificate on z/OS
//IBMRACF JOB 1,MSGCLASS=H
//S1 EXEC PGM=IKJEFT01,REGION=0M
//SYSPRINT DD SYSOUT=*
//SYSTSPRT DD SYSOUT=*
//SYSTSIN DD *
RACDCERT ID(START1) GENCERT -
  SUBJECTSDN(CN('MYCERT') -
             O('SS') -
             OU('SS')) -
  ALTNAME(IP(10.1.1.2) -
          DOMAIN('WWW.ME.COM') )-
  SIZE(4096) -
  SIGNWITH (CERTAUTH LABEL('MY-CA1')) -
  RSA -
  WITHLABEL('MYCERT')
This creates a certificate START1.MYCERT signed by CERTAUTH.MY-CA1
How to process a certificate created on Linux
I created a certificate on Linux in a script (so I could use a variable as part of the file name).
# base name for the generated files (the text below uses ec2)
name=ec2
passwords="-passin file:password.file -passout file:password.file"
# generate a private key in rsa format
openssl genrsa -out $name.key.pem 2048
# make a certificate request to send off to get it signed
openssl req -config mqwebserver.config -new -key $name.key.pem -out $name.csr -outform PEM -subj "/C=GB/O=cpwebuser/CN=mqwebec" $passwords
This creates a Certificate Signing Request file ec2.csr, and a private key in ec2.key.pem.
I FTP’d the .csr file to z/OS. This is a text file, where the first line is -----BEGIN CERTIFICATE REQUEST----- so you need to FTP in text format.
With RACF you can generate a certificate by passing the information in a data set, or by specifying it on the RACDCERT GENCERT command.
I used the following job to sign the certificate using Certificate Authority DAN-CA1, passing the information in from the .CSR data set I had previously uploaded.
//S1 EXEC PGM=IKJEFT01,REGION=0M
//SYSPRINT DD SYSOUT=*
//SYSTSPRT DD SYSOUT=*
//SYSTSIN DD *
RACDCERT ID(START1) GENCERT('IBMUSER.IBMUSER.EC2.CSR') -
  SIGNWITH (CERTAUTH LABEL('MY-CA1')) -
  WITHLABEL('MYCERT3')
RACDCERT LIST(LABEL('MYCERT3')) ID(START1)
RACDCERT ID(START1) EXPORT(LABEL('MYCERT3'))-
  DSN('IBMUSER.CERT.MYCERT3.PEM') -
  FORMAT(CERTB64)
SETROPTS RACLIST(DIGTCERT,DIGTRING ) refresh
This reads the data set specified in the GENCERT() command, and takes all of the certificate parameters from it. It is signed by the CERTAUTH with label(‘MY-CA1’) and stored in the RACF database under id(START1) with label(MYCERT3).
The EXPORT command exports the signed certificate to a data set.
I then FTP’d the exported data set IBMUSER.CERT.MYCERT3.PEM back to Linux.
I merged the two parts back together to create a .p12 combined file with
openssl pkcs12 -export -inkey ec2.key.pem -in dancert3.pem -out mycert3.p12 -name mycert3 -passout file:password.file -passin file:password.file
and displayed the .p12 file with
pk12util -l mycert3.p12
This gave me
Certificate(has private key):
    Data:
        Version: 3 (0x2)
        Serial Number: 4 (0x4)
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "CN=MYCA1,OU=SSS,O=SSS"
        Validity:
            Not Before: Sun Jan 17 00:00:00 2021
            Not After : Mon Jan 17 23:59:59 2022
        Subject: "CN=mqwebec,O=cpwebuser,C=GB"
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
                Modulus:...
                Exponent: 65537 (0x10001)
        Signed Extensions:
            Name: Certificate Comment
            Comment: "Generated by the Security Server for z/OS (RACF)"
            Name: Certificate Subject Alt Name
            DNS name: "localhost"
            IP Address: 127.0.0.1
            Name: Certificate Key Usage
            Critical: True
            Usages: Digital Signature
                    Non-Repudiation
                    Key Encipherment
            Name: Certificate Subject Key ID
            Data:...
            Name: Certificate Authority Key Identifier
            Key ID:...
    Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
    Signature:...
    Fingerprint (SHA-256):...
    Fingerprint (SHA1):...
    Friendly Name: dancert3
Key(shrouded):
    Friendly Name: mycert3
    Encryption algorithm: PKCS #12 V2 PBE With SHA-1 And 3KEY Triple DES-CBC
Note: I tried exporting the file on z/OS using FORMAT(PKCS7B64) instead of FORMAT(CERTB64).
The openssl pkcs12 -export command failed with
unable to load certificates
error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag:../crypto/asn1/tasn_dec.c:1149:
error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error:../crypto/asn1/tasn_dec.c:309:Type=X509_CINF
error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:../crypto/asn1/tasn_dec.c:646:Field=cert_info, Type=X509
:error:0907400D:PEM routines:PEM_X509_INFO_read_bio:ASN1 lib:../crypto/pem/pem_info.c:196:
If you get these messages, export the certificate again using FORMAT(CERTB64) and download that.
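The checks below can be run on Linux before the merge step, so that a wrongly exported file, a certificate built from a different key, or a certificate signed by the wrong CA is caught with a clear message. This is an added example, not part of the original post: the function names, the return codes and the file names ca.pem and mycert3.pem are assumptions, and a throwaway local CA stands in for RACF to build constructed sample input.

```sh
# Checks to run on Linux before "openssl pkcs12 -export" (added example).
# ca.pem is an assumed name for the CA certificate, available as a PEM file.
# Return codes: 0 ok, 2 not a PEM X.509 certificate,
#   3 certificate does not match the private key, 4 not signed by the CA.
check_signed_cert() {
    key=$1 cert=$2 ca=$3
    # A file in another format is what makes "openssl pkcs12 -export" stop
    # with "unable to load certificates"; catch it here with a clear message.
    if ! openssl x509 -in "$cert" -noout 2>/dev/null; then
        echo "$cert: not a PEM X.509 certificate, export with FORMAT(CERTB64)" >&2
        return 2
    fi
    # The signed certificate must carry the public half of our private key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -z "$key_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "$cert: public key does not match $key" >&2
        return 3
    fi
    # The CA signature on the certificate must verify against our CA copy.
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "$cert: not signed by the CA in $ca" >&2
        return 4
    fi
    echo "$cert: ok"
}

# Constructed sample input: a throwaway local CA stands in for RACF.
make_sample() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/O=SSS/CN=MYCA1" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null &&
    openssl genrsa -out "$d/ec2.key.pem" 2048 2>/dev/null &&
    openssl req -new -key "$d/ec2.key.pem" -out "$d/ec2.csr" \
        -subj "/C=GB/O=cpwebuser/CN=mqwebec" &&
    openssl x509 -req -in "$d/ec2.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/mycert3.pem" 2>/dev/null
}

workdir=$(mktemp -d) && make_sample "$workdir" &&
    check_signed_cert "$workdir/ec2.key.pem" "$workdir/mycert3.pem" "$workdir/ca.pem"
```

With real files, call check_signed_cert with the private key, the certificate downloaded from z/OS and the CA certificate, and run the pkcs12 export only when it returns 0.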
The longer answer…
When setting up certificates you have several options
- Use a self-signed certificate. This offers very little security, as anyone can create one. This should only be used for testing, though I think you should never use them, as you need to test with signed certificates because of the additional work that needs to be done. Imagine the conversation with your manager: “Did you test this?” “No, I tested something else”.
- Get a certificate from a recognised authority. You pay for each certificate you get. As the authority’s certificate is generally available you can use your certificate as soon as you get it.
- Set up your own authority. You create your own high-level certificate such as CN=TOPLEVELCA, O=MYORG, which in turn creates other certificates such as CN=TESTCA, O=MYORG and CN=PRODUCTIONCA, O=MYORG. You can create as many certificates as you wish, for example using the TESTCA for certificates that can be used in test.
- A combination of both: you get a high-level Certificate Authority certificate signed by a recognised authority, and then use that to set up your own certificates.
What does a “certificate” contain?
There are two parts
- The certificate identifies the “who”, along with the public key.
- The private key used in encryption.
What does “signing” mean?
You take a block of data, and do a calculation on it, for example a checksum. The signer takes the checksum and encrypts it using its private key. The original block of data then has the encrypted checksum and the signer's public key appended to it.
To check the signature,
- You compare the signer's public key with your copy of it and check it matches. If they match you decrypt the encrypted checksum.
- You perform the same calculation on the original payload and check your calculation with the decrypted version. If they match you know the data is good.
Signing a certificate is doing this with a certificate as the block of data.
If you have a corporate CA certificate, and a departmental CA certificate, the departmental certificate has been signed by the corporate CA. When you sign a block of data, it will have the departmental certificate, and the corporate certificate appended.
How does a Certificate Authority work?
At the top of the Certificate Authority hierarchy is a generally available self signed certificate with its public key.
- I create a personal certificate with “who” and the public key, and the private key.
- I send the personal certificate with “who” and the public key, known as a Certificate Signing Request (CSR), to my security department, who sign it and return it.
- I merge the signed “who” and the public key, with the private key, and store it in my key store.