Having used z/OS to be my corporate Certificate Authority I thought I would use Linux to be a corporate CA, and manage z/OS certificates. For more information on Certificate Authorities, and signing on certificates see here.
Setting up your Corporate CA up on Linux
At the top of the CA certificate hierarchy is a self signed certificate.
Create the CA self signed certificate
openssl req -x509 -config openssl-ca.cnf -newkey rsa:4096 -days 3000 -nodes -subj “/C=GB/O=SSS/OU=CA/CN=SSCA8” -out cacert.pem -keyout cacert.key.pem -outform PEM –addext basicConstraints=”critical,CA:TRUE, pathlen:0″ -addext keyUsage=”keyCertSign, digitalSignature”
This creates a certificate with
- -x509 says make it self signed – so my enterprise master CA
- using 4096 rsa encryption
- a subject “/C=GB/O=SSS/OU=CA/CN=SSCA8”
- valid for 3000 days
- Not DES encryption ( -nodes) of the output files
- the who and public key are stored in cacert.pem
- the private key is stored in cacert.key.pem
- using format pem
- extra parameters CA:TRUE and keyusage…
Display it
openssl x509 -in cacert.pem -text -noout|less
Create a personal certificate on Linux and sign it.
Create a personal certificate on Linux and get it signed by the CA created above.
I set up a shell script to do the work
name=”adcdd”
subj=’-subj “/C=GB/O=cpwebuser/CN=adcdd” ‘
#Passwords are stored in a file called password.file
passwords=”-passin file:password.file -passout file:password.file”
#clean out the old foils
rm $name.key.pem
rm $name.csr
rm $name.pem
CA=”cacert”
# generate a private certificate using Elliptic curve and type secp256r1
openssl ecparam -name secp256r1 -genkey -noout -out $name.key.pem
#create a certificate signing request (CSR)
openssl req -new -key $name.key.pem -out $name.csr -outform PEM $subj $passwords
#sign it – or send it off to be signed. Get the $name.pem back from the request.
openssl ca -config openssl-ca-user.cnf -md sha384 -out $name.pem -cert cacert.pem -keyfile cacert.key.pem -policy signing_policy -extensions signing_mqweb -md sha256 -infiles $name.csr
#Get the *.pem file back, if required, and merge the files to form the .p12 file
openssl pkcs12 -export -inkey $name.key.pem -in $name.pem -out $name.p12 -CAfile $CA.pem -chain -name $name $passwords
I stored common information in configuration files, such as openssl-ca-user.cnf . This had a section called signing_policy, and signing_mqweb which had
[ signing_mqweb ]
keyUsage = digitalSignature
subjectAltName = DNS:localhost, IP:127.0.0.1
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
Use Linux to be the Certificate Authority for my z/OS RACDCERT certificates.
Create a certificate on z/OS.
//IBMRACF JOB 1,MSGCLASS=H
//S1 EXEC PGM=IKJEFT01,REGION=0M
//SYSPRINT DD SYSOUT=*
//SYSTSPRT DD SYSOUT=*
//SYSTSIN DD *
RACDCERT ID(START1) DELETE(LABEL('MYCERTL'))
/* create the certificate - note it is not signed
RACDCERT ID(START1) GENCERT -
SUBJECTSDN(CN('MYCERTL') -
O('SSS') -
OU('SSS')) -
ALTNAME(IP(10.1.1.2) -
DOMAIN('WWW.ME2.COM') )-
SIZE(4096) -
RSA -
WITHLABEL('MYCERTL')
/* convert this to a certificate request and output it
RACDCERT GENREQ (LABEL('MYCERTL')) ID(START1) -
DSN('IBMUSER.CERT.MYCERTL.CSR')
/
The first line of the data set is —–BEGIN NEW CERTIFICATE REQUEST—– which is what I expect for a Certificate Signing Request.
FTP this down to the Linux machine as mycertl.csr and use the openssl ca command. This uses the cacert.*.pem files created above
openssl ca -config openssl-ca-user.cnf -md sha384 -out mycertl.pem -notext -cert cacert.pem -keyfile cacert.key.pem -policy signing_policy -extensions signing_mqweb -md sha256 -infiles mycertl.csr
Note: My openssl-ca-user.cnf is given below.
I carefully checked the details displayed, and replied y to both questions.
This produced
Using configuration from openssl-ca-user.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
organizationName :PRINTABLE:'SSS'
organizationalUnitName:PRINTABLE:'SSS'
commonName :PRINTABLE:'MYCERTL'
Certificate is to be certified until Oct 14 15:28:45 2023 GMT (1000 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
If the option -notext is not specified, the output file contains the readable interpretation of the certificate. Specify -notext to get the output file where the first line is —–BEGIN CERTIFICATE—–
Upload this output file to z/OS (for example “put mycertl.pem ‘IBMUSER.CERT.MYCERTL.PEM’ ” ).
Check the contents before you add it to the RACF keystore
RACDCERT CHECKCERT(‘IBMUSER.CERT.MYCERTL.PEM’)
Add the certificate to the keystore
//IBMRACF JOB 1,MSGCLASS=H
//S1 EXEC PGM=IKJEFT01,REGION=0M
//SYSPRINT DD SYSOUT=*
//SYSTSPRT DD SYSOUT=*
//SYSTSIN DD *
RACDCERT ADD('IBMUSER.CERT.MYCERTL.PEM') -
ID(START1) WITHLABEL('MYCERTL)
/*
The command racdcert list (label(‘MYCERTL’)) id(start1) shows the certificate has NOTRUST, so will not be visible on any keyring. You need
RACDCERT id(START1) ALTER(LABEL(MYCERTL’))TRUST
and will need to connect it to any keyrings.
Upload the CA certificate into the RACF database.
You will also need to upload the public key to the RACF database as a CERTAUTH, and connect it to any ring that uses a certificate signed by the Linux CA.
FTP the certificate file, cacert.pem (created above), to z/OS as text. Once you have FTPed the file, check the first line is “—–BEGIN CERTIFICATE—–“
Add it to RACF
You can add the certificate owned by a userid ( rather than certauth). The certificate needs to be connected to the keyring as usage(CERTAUTH).
//IBMRACF JOB 1,MSGCLASS=H
//S1 EXEC PGM=IKJEFT01,REGION=0M
//SYSPRINT DD SYSOUT=*
//SYSTSPRT DD SYSOUT=*
//SYSTSIN DD *
/* delete it if needed
RACDCERT DELETE (LABEL('Linux-CA256')) ID(START1)
RACDCERT id(start1) ADD('IBMUSER.CA256.PEM') -
WITHLABEL('Linux-CA256') TRUST
RACDCERT CONNECT(id(start1) LABEL('Linux-CA256') -
RING(TRUST) USAGE(CERTAUTH)) ID(START1)
RACDCERT CONNECT(id(start1) LABEL('Linux-CA256') -
RING(DANRING) USAGE(CERTAUTH)) ID(START1)
RACDCERT LISTRING(TRUST ) ID(START1)
racdcert list (label('Linux-CA256')) id(start1)
SETROPTS RACLIST(DIGTCERT,DIGTRING ) refresh
My openssl-ca-user.cnf file.
HOME = .
RANDFILE = $ENV::HOME/.rnd
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
[ CA_default ]
default_days = 1000 # How long to certify for
default_crl_days = 30 # How long before next CRL
default_md = sha256 # Use public key default MD
preserve = no # Keep passed DN ordering
x509_extensions = ca_extensions # The extensions to add to the cert
email_in_dn = no # Don’t concat the email in the DN
copy_extensions = copy # Required to copy SANs from CSR to cert
base_dir = .
certificate = $base_dir/cacert.pem # The CA certifcate
private_key = $base_dir/cakey.pem # The CA private key
new_certs_dir = $base_dir # Location for new certs after signing
database = $base_dir/index.txt # Database index file
serial = $base_dir/serial.txt # The current serial number
unique_subject = no # Set to ‘no’ to allow creation of
# several certificates with same subject.
[ signing_policy ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
##########
[ signing_mqweb ]
subjectAltName = DNS:localhost, IP:127.0.0.1
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
ColinPaice 