TRUST Keyword—Associate a Certificate to a User

Keywords › TRUST Keyword—Associate a Certificate to a User

TRUST Keyword—Associate a Certificate to a User

Valid on z/OS.

Use the TRUST keyword to associate a digital certificate with a user.

Note: HITRUST is only valid for the ACID named CERTAUTH.

This keyword has the following format:

TSS ADDTO(acid) DIGICERT(name)
                TRUST|NOTRUST|HITRUST

TRUST

Specifies that the certificate is valid for the user, site, or CA and the private key is not compromised.

On a:

USER certificate—TRUST indicates that the certificate can be used to authenticate an ACID.
CERTSITE certificate—TRUST indicates that the certificate can be used without authenticating it.
CERTAUTH certificate—TRUST indicates that the certificate can be used to authenticate other certificates.

NOTRUST

Indicates that the certificate is not trusted.

HITRUST

Specifies that the certificate is both highly trusted and trusted. Certificate usage applying to trusted certificates also applies to highly trusted certificates. Only CA certificates (CERTAUTH) can be highly trusted.

The trust status is set to the CA's trust status if the:

Certificate’s signature can be verified.
Certificate has not expired.
Certificate’s validity dates fall within the range of the signing certificate.

The default trust status for self-signed certificates is TRUST.

The trust status is set to NOTRUST if the certificate being added or generated:

Has expired
Has an invalid date range
Cannot be verified

The trust status of the new certificate is set to TRUST if the trust status comes from a signing certificate with HITRUST.

If TRUST is not specified and the certificate is signed by another certificate:

If all of the following conditions are met, the status is set to TRUST:
- The signing certificate can be located in the database.
- The signing certificate is a Certification Authority (CERTAUTH).
- The signing certificate has not expired.
- If the signing certificate's signature is valid.
- The validity dates of the certificate being added fall within the range of the signing certificate's validity dates.
If any of the above conditions are not met, the certificate is inserted as NOTRUST and a message is issued stating why.

This keyword is used with:

The commands ADDTO and REPLACE
The ACID types User, DCA, VCA, ZCA, LSCA, and SCA
ACID(MAINTAIN) authority

Example: TRUST keyword

This example associates a digital certificate with the name CERT0001 to USER1:

TSS ADDTO(USER1) DIGICERT(CERT0001)
                 DCDSN(cert.dataset.p12
                 TRUST

This example removes the digital certificate association:

TSS REPLACE(USER1) DIGICERT(CERT0001)
                   NOTRUST