

Exporting Certificates to Data Sets

You can export a certificate from a CA Top Secret security file to a new data set. The certificate can be identified by its DIGICERT name or by its label.

If the certificate's private key resides in an ICSF storage facility and the format of PKCS12DER or PKCS12B64 is specified in the TSS EXPORT command, the command is rejected. You cannot export a digital certificate with ICSF.

We recommend that you export a certificate to a data set to save it before renewing, both when using the RENEW command and when renewing by a manual process.

To export a certificate to a data set, enter the command:

TSS EXPORT(acid|CERTAUTH|CERTSITE)
                 [DIGICERT(name)]
                 [LABLCERT(labelname)]
                 [DCDSN(output-data-set-name)]
                 [FORMAT(format type)]
                 [PKCSPASS(PKCS#12 password)]

ACID

A user ACID.

CERTAUTH

Is an ACID in which your installation can maintain certificates that were generated by a third-party certificate authority (CA). This ACID is pre‑defined. You cannot add a KEYRING to this ACID.

CERTSITE

Is an ACID in which your installation can maintain site‑generated certificates. This ACID is pre‑defined. You cannot add a KEYRING to this ACID.

DIGICERT

Specifies a case-sensitive character ID that identifies the certificate with the user ACID. The DIGICERT must be entered as part of all GENCERT commands, since this keyword indicates the name to be used in the digital certificate.

Range: 1 to 8

DCDSN(output‑data‑set‑name)

The data set will be allocated and cataloged, and will contain the output from the exported digital certificate. The data set must conform to the MVS standards.
Range: Up to 44 characters

FORMAT

The following operands can be used with the FORMAT keyword:

CERTB64

(Default) Indicates Base64 encoded certificates.

CERTDER

Indicates DER encoded X.509 certificates.

PKCS7B64

Specifies a B64 encoded PKCS#7 package.

PKCS7DER

Specifies a DER encoded PKCS#7 package.

PKCS12B64

Indicates DER encoded (then Base64 encoded) PKCS#12 package.

PKCS12DER

Indicates DER encoded PKCS#12 package.

You get a private key only if you specify a 'PKCS' format.

LABLCERT

Specifies an optional and case‑sensitive label to be associated with the certificate being added to the user. Spaces are allowed if you use single quotes. This label is used as a handle instead of the serial number and issuer's distinguished name, and must be unique for the individual user. If a label is not specified, the label field will default to the value specified within the DIGICERT keyword.
Range: Up to 32 characters.

PKCSPASS

The PKCS‑password is case sensitive and can contain blanks.
Range: Up to 255 characters

Example: Export a certificate

This example exports a certificate:

TSS EXPORT(USER01) DIGICERT(DIGI0001)
                   DCDSN(USER3.CERT.DATA)
                   FORMAT(CERTDER)
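
The FORMAT operands decide what ends up in the output data set. As an added example (not part of the product documentation), this Python sketch classifies an exported file after it has been transferred off the host, so that a PKCS#12 package, the format that can carry a private key, is recognized before the file is stored or forwarded. It assumes DER output was transferred in binary, Base64 output arrived as ASCII text, and the PKCS#7 package is a signedData structure; the function names and sample bytes are constructed for illustration.

```python
import base64
import binascii

# DER encoding of OID 1.2.840.113549.1.7.2 (PKCS#7 signedData)
PKCS7_SIGNED_DATA = bytes.fromhex("06092a864886f70d010702")

def read_header(buf, pos):
    """Return (tag, offset of content) for the DER header starting at pos."""
    tag, first_len = buf[pos], buf[pos + 1]
    if first_len < 0x80:                      # short-form length
        return tag, pos + 2
    return tag, pos + 2 + (first_len & 0x7F)  # long-form or indefinite length

def classify_export(data):
    """Name the FORMAT operand whose output matches these bytes."""
    suffix = "DER"
    if not data.startswith(b"\x30"):          # not a DER SEQUENCE: try Base64
        lines = [ln.strip() for ln in data.splitlines()
                 if not ln.startswith(b"-----")]   # drop armor lines if any
        try:
            data = base64.b64decode(b"".join(lines), validate=True)
        except binascii.Error:
            return "UNKNOWN"
        suffix = "B64"
    try:
        outer_tag, pos = read_header(data, 0)
        inner_tag, _ = read_header(data, pos)
    except IndexError:                        # truncated or empty input
        return "UNKNOWN"
    if outer_tag != 0x30:
        return "UNKNOWN"
    if inner_tag == 0x30:                     # X.509: SEQUENCE { tbsCertificate SEQUENCE ...
        return "CERT" + suffix
    if data[pos:pos + 11] == PKCS7_SIGNED_DATA:
        return "PKCS7" + suffix
    if data[pos:pos + 3] == b"\x02\x01\x03":  # PFX: SEQUENCE { version INTEGER 3 ...
        return "PKCS12" + suffix
    return "UNKNOWN"

def may_contain_private_key(data):
    """True when the bytes look like a PKCS#12 package."""
    return classify_export(data).startswith("PKCS12")

# Constructed sample prefixes (not real certificates), enough to classify.
SAMPLE_CERT = b"\x30\x82\x01\x0a\x30\x82\x00\xf2" + b"\x00" * 8
SAMPLE_P7 = b"\x30\x82\x01\x0a" + PKCS7_SIGNED_DATA + b"\xa0\x80"
SAMPLE_P12 = b"\x30\x82\x01\x0a\x02\x01\x03\x30\x80"

if __name__ == "__main__":
    for sample in (SAMPLE_CERT, SAMPLE_P7, base64.b64encode(SAMPLE_P12)):
        print(classify_export(sample), may_contain_private_key(sample))
```

The check reads only the outer ASN.1 headers, so it identifies the package type without needing the PKCSPASS value.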