Previous Topic: List Digital Certificate InformationNext Topic: Change a User's Certificate

Digital CertificatesGeneral RulesGenerate a Certificate Request

Generate a Certificate Request

You can send a request to a certificate authority to verify the validity of a digital certificate. If CA Top Secret generated the certificate, the request is imported to CA Top Secret just as if the certificate authority was another company.

The request contains the subject's distinguished name and public key and is signed with the private key associated with the specified certificate. A PKCS#10 base64-encoded request is generated and written to data set. The GENREQ DCDSN must not be defined-the output DCDSN cannot be allocated or cataloged, this happens when you use the GENREQ command. The data set can be used as the DCDSN in a TSS GENCERT command.

The GENREQ command generates comments at the beginning of the certificate. Delete the comments if the application accepting the certificate does not support comments.

The syntax for the GENREQ command requires the DCDSN and that you identify the certificate using DIGICERT or LABLCERT (or both).

To generate a certificate request, enter the command:

TSS GENREQ(acid|CERTAUTH|CERTSITE) DCDSN(output data set name)
                [DIGICERT(name)]|[LABLCERT('label name')]
ACID

A user ACID .

CERTAUTH

Is an ACID in which your installation can maintain certificates that were generated by a third party certificate authority (CA). This ACID is pre‑defined. You cannot add a KEYRING to this ACID.

CERTSITE

Is an ACID in which your installation can maintain site‑generated certificates. This ACID is pre‑defined. You cannot add a KEYRING to this ACID.

DCDSN(output‑data‑set‑name)

The data set will be allocated and cataloged, and will contain the output data set from the genreq'ed digital certificate. The data set name will conform to MVS standards.
Range: Up to 44 characters

DIGICERT

Specifies a case sensitive ID that identifies the certificate with the user ACID.
Range: 1 to 8 characters

LABLCERT

Specifies an optional and case‑sensitive label to be associated with the certificate being added to the user. Spaces are allowed if you use single quotes. This label is used as a handle instead of the serial number and issuer's distinguished name, and must be unique for the individual user. If a label is not specified, the label field defaults to the value specified within the DIGICERT keyword.
Range: Up to 32 characters.

Example 1: GENREQ command

This example generates a certificate request:

TSS GENREQ(user1) DIGICERT(cert0001)
                  DCDSN(USER3.CERT.DATA)
                  LABLCERT('REQUEST 3')