List:       racf-l
Subject:    Re: Certificate revocation status checking
From:       Wai Choi <wchoi () US ! IBM ! COM>
Date:       2020-02-17 20:42:36
Message-ID: OFB5A5354E.92CC3809-ON00258511.00701478-85258511.0071C3C8 () notes ! na ! collabserv ! com

Matt,

RACDCERT GENREQ does support multiple SANs if you base it on a certificate 
with multiple SANs. Then the CSR created will include them. 

You have to enter the SANs manually in the RACDCERT GENCERT command even 
if the support is there. 

It takes some time to set up PKI Services. But once it is set, you can 
request a variety of certificates.

Regards,
Wai 

Wai Choi - RACF/PKI Design and Development



From:   "mtchapp@gmail.com" <mtchapp@GMAIL.COM>
To:     RACF-L@LISTSERV.UGA.EDU
Date:   02/17/2020 02:09 AM
Subject:        [EXTERNAL] Re: Certificate revocation status checking
Sent by:        RACF Discussion List <RACF-L@LISTSERV.UGA.EDU>



Hello Wai,

Sorry for the late reply. From my point of view, the main reason for 
supporting multiple dnsname SANs in RACDCERT GENCERT is so that the CSR 
can be generated from RACF with the SANs pre-populated, rather than 
entering that information manually when requesting the certificate from 
the CA (which not all CAs allow or are configured to accept).  Then the 
CA the request is submitted to, whether it be PKI Services or some other 
CA, can validate the SANs as part of the approval process and copy them 
into the final CA-signed certificate.

In our environment, we need multiple SANs in our CSR, but work around it 
by using IBM System SSL in C to construct the CSR with a modified set of 
extensions based on the RACF generated certificate and a list of 
additional SANs.  Works for us, but I would far rather have the support 
in GENCERT or GENREQ.

Regards,

Matthew Chappell.

On 1/02/2020 7:43 am, Wai Choi wrote:
> Hi all,
>
> I posted these questions last month. I have received some responses
> sent directly to me. I would like to thank those who have replied.
>
> From the responses I collected so far:
> 1) revocation checking is needed for applications running on the non z
> platforms;
> 2) commercial CA is needed only for external facing servers
>
> We have received a requirement to enhance the RACDCERT generated
> certificates to include multiple domain names in the Subject Alternate
> Name extension. If the certificate is to be validated by the applications
> running on the non z platforms and revocation status is needed to be
> checked, then the RACDCERT generated certificate cannot be used even if we
> spend the effort to add multiple domain names support.
>
> On the other hand, z/OS PKI Services already supported the generation of
> certificates with multiple domain names AND it is able to generate
> certificates with revocation information, either through Certificate
> Revocation List (CRL) or Online Certificate Status Protocol (OCSP).
>
> I understand issuing a RACDCERT GENCERT command is much simpler than
> setting up a fully functioning CA. What simplifications will make you
> consider using z/OS PKI Services for your internal use?
>
> BTW, I made a typo in my previous replies. It should be corporate policy.
>
> Regards,
> Wai
>
> Wai Choi - RACF/PKI Design and Development
>
>
>
>
> From:   Wai Choi <wchoi@US.IBM.COM>
> To:     RACF-L@LISTSERV.UGA.EDU
> Date:   12/10/2019 02:38 PM
> Subject:        [EXTERNAL] Certificate revocation status checking
> Sent by:        RACF Discussion List <RACF-L@LISTSERV.UGA.EDU>
>
>
>
> Hi all,
>
> I believe most of the applications you use today are using digital
> certificates. Would you share the answers for the following questions:
>
> 1) Do your applications need to check the revocation status of the
> certificate? What is the percentage on those that require the checking
> vs those that don't?
>
> 2) Does your company policy require ALL certificates to be issued by a
> commercial CA? If not, how do you get them?
>
> Thanks in advance for providing me the information.
>
> Regards,
> Wai
>
> Wai Choi - RACF/PKI Design and Development
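Matt's point that the CA should validate the requested SANs during approval is easy to illustrate. The following is an added example, not code from the thread or from RACF, PKI Services or System SSL: it encodes and parses the DER SubjectAltName GeneralNames structure with only the Python standard library, and applies an approval policy (names must fall under an allowed corporate domain, wildcards refused) that is assumed here for illustration. The SAN bytes are constructed in the example.

```python
# Added example (not from the thread): parse the dNSName entries out of a DER-encoded
# SubjectAltName extension value and check them against a hypothetical CA approval policy.
# Pure standard library; the sample SAN bytes below are constructed here, not produced by RACF.
from typing import List, Tuple

def _der_len(n: int) -> bytes:
    """Encode a DER length (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def encode_san(dns_names: List[str]) -> bytes:
    """GeneralNames ::= SEQUENCE OF GeneralName; dNSName is context tag [2] (0x82)."""
    inner = b"".join(b"\x82" + _der_len(len(n)) + n.encode("ascii") for n in dns_names)
    return b"\x30" + _der_len(len(inner)) + inner

def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, value, position after the element) for the TLV starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                      # long-form length: first byte gives byte count
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length

def decode_san_dns(san_der: bytes) -> List[str]:
    """Extract dNSName values; other GeneralName types (IP address, email, ...) are skipped."""
    tag, seq, _ = _read_tlv(san_der, 0)
    if tag != 0x30:
        raise ValueError("SubjectAltName must be a SEQUENCE")
    names, pos = [], 0
    while pos < len(seq):
        gn_tag, val, pos = _read_tlv(seq, pos)
        if gn_tag == 0x82:
            names.append(val.decode("ascii").lower())
    return names

def approve_san(san_der: bytes, allowed_suffixes: List[str]) -> List[str]:
    """Approval step (assumed policy): each requested dNSName must equal or sit under an
    allowed domain, and wildcards are refused. Returns the rejected names (empty = approve)."""
    rejected = []
    for name in decode_san_dns(san_der):
        under_allowed = any(name == s or name.endswith("." + s) for s in allowed_suffixes)
        if name.startswith("*") or not under_allowed:
            rejected.append(name)
    return rejected

# Constructed sample: a CSR requesting three names, one of them outside the corporate domain.
SAMPLE_SAN = encode_san(["app1.example.com", "app2.example.com", "app3.other.net"])
```

Running `approve_san(SAMPLE_SAN, ["example.com"])` returns the one name the CA should refuse, while an empty list means every requested SAN can be copied into the signed certificate.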