TCP/IP for z/VM
Secure Socket Layer (SSL) Server - Certificate Management Information


z/VM Server Certificate Label Requirements

The labels for server certificates that are to be used by the SSL server (whether provided by request from a Certificate Authority (CA) or self-signed) must be no more than eight (8) characters, and must consist only of uppercase alphanumeric characters.

While these requirements are not enforced by the gskkyman utility program, they still must be applied during the course of z/VM SSL certificate management activities.


z/VM Root Certificate Labels

When CA root certificates are imported to a z/VM key database, the labels for these certificates can be specified with mixed case text, and can include multiple (blank-delimited) words. To specify such a label, the label name must be enclosed in double quotes when the certificate is imported. For example:

  ...
  Enter import file name (press ENTER to return to menu):
  digicrootca.crt
  Enter label (press ENTER to return to menu):
  "DigiCert Global Root CA"
  Certificate imported.
  Press ENTER to continue.
  ...

If such labels are desired, be certain a CP TERMINAL ESCAPE character is not in effect when gskkyman is used. This can be accomplished by issuing the command CP TERMINAL ESCAPE OFF before gskkyman is invoked.


Certificate File Handling and BFS Import/Export Commands

When certificates are exported from the key database to a BFS file using a binary file format, via either of these gskkyman export options:

  1 - Binary PKCS #12 Version 1
  3 - Binary PKCS #12 Version 3

the resulting file, when propagated to a minidisk, should be processed with the OPENVM GETBFS command with the (BFSLINE NONE option to maintain the binary nature of the file.

Conversely, when certificates are exported from the key database to a BFS file using a Base64 file format, via either of these gskkyman export options:

  2 - Base64 PKCS #12 Version 1
  4 - Base64 PKCS #12 Version 3

the resulting file, when propagated to a minidisk, should be processed with the OPENVM GETBFS command with the (BFSLINE NL option to ensure the appropriate record structure is maintained.

Note that attempts to import an incorrectly exported certificate into another certificate database likely will fail, and might be reported as one of the following types of error conditions:

  • The certificate password is not valid
  • The certificate content is not valid
  • The certificate length is not valid
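
Because gskkyman does not enforce the server certificate label rule, and a mismatched BFSLINE option only surfaces later as an import error, both can be checked against a written plan before any certificate work begins. The following Python is an added example, not IBM code; the function names, the plan record layout and the sample labels are assumptions constructed for illustration. It applies to server certificate labels only, not to root certificate labels.

```python
# Allowed characters for a server certificate label, spelled out as ASCII
# because str.isupper()/str.isalnum() also accept non-ASCII letters and digits.
ALLOWED = set("ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789")

# gskkyman export option -> OPENVM GETBFS BFSLINE value, as stated on this page.
BFSLINE_FOR_EXPORT = {1: "NONE", 3: "NONE", 2: "NL", 4: "NL"}

def check_server_label(label):
    """Return a list of rule violations for a server certificate label."""
    if not label:
        return ["label is empty"]
    problems = []
    if len(label) > 8:
        problems.append(f"{len(label)} characters, limit is 8")
    bad = sorted({c for c in label if c not in ALLOWED})
    if bad:
        problems.append("disallowed characters: " + " ".join(repr(c) for c in bad))
    return problems

def check_transfer(export_option, bfsline):
    """Return a list of problems for an export option / BFSLINE pairing."""
    required = BFSLINE_FOR_EXPORT.get(export_option)
    if required is None:
        return [f"export option {export_option} is not one of the four listed here"]
    if bfsline.upper() != required:
        return [f"export option {export_option} needs BFSLINE {required}, plan has {bfsline}"]
    return []

def audit(plan):
    """Map each label in the plan to its problems; clean entries are omitted."""
    findings = {}
    for entry in plan:
        problems = check_server_label(entry["label"])
        if "export_option" in entry:
            problems += check_transfer(entry["export_option"], entry["bfsline"])
        if problems:
            findings[entry["label"]] = problems
    return findings

# Constructed sample plan: labels and pairings are illustrative only.
PLAN = [
    {"label": "ZVMSSL01", "export_option": 3, "bfsline": "NONE"},
    {"label": "zvm-ssl-prod", "export_option": 4, "bfsline": "NL"},
    {"label": "TESTCERT", "export_option": 1, "bfsline": "NL"},
]

print(audit(PLAN))
```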