Skippy, a number of misapprehensions in there.

A certificate never "consists of a public and private key." A certificate 
contains a public key, and somewhere there is a corresponding private key. A 
PKCS12 package may contain both the certificate and the private key, but a 
certificate itself never contains a private key.

No, the "public key" per se is not installed anywhere. If the FTP server will 
be presenting a server certificate, then the root certificate of the CA that 
signed that certificate must be installed and trusted on the client machine. 
(If the server certificate is self-signed, then it is its own CA, and it must 
be pre-installed and trusted on the client.)

"When looking at a directory of certs, how can I find the public one?" is not a 
question that has an answer. "Public cert" is not a generally recognized 
concept.

There are many, many ways that one might create a certificate, but the most 
common sort of approach would be (1) using gskkyman or RACF to create a 
certificate signing request, and then having (a.) a public CA who will charge 
you money; or (b.) PKI services run by your shop to sign it and issue a 
certificate; or (2) using RACF or gskkyman to create a self-signed certificate. 
Self-signed certificates are a whole topic of their own, but briefly, the plus 
is that they are free and easy; the minus is that they enjoy a certain amount 
of ill repute and will not be suitable in many scenarios.

If you are going to be your own certificate expert then I think you need to 
start with some general education on how the certificate process works, and 
then proceed from there to specific, detailed questions on this list. There are 
a number of SHARE presentations that would be a starting point, or the RACF Sec 
Admin Guide, or perhaps one of the Redbooks. Otherwise you will need to retain 
the services of such an expert.

Charles


-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Skippy the Ancient
Sent: Thursday, November 5, 2020 6:02 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: gskkyman & public key

I am asking in regards to FTPS.
I know gskkyman can create/import/export certs. The cert consists of a public 
and private key.
I'm asking because it's my understanding that the public key should be loaded 
up and installed on a client computer.  Is that correct?

When looking at a directory full of certs, how can I find the public one?  Or 
how do I create it?

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
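
Added example, not part of the original messages or of any IBM tooling: a Python reading of the reply's point that a file may hold a certificate, a private key, or both, while the certificate itself carries only names and a public key. It assumes the directory holds Base64 (PEM) text exports rather than a gskkyman key database or a binary PKCS12 package. The names `describe`, `sample_cert` and the sample file names are hypothetical, and the sample certificates are constructed with placeholder key and signature bytes.

```python
import base64, re

PEM = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def read_tlv(buf, pos):                    # -> (tag, body_start, body_end) of one DER element
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_and_subject(der):               # raw Name encodings from an X.509 certificate
    _, pos, _ = read_tlv(der, 0)           # Certificate
    _, pos, end = read_tlv(der, pos)       # tbsCertificate
    fields = []
    while pos < end:
        tag, _, nxt = read_tlv(der, pos)
        fields.append((tag, der[pos:nxt]))
        pos = nxt
    skip = fields[0][0] == 0xA0            # optional [0] version comes first when present
    return fields[2 + skip][1], fields[4 + skip][1]  # serial, sigAlg, issuer, validity, subject

def describe(pem_text):
    """Name what each PEM block holds; issuer == subject is a name check, not signature verification."""
    out = []
    for label, body in PEM.findall(pem_text):
        if label == "CERTIFICATE":
            issuer, subject = issuer_and_subject(base64.b64decode(body))
            out.append("certificate, " + ("self-signed" if issuer == subject else "CA-issued"))
        else:                              # "private key", "certificate request", ...
            out.append(label.lower())
    return out

def tlv(tag, body):                        # DER-encode one element of up to 255 bytes
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x81, n])) + body

def sample_cert(issuer, subject):          # constructed; key and signature bytes are placeholders
    name = lambda cn: tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, cn))))
    alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + tlv(0x05, b""))
    dates = tlv(0x30, tlv(0x17, b"200101000000Z") * 2)
    tbs = tlv(0x30, tlv(0x02, b"\x01") + alg + name(issuer) + dates + name(subject)
              + tlv(0x30, alg + tlv(0x03, b"\x00\x01")))
    der = tlv(0x30, tbs + alg + tlv(0x03, b"\x00\x01"))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()

KEY = "-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n"   # constructed placeholder
SAMPLE = {"server.pem": sample_cert(b"Example Root CA", b"ftp.example.test") + KEY,
          "selfsigned.pem": sample_cert(b"ftp.example.test", b"ftp.example.test")}
```

A "CA-issued" result means the client needs the issuing CA's root certificate in its trust store; a "self-signed" result means the certificate itself must be pre-installed and trusted there.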
