Can you have the same label on different digital certificates?


Article ID: 11779


Products

ACF2, ACF2 - DB2 Option, ACF2 for zVM, ACF2 - z/OS, ACF2 - MISC, PanApt, PanAudit

Issue/Introduction



Can you have the same label on different digital certificates?

Environment

Release:
Component: ACF2MS

Resolution

Two certificates can have the same label and be connected to the same keyring; however, the two certificates cannot be owned by the same userid. The certificate label must be unique within the set of certificates for a user. Certificates are stored as CERTDATA records in the format userid.suffix. In the test below, the two certificates with the same LABEL(LDAPR151) are owned by LDAPR151 and LDAPR152 (LDAPR151.CERT and LDAPR152.CERT2).

If a GENCERT specifies a userid and LABEL that match an existing certificate, the ACF0A041 error message is issued:

 ACF0A041 The certificate label is a duplicate of existing certificate record:  LDAPR152.CERT2     

The message indicates that the certificate label specified is a duplicate of the label found in an existing certificate (CERTDATA) record for this logonid.    

Example Certificates With Same Label Connected to the Same Keyring

Existing certificate with LABEL(LDAPR151):

LDAPR151.CERT LAST CHANGED BY USER002 ON 10/26/16-12:29            
          ISSUERDN(CN=MyLocalzOSCA.OU=Auditing Department.O=Company
          Name.C=US) KEYSIZE(2,048) LABEL(LDAPR151) SERIAL#(01)  
          SUBJDN(CN=DE28LDAPserver.OU=MyCo.C=US) TRUST             

GENCERT(create) a certificate with the same LABEL(LDAPR151):

GENCERT LDAPR152.CERT2 SUBJ(CN='XOOperations' OU='XOCo' C=US)
          LABEL(LDAPR151) SIGNWITH(certauth Label(LocalACF CA)) EXPIRE(10/25/2017)

  CERTDATA / LDAPR152.CERT2 LAST CHANGED BY USER002 ON 11/01/16-07:18          
                       ISSUERDN(CN=MyLocalzOSCA.OU=Auditing Department.O=Company
                       Name.C=US) KEYSIZE(2,048) LABEL(LDAPR151) SERIAL#(06)  
                       SUBJDN(CN=XOOperations.OU=XOCo.C=US) TRUST               

Both certificates can be connected to the same KEYRING:

KEYRING / LDAPR151.RING LAST CHANGED BY USER002 ON 11/01/16-07:20  
                DEFAULT(LDAPR151.CERT) RINGNAME(LDAPR151Ring)  

The following certificates are connected to this key ring:          

CERTDATA record    Label                             Usage          
-----------------  --------------------------------  --------       
CERTAUTH.LOCALCA   LocalACF CA                       CERTAUTH       
LDAPR151.CERT      LDAPR151                          PERSONAL       
LDAPR152.CERT2     LDAPR151                          PERSONAL
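
The following Python script is an added example, not part of the original article or of ACF2. It parses a key ring listing in the format shown above, reports labels connected under more than one CERTDATA record, and models the per-userid label rule. The function names and the exact-match comparison are assumptions; the sample listing is constructed from the output in this article.

```python
import re
from collections import defaultdict

# Constructed sample: the key ring listing from this article.
LISTING = """\
CERTDATA record    Label                             Usage
-----------------  --------------------------------  --------
CERTAUTH.LOCALCA   LocalACF CA                       CERTAUTH
LDAPR151.CERT      LDAPR151                          PERSONAL
LDAPR152.CERT2     LDAPR151                          PERSONAL
"""

def parse_ring(listing):
    """Return (userid, suffix, label, usage) for each connected certificate."""
    lines = [l.rstrip() for l in listing.splitlines() if l.strip()]
    ruler = next(i for i, l in enumerate(lines) if set(l) <= {"-", " "})
    # Column spans come from the dashed ruler, so a label containing
    # blanks ("LocalACF CA") stays in one field.
    spans = [m.span() for m in re.finditer(r"-+", lines[ruler])]
    rows = []
    for line in lines[ruler + 1:]:
        record, label, usage = (line[a:b].strip() for a, b in spans)
        userid, _, suffix = record.partition(".")
        rows.append((userid, suffix, label, usage))
    return rows

def shared_labels(rows):
    """Map each label connected more than once to its CERTDATA record keys."""
    by_label = defaultdict(list)
    for userid, suffix, label, _ in rows:
        by_label[label].append(f"{userid}.{suffix}")
    return {k: sorted(v) for k, v in by_label.items() if len(v) > 1}

def gencert_conflict(rows, userid, label):
    """Model of the rule above: a label must be unique per owning userid.
    Returns the existing record key that would trigger ACF0A041, else None.
    Assumption: exact string comparison; only the listed records are checked."""
    for owner, suffix, existing, _ in rows:
        if owner == userid and existing == label:
            return f"{owner}.{suffix}"
    return None

if __name__ == "__main__":
    rows = parse_ring(LISTING)
    print(shared_labels(rows))
    print(gencert_conflict(rows, "LDAPR152", "LDAPR151"))
```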