ACF00178 INVALID CERTIFICATE DATA - FORMAT message when trying to INSERT a digital certificate in ACF2

Article ID: 124439

Updated On:

Products

ACF2, ACF2 - DB2 Option, ACF2 - z/OS, ACF2 - MISC

Issue/Introduction

When trying to INSERT a digital certificate into ACF2, the following error message is seen:

'ACF00178 INVALID CERTIFICATE DATA - FORMAT' 

Why is this occurring?

Environment

Release:
Component: ACF2MS

Resolution

Verify that LU05610 is applied. If this PTF is applied, the most likely cause of the "ACF00178 INVALID CERTIFICATE DATA - FORMAT" error is that the certificate file on z/OS is not in the correct format for a certificate. This is most likely caused by transferring the certificate to z/OS with FTP in the wrong format. Depending on how the certificate package was created, it could be in binary format or ASCII format. Try transferring the certificate again with FTP in the other format (ASCII/BINARY), and then retry the CHKCERT command.

ACF2 supports the INSERT of certificates in the following formats:

Format(CERTDER)
Indicates that the exported certificate should be encoded using the X.509 Distinguished Encoding Rules (DER). This is the standard form of an X.509 certificate. It is a binary file, so if it is being transferred using FTP, BINARY or IMAGE mode must be used.

Format(CERTB64)
Indicates that the exported certificate should be encoded using base-64 encoding. This encoding is applied to the standard X.509 certificate to make it possible to ship the certificate through systems, such as E-mail systems, that cannot handle binary files. This is a text file, so if it is being transferred using FTP, ASCII or TEXT mode must be used. Format(CERTB64) is the default if no format is specified.

Format(PKCS12DER)
Specifies a DER-encoded PKCS#12 certificate package. This will export a certificate (and its private key) and its CA chain. If this option is selected, a PASSWORD must also be supplied. Format PKCS12DER must be used if you need to import a PKCS#12 certificate package on Windows, since Windows cannot directly import a PKCS12B64 format PKCS#12 package.

Format(PKCS12B64)
Specifies a DER-encoded then base-64 encoded PKCS#12 certificate package. This will export a certificate (and its private key) and its CA chain. If this option is selected, a PASSWORD must also be supplied. Format(PKCS12B64) is the default if a password has been specified but no format is specified.

Format(PKCS7DER)
Specifies a DER encoded PKCS 7 certificate package. This will export a certificate and its CA chain. If a certificate in the chain cannot be found under the CERTAUTH ID or the certificate is expired, an informational message will be issued and an incomplete PKCS 7 package will be created. CA ACF2 will still be able to process the incomplete package but it may not be useful to OEM products.

Format(PKCS7B64)
Specifies a base-64 encoded PKCS 7 certificate package. This will export a certificate and its CA chain. If a certificate in the chain cannot be found under the CERTAUTH ID or the certificate is expired, an informational message will be issued and an incomplete PKCS 7 package will be created. CA ACF2 will still be able to process the incomplete package but it may not be useful to OEM products.

To correct the error:

  1. Verify CERTDER, PKCS7DER, PKCS12DER format certificates are FTP'd to z/OS in BINary format RECFM VB.
  2. Verify CERTB64, PKCS7B64, PKCS12B64 format certificates are FTP'd to z/OS in ASCII format RECFM VB.

    Note: To tell a DER binary certificate from a B64 ASCII certificate, browse the certificate on a PC with Windows NOTEPAD or browse it in z/OS with ISPF BROWSE. If the certificate is in B64 ASCII, you will see the strings “-----BEGIN CERTIFICATE-----” and “-----END CERTIFICATE-----” as the beginning and ending lines of the certificate.

  3. Check for truncation of the base-64 encoded certificate by browsing the certificate from ISPF. If there is only a single line between the “-----BEGIN CERTIFICATE-----” and “-----END CERTIFICATE-----” lines, the certificate was truncated when it was FTP’d to z/OS.

           To avoid FTP truncation, use the following FTP commands:

            ASCII
            QUOTE SITE WRAP LRECL=84 BLKSIZE=27998 RECFM=VB
            PUT cert_file_name 'z/OS dataset name' (REPLACE
            quit
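
The checks in steps 1 to 3 can be run on the workstation before the transfer. The following Python sketch is an added example, not code from this article or from ACF2: it classifies a file as binary DER or base-64, reports the matching FTP mode, and flags truncation. The function names and sample data are hypothetical, and the 80-byte line limit assumes that LRECL=84 with RECFM=VB leaves 80 data bytes after the 4-byte record descriptor word.

```python
import base64
import binascii

def der_complete(der: bytes) -> bool:
    """True if der is one SEQUENCE whose declared length matches its size."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    n = der[1]
    if n < 0x80:                      # short-form length
        return len(der) == 2 + n
    k = n & 0x7F                      # long form: k length bytes follow
    return k > 0 and len(der) == 2 + k + int.from_bytes(der[2:2 + k], "big")

def check_cert_file(data: bytes) -> dict:
    """Classify a certificate file; ftp_mode follows the article's rule."""
    problems = []
    if data[:1] == b"\x30":           # binary DER: CERTDER, PKCS7DER, PKCS12DER
        if not der_complete(data):
            problems.append("DER length does not match file size")
        return {"encoding": "DER", "ftp_mode": "BINARY", "problems": problems}
    lines = [ln.strip() for ln in data.decode("latin-1").splitlines() if ln.strip()]
    begin = next((i for i, ln in enumerate(lines) if ln.startswith("-----BEGIN ")), None)
    end = next((i for i, ln in enumerate(lines) if ln.startswith("-----END ")), None)
    if begin is None or end is None or end < begin:
        problems.append("no DER SEQUENCE tag and no BEGIN/END lines")
        return {"encoding": "UNKNOWN", "ftp_mode": None, "problems": problems}
    body = lines[begin + 1:end]
    if len(body) <= 1:                # the symptom described in step 3
        problems.append("at most one line between BEGIN and END")
    if any(len(ln) > 80 for ln in lines):
        problems.append("line longer than 80 bytes (LRECL=84 VB holds 80)")
    try:
        if not der_complete(base64.b64decode("".join(body), validate=True)):
            problems.append("decoded body is not a complete DER structure")
    except (binascii.Error, ValueError):
        problems.append("body is not valid base-64")
    return {"encoding": "B64", "ftp_mode": "ASCII", "problems": problems}

# Constructed sample: a DER-shaped blob (not a real certificate) and its base-64 form.
SAMPLE_DER = b"\x30\x82\x01\x0a" + bytes(266)
_b64 = base64.b64encode(SAMPLE_DER).decode()
_rows = [_b64[i:i + 64] for i in range(0, len(_b64), 64)]
SAMPLE_B64 = "\n".join(["-----BEGIN CERTIFICATE-----", *_rows, "-----END CERTIFICATE-----", ""]).encode()
# The same file as it looks after a transfer that kept only the first body line.
SAMPLE_TRUNCATED = "\n".join(["-----BEGIN CERTIFICATE-----", _rows[0], "-----END CERTIFICATE-----", ""]).encode()

if __name__ == "__main__":
    for name, blob in (("der", SAMPLE_DER), ("b64", SAMPLE_B64), ("truncated", SAMPLE_TRUNCATED)):
        print(name, check_cert_file(blob))
```

The same function can be run on a copy retrieved back from z/OS to confirm that the data set still decodes to a complete structure.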