I am trying to do a GENCERT of a Personal certificate with the SIGNWITH parameter and I am getting error message 'ACF68028 ERROR RETRIEVING SIGNWITH CERTIFICATE', what causes this?

If the signing certificate is not a CERTAUTH or SITECERT certificate, or if the GENCERT is not being done by the signing certificate's owner the Error 'ACF68028 ERROR RETRIEVING SIGNWITH CERTIFICATE' message will be issued.

The SIGNWITH parameter requires a value in the format CERTAUTH.RECORDID, CERTAUTH LABEL(value), SITECERT.RECORDID, SITECERT LABEL(value) or (Label(label-name)). If CERTAUTH or SITECERT are not specified, Label must be specified and the label will identify the user certificate that will sign the new certificate. The user id associated with the label is the user generating the certificate.

For example:

Logon to TSO using loginid USER002, issue the GENCERT:

GENCERT USER002.CERT1 SUBJ(CN='cnName'                                
    OU='deptName' O='Company Name' C=xx)  
   LABEL(ABCCA CA) KEYSIZE(2,048)

CERTDATA / USER002.CERT1 LAST CHANGED BY USER002 ON 04/12/17-12:53            
                      CERTNSER(0000000000000001) ISSUERDN(CN=cnName.OU
                      =deptName.O=Company Name.C=xx) KEYSIZE(2,048)
                      LABEL(ABCCA CA) SERIAL#(00) SUBJDN(CN=cnName.OU=
                      deptName.O=Company Name.C=xx) TRUST           

  Certificate is not connected to any key rings                                 

 PROFILE                                                                        

GENCERT test.CERT SUBJ(CN=‘testcnName’ OU=‘MyCo’ C=xx)                      
   LABEL(testServer) SIGNWITH(LABEL(ABCCA CA))   

CERTDATA / TEST.CERT LAST CHANGED BY USER002 ON 04/12/17-12:53              
                      ISSUERDN(CN=cnName.OU=deptName.O=Comp
                      any Name.C=xx) KEYSIZE(2,048) LABEL(testServer)        
                       SERIAL#(01) SUBJDN(CN=testcnName.OU=MyCo.C=xx) TRUST   

  Certificate is not connected to any key rings