ACF2 CHKCERT fails with message ACF68076 Unsupported KEY algorithm

Article ID: 14470


Products

ACF2, ACF2 - DB2 Option, ACF2 - z/OS, ACF2 - MISC

Issue/Introduction

Why does an ACF2 CHKCERT fail with message "ACF68076 Unsupported KEY algorithm. Cannot CHKCERT the certificate"?

Resolution

First, check whether ACF2 PTF SO05363 is applied. If the PTF is applied, verify the following.

The ACF68076 error indicates that the certificate file on z/OS is not in a format ACF2 recognizes as a certificate. This is most often caused by FTPing the certificate to z/OS in the wrong transfer mode. Depending on how the certificate package was created, the file is either binary (DER) or ASCII (base-64). Try re-FTPing the certificate in the other transfer mode (ASCII instead of BINARY, or BINARY instead of ASCII) and then re-try the CHKCERT command.

ACF2 supports the INSERT of certificates in the following formats:

  • certificate encoded using the X.509 Distinguished Encoding Rules (DER)
  • certificate encoded using the standard X.509 base-64 encoding
  • DER-encoded PKCS#12 certificate package
  • DER-encoded, then base-64 encoded, PKCS#12 certificate package
  • DER-encoded PKCS#7 certificate package
  • base-64 encoded PKCS#7 certificate package

To correct the error:

  1. Verify that CERTDER, PKCS7DER, and PKCS12DER format certificates are FTP'd to z/OS in BINARY mode into a RECFM VB dataset.
  2. Verify that CERTB64, PKCS7B64, and PKCS12B64 format certificates are FTP'd to z/OS in ASCII mode into a RECFM VB dataset. Check for truncation of the base-64 encoded certificate by browsing the dataset from ISPF: if there is only a single line between "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----", the certificate was truncated when FTP'd to z/OS.

     To avoid FTP truncation, use the following FTP commands:

      ASCII
      QUOTE SITE WRAP LRECL=84 BLKSIZE=27998 RECFM=VB
      PUT cert_file_name 'z/OS dataset name' (REPLACE
      quit
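The two checks above (is the file DER or base-64, and has the base-64 body been collapsed to a single line or cut short) can be automated on the workstation before the upload, or on a copy pulled back from z/OS after it. The following Python script is an added example and is not code from Broadcom or from ACF2; it assumes the file has been downloaded back to an ASCII workstation (an EBCDIC dataset would first need translating) and it only inspects the outer DER SEQUENCE header, which is enough to detect the transfer damage the article describes. The sample inputs are constructed stand-ins, not real certificates.

```python
"""Pre/post-transfer checker for X.509 certificate files (added example).

Classifies a file as DER or base-64 (PEM) and checks for the symptoms the
article describes: a DER blob whose declared length does not match the file
size (truncated, or binary data damaged by an ASCII-mode transfer) and a
base-64 body that no longer decodes to a complete DER structure (truncated,
typically visible as a single line between the BEGIN/END markers).
"""
import base64
import binascii
import re
import sys

PEM_RE = re.compile(rb"-----BEGIN [^-]+-----\r?\n?(.*?)\r?\n?-----END [^-]+-----", re.S)


def der_declared_length(data: bytes):
    """Total length the outer DER SEQUENCE claims (tag + length + content),
    or None if the bytes do not start with a SEQUENCE tag (0x30)."""
    if len(data) < 2 or data[0] != 0x30:
        return None
    first = data[1]
    if first < 0x80:                      # short form: one length byte
        return 2 + first
    num_len_bytes = first & 0x7F          # long form: next N bytes hold the length
    if num_len_bytes == 0 or len(data) < 2 + num_len_bytes:
        return None
    return 2 + num_len_bytes + int.from_bytes(data[2:2 + num_len_bytes], "big")


def check_der(data: bytes) -> dict:
    """Compare the declared DER length with the actual byte count."""
    declared = der_declared_length(data)
    if declared is None:
        return {"format": "unknown", "ok": False,
                "reason": "no PEM markers and no leading DER SEQUENCE tag; "
                          "binary data was probably transferred in ASCII mode"}
    if declared > len(data):
        return {"format": "DER", "ok": False,
                "reason": f"DER declares {declared} bytes but file holds {len(data)}: truncated"}
    if declared < len(data):
        return {"format": "DER", "ok": False,
                "reason": f"{len(data) - declared} trailing bytes after the DER SEQUENCE: "
                          "padding or line-end translation added by the transfer"}
    return {"format": "DER", "ok": True, "reason": ""}


def check_base64(data: bytes) -> dict:
    """Decode the body between the BEGIN/END markers and re-check it as DER."""
    m = PEM_RE.search(data)
    if not m:
        return {"format": "base64", "ok": False,
                "reason": "BEGIN/END markers present but the body is not delimited"}
    lines = [ln.strip() for ln in m.group(1).splitlines() if ln.strip()]
    # The article's ISPF symptom: a single line between the markers.
    hint = " (single-line body: truncated during FTP)" if len(lines) == 1 else ""
    try:
        der = base64.b64decode(b"".join(lines), validate=True)
    except binascii.Error:
        return {"format": "base64", "ok": False,
                "reason": "base-64 body does not decode: truncated or corrupted" + hint}
    inner = check_der(der)
    if not inner["ok"]:
        return {"format": "base64", "ok": False, "reason": inner["reason"] + hint}
    return {"format": "base64", "ok": True, "reason": ""}


def classify_certificate(data: bytes) -> dict:
    """Route to the base-64 or DER check depending on the presence of PEM markers."""
    if b"-----BEGIN" in data:
        return check_base64(data)
    return check_der(data)


def sample_der() -> bytes:
    """Constructed stand-in: a 102-byte DER SEQUENCE holding an OCTET STRING.
    Not a real certificate; it only exercises the length check."""
    return b"\x30\x64" + b"\x04\x62" + b"A" * 98


def sample_pem(wrap: int = 64) -> bytes:
    """Constructed PEM wrapping of sample_der(), line-wrapped at `wrap` characters."""
    b64 = base64.b64encode(sample_der())
    body = b"\n".join(b64[i:i + wrap] for i in range(0, len(b64), wrap))
    return b"-----BEGIN CERTIFICATE-----\n" + body + b"\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    # Usage: python checkcert.py <certificate file>   (file name is an assumption)
    with open(sys.argv[1], "rb") as fh:
        print(classify_certificate(fh.read()))
```

The DER branch catches the other direction of the same mistake: a binary certificate uploaded in ASCII mode gets its bytes translated, so the file no longer starts with 0x30 or its length no longer matches the header, which is exactly the state CHKCERT rejects as an unsupported key algorithm.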

If the above does not resolve the error, issue a CHKCERT DUMP command against the dataset containing the certificate and open a case with Broadcom Support, including the DUMP output.