CHKCERT CHAIN command returns "Chain is incomplete" message when using ACF2
Article ID: 16139

Products: ACF2, ACF2 - DB2 Option, ACF2 for zVM, ACF2 - z/OS, ACF2 - MISC

Issue/Introduction

Why is there a "Chain is Incomplete" message when issuing a CHKCERT CHAIN command under ACF2?
This message was not seen for the same certificate chain on ACF2 R15.

At the end of the CHKCERT output is the following summary:

Chain Information:
    Chain contains 2 certificates
    Chain is INCOMPLETE
    Chain contains common ring - XXXXX.RING

Environment

Release: ACF2 R16

Resolution

ACF2 R16 PTF RO95082 increased the validation of certificate chaining.

Part of this validation is a check that each CERTAUTH used to sign a certificate in the chain has validity dates that fully encompass the validity period of the certificate it signed.

Example:

There are 3 certificates in a chain of CERTAUTH certificates that sign a user certificate.

The root CERTAUTH certificate has validity dates of:

Not valid before:    2006/11/27  20:23:42 UTC
Not valid after:       2026/11/27  20:53:42 UTC

It signs an intermediate certificate with validity dates of:

Not valid before:    2014/09/22  17:14:57 UTC
Not valid after:       2024/09/23  01:31:53 UTC

This intermediate certificate signs another CERTAUTH with validity dates of:

Not valid before:    2014/10/22  17:05:14 UTC
Not valid after:       2025/10/23  07:33:22 UTC

As can be seen, the validity of the second certificate (CERT2, the intermediate) does not cover the full validity period of the third certificate (CERT3), which it signed:

CERT2 expires on September 23 2024
CERT3 expires on October 23 2025

Therefore the CHKCERT CHAIN command will only show CERT3 as being a part of the chain.
The other two certificates will not be included in the chain.
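To make the containment rule concrete, here is an added Python model of the check as this article describes it (not ACF2's own code): it walks from the user certificate toward the root and stops at the first signer whose validity window does not cover the certificate it signed. The ROOT, CERT2 and CERT3 dates are the ones above; the USER certificate's window and all labels are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

@dataclass
class Cert:
    label: str
    issuer: Optional[str]   # label of the signing CERTAUTH; None for a self-signed root
    not_before: datetime
    not_after: datetime

def parse_ts(s: str) -> datetime:
    """Parse the 'YYYY/MM/DD  HH:MM:SS UTC' form shown in CHKCERT output."""
    return datetime.strptime(" ".join(s.split()), "%Y/%m/%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)

def encompasses(ca: Cert, signed: Cert) -> bool:
    """True when the signer's validity window fully contains the signed cert's window."""
    return ca.not_before <= signed.not_before and signed.not_after <= ca.not_after

def walk_chain(certs, leaf_label):
    """Walk from the leaf toward the root; stop at the first signer whose validity
    does not cover the certificate it signed. Returns (chain, complete, reason)."""
    by_label = {c.label: c for c in certs}
    chain = [by_label[leaf_label]]
    while True:
        cur = chain[-1]
        if cur.issuer is None:                 # reached a self-signed root
            return chain, True, None
        ca = by_label.get(cur.issuer)
        if ca is None:
            return chain, False, f"signer {cur.issuer} not found"
        if not encompasses(ca, cur):
            return chain, False, f"{ca.label} validity does not cover {cur.label}"
        chain.append(ca)

def chkcert_summary(certs, leaf_label) -> str:
    """One-line version of the 'Chain Information' summary for the walked chain."""
    chain, complete, reason = walk_chain(certs, leaf_label)
    status = "COMPLETE" if complete else f"INCOMPLETE ({reason})"
    return f"Chain contains {len(chain)} certificates; Chain is {status}"

# Dates from the article; the USER certificate's window is constructed for illustration.
ARTICLE_CHAIN = [
    Cert("ROOT", None, parse_ts("2006/11/27  20:23:42 UTC"), parse_ts("2026/11/27  20:53:42 UTC")),
    Cert("CERT2", "ROOT", parse_ts("2014/09/22  17:14:57 UTC"), parse_ts("2024/09/23  01:31:53 UTC")),
    Cert("CERT3", "CERT2", parse_ts("2014/10/22  17:05:14 UTC"), parse_ts("2025/10/23  07:33:22 UTC")),
    Cert("USER", "CERT3", parse_ts("2020/01/01  00:00:00 UTC"), parse_ts("2025/01/01  00:00:00 UTC")),
]

if __name__ == "__main__":
    print(chkcert_summary(ARTICLE_CHAIN, "USER"))
```

With the article's dates the walk stops at CERT2, so only USER and CERT3 are counted, matching the "Chain contains 2 certificates" summary; an intermediate whose "Not valid after" is at or beyond CERT3's makes the full chain complete.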

Note: This will not stop the full validation of the certificates during an SSL check – as long as all certificates have the TRUST status and are not expired. A CHKCERT CHAIN performed on a PKCS#12 package does not go through this validation, so the chain will be complete when performing a CHKCERT CHAIN against a DSN.