search cancel

CHKCERT CHAIN command returns "Chain is incomplete" message when using ACF2 r16


Article ID: 16139


Updated On:


ACF2 ACF2 - DB2 Option ACF2 for zVM ACF2 - z/OS ACF2 - MISC PanApt PanAudit


Why do we see message "Chain is Incomplete" when we issue a CHKCERT CHAIN command under ACF2 R16?
We did not see this message on ACF2 r15.

At the end of the CHKCERT output is the following summary

Chain Information:     Chain contains 2 certificates     Chain is INCOMPLETE     Chain contains common ring - XXXXX.RING




Release: ACF2..001AO-16-ACF2


ACF2 R16 apar RO95082 increased the validation of certificate chaining.

Part of the process was to check that each certauth being used to sign certificates in the chain

had validity dates that would encompass the validity of the signed certificate.

for example:

There are 3 certificates in a chain of certauth certificates that sign a user certificate.

The root certauth certificate has validity dates of:

Not valid before:    2006/11/27  20:23:42 UTC
Not valid after:       2026/11/27  20:53:42 UTC

It signs an intermediate certificate with validity dates of:

Not valid before:      2014/09/22  17:14:57 UTC  
Not valid after:         2024/09/23  01:31:53 UTC               

This intermediate certificate signs another certauth  with validity dates of

Not valid before:     2014/10/22  17:05:14 UTC
Not valid after:        2024/10/23  07:33:22 UTC         

As can be seen, the validity of the second certificate does not cover the full
validity period of the third certificate.

CERT2 expires on  September 23 2024
CERT3 expires on October 23 2024

Therefore the  CHKCERT CHAIN command will only show CERT 3 as being a part of the chain.
The other two certificates will not be included in the chain.


Note: This will not stop the full validation of the certificates during an SSL check – as long as all three


Certificates have the TRUST status.