Description: File uploaded to dataset.name.ROOTCA.DER. ACF2 chkcert dsn was able to read the binary certificate.
CHKCERT COMMAND RESULT:
chkcert dsn('dataset.name.ROOTCA.DER')
Data set name:
dataset.name.ROOTCA.DER
Serial number:
01
Issuer's distinguished name:
CN=cn name
OU=ou name
O=o name
C=country name
Subject's distinguished name:
CN=cn name
OU=ou name
O=o name
C=country name
Key Usage:
CERTSIGN
The following commands were issued to add cert to ACF2:
ACF
t prof(user) div(certdata)
PROFILE
INSERT CERTAUTH.xxxxxxx DSN('dataset.name.ROOTCA.DER') LABEL(label name) TRUST
ACF00178 INVALID CERTIFICATE DATA - BUFFER TOO SMALL
PROFILE
CA's error codes doc specifies a reason field that is not in the actual message.
Release : 15.0
Component : CA ACF2 for z/OS
The following process imports the PKCS#7 package and then creates two new PKCS#7 packages that do not have any undefined length sequences. It uses the Windows certutil command to accomplish this. Here is the process that can be used to (eventually) get the certificates inserted into ACF2.
1) Export the PKCS#7 package from z/OS to Windows in binary. If the PKCS#7 package is already on Windows, you can skip this step.
2) Open a Windows DOS command prompt
3) Issue the certutil command below replacing the Windows file name with the name of your PKCS#7 file:
certutil -addstore -user My C:\Users\Downloads\Certificates\TEST.CRT
You should see all 4 certificates in the PKCS#7 package being added to the certificate store. If Windows can't locate the file, check whether an extension was added to the file name. You can "cd" to the directory from the Windows DOS command prompt and then do a "dir" to list the files in the directory.
4) If the "addstore" worked OK then open your Windows Settings. In the "Find a setting" box enter "certificates" then click "Manage user certificates". Double-click the "Personal" folder then the "Certificates" folder.
5) Next run the certificate export wizard for each of the two personal certificates with the common name and in the issuer name.
First double-click on one of the two user certificates. In the "Certificate" window click the "Details" tab, then "Copy to File" to start the export wizard.
When you see the format selection pick PKCS#7 (P7B) and select "Include all certificates in the certification path if possible".
The window after that will require you to enter the file name of the PKCS#7 export file. Pick a different name for each of the two user certificates. Once the first export completes, go back and repeat the process for the second user certificate.
6) Once you have exported both of the personal certificates, use FTP to do a binary transfer of the two PKCS#7 files from Windows to z/OS.
7) In the ACF command, issue a CHKCERT command against each file. Specify the CHAIN operand of CHKCERT to display all the certificates in the PKCS#7 file.
8) If the CHKCERT looks good then issue your INSERT command to insert the PKCS#7 files.
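A pre-check that can be run on a PKCS#7 file before the FTP transfer in step 6, assuming "undefined length sequences" refers to BER indefinite-length encoding (length octet 0x80, closed by the end-of-contents octets 00 00). This is an added example, not part of the original article or of CA ACF2; the function names and the sample bytes are constructed for illustration.

```python
def _walk(buf, pos, end, hits):
    """Walk TLVs from pos. end=None means 'inside an indefinite-length
    value': stop at the end-of-contents octets (00 00). Returns next offset."""
    while end is None or pos < end:
        start = pos
        if pos + 2 > len(buf):
            raise ValueError(f"truncated TLV at offset {start}")
        tag, pos = buf[pos], pos + 1
        if end is None and tag == 0 and buf[pos] == 0:
            return pos + 1                      # consumed end-of-contents
        if tag & 0x1F == 0x1F:                  # high-tag-number form
            while buf[pos] & 0x80:
                pos += 1
            pos += 1
        first, pos = buf[pos], pos + 1
        if first == 0x80:                       # indefinite length
            if not tag & 0x20:
                raise ValueError(f"primitive with indefinite length at {start}")
            hits.append(start)
            pos = _walk(buf, pos, None, hits)
            continue
        length = first                          # short form
        if first & 0x80:                        # long form: next n bytes
            n = first & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        if pos + length > len(buf):
            raise ValueError(f"length at offset {start} overruns the data")
        if tag & 0x20:                          # constructed: check children
            _walk(buf, pos, pos + length, hits)
        pos += length
    return pos

def indefinite_offsets(buf):
    """Return offsets of every TLV that uses indefinite-length encoding."""
    hits = []
    try:
        _walk(bytes(buf), 0, len(buf), hits)
    except IndexError:
        raise ValueError("truncated data") from None
    return hits

# Constructed samples: SEQUENCE { INTEGER 1, <constructed> { INTEGER 2 } }
DEFINITE = bytes.fromhex("3008020101" "3003020102")
INDEFINITE = bytes.fromhex("3080020101" "a080020102" "0000" "0000")
```

Call `indefinite_offsets(open(path, "rb").read())` on the binary file; an empty list means every length in the file is definite. The walker does not look inside primitive OCTET STRING contents.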