ACF0A005 and ACF68064 errors when exporting certificates in ACF2

Article ID: 201362

Products

ACF2, ACF2 - z/OS, ACF2 - MISC

Issue/Introduction

When exporting a certificate in PKCS12DER format in ACF2, the following errors occur:

?  l catest.cert2
CERTDATA / CATEST.CERT2 LAST CHANGED BY USER01 ON 10/09/20-12:52
                     ISSUERDN(CN=WERTNET-SSS-SSS.DC=dfgh)
                     LABEL(catest sha2)
                     SERIAL#(E345432372835D4892358B4539C2) SUBJDN([email protected]=catest.fdoja.flanet.OU=FLA FISA-OP
                     A.O=CITY.L=Location.ST=FL.C=US) TRUST      
Certificate is not connected to any key rings                                 
?  export catest.cert2 dsn(catest.cert2) format(pkcs12der) pass(mypass) 
ACF0A005 RECORD(S) NOT FOUND                                                   
ACF68064 An EXPORT for PKCS12 format requires a certificate with a non-ICSF  private key
?            

Cause

The ACF0A005 and ACF68064 errors occur because the certificate CATEST.CERT2 does not have a private key. This can be determined because the display output from LIST CATEST.CERT2 does not show a KEYSIZE(xxxx) field. FORMAT(pkcs12der) exports a certificate and its private key to a password-protected file. Since certificate CATEST.CERT2 does not have a private key, the export fails with ACF0A005 and ACF68064.

For example, of the two certificates below, USER002.SMPE does not have a private key and USER002.CERT1 does have a private key.

Without Private Key

CERTDATA / USER002.SMPE LAST CHANGED BY USER002 ON 09/22/20-12:00             
                     ISSUERDN(CN=CA Receive Order.OU=CA Receive Order)        
                     LABEL(USER002.SMPE) SERIAL#(59962442) SUBJDN(CN=connectUs
                     erId:user02 siteID:109999 sapID:44442.OU=CA.O=CA Inc.L=I
                     slandia.ST=NewYork.C=USA) TRUST


With Private Key

CERTDATA / USER002.CERT1 LAST CHANGED BY USER002 ON 09/22/20-12:00            
                     CERTNSER(0000000000000005) ISSUERDN(CN=AMSCALocalzOSCA.OU
                     =Auditing Department.O=Company Name.C=US) KEYSIZE(2,048)
                     LABEL(Equifax GeoTrust2) SERIAL#(00) SUBJDN(CN=AMSCALocal
                     zOSCA.OU=Auditing Department.O=Company Name.C=US) TRUST  
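The KEYSIZE check described above can be run over a saved LIST capture before attempting a PKCS12 export. This is an added example, not Broadcom code: the function names are hypothetical, the sample is the two displays from this article, and it assumes the display wraps fields in the middle of a token, as the samples show. It tests only for a missing KEYSIZE; the ICSF-held key case named in ACF68064 is not detected, because the article does not show how such keys are listed.

```python
import re

# Constructed sample: the two LIST displays shown in this article.
SAMPLE_LISTING = """\
CERTDATA / USER002.SMPE LAST CHANGED BY USER002 ON 09/22/20-12:00
                     ISSUERDN(CN=CA Receive Order.OU=CA Receive Order)
                     LABEL(USER002.SMPE) SERIAL#(59962442) SUBJDN(CN=connectUs
                     erId:user02 siteID:109999 sapID:44442.OU=CA.O=CA Inc.L=I
                     slandia.ST=NewYork.C=USA) TRUST
CERTDATA / USER002.CERT1 LAST CHANGED BY USER002 ON 09/22/20-12:00
                     CERTNSER(0000000000000005) ISSUERDN(CN=AMSCALocalzOSCA.OU
                     =Auditing Department.O=Company Name.C=US) KEYSIZE(2,048)
                     LABEL(Equifax GeoTrust2) SERIAL#(00) SUBJDN(CN=AMSCALocal
                     zOSCA.OU=Auditing Department.O=Company Name.C=US) TRUST
"""

HEADER = re.compile(r"^CERTDATA / (\S+) LAST CHANGED BY")
KEYSIZE = re.compile(r"KEYSIZE\(([\d,]+)\)")

def parse_listing(text):
    """Return {record id: joined field text} for each CERTDATA record."""
    records, current = {}, None
    for line in text.splitlines():
        header = HEADER.match(line)
        if header:
            current = header.group(1)
            records[current] = ""
        elif current and line.startswith(" ") and line.strip():
            # The display wraps mid-token, so join continuation lines with no
            # separator. A value that wrapped exactly at a space loses that
            # space, which does not affect the KEYSIZE check.
            records[current] += line.strip()
        else:
            current = None  # prompt, message or blank line ends the record
    return records

def private_key_report(text):
    """Return {record id: key size in bits, or None when KEYSIZE is absent}."""
    report = {}
    for record, fields in parse_listing(text).items():
        found = KEYSIZE.search(fields)
        report[record] = int(found.group(1).replace(",", "")) if found else None
    return report

def pkcs12_blockers(text):
    """Records whose PKCS12 EXPORT would fail for lack of a private key."""
    return [rec for rec, size in private_key_report(text).items() if size is None]
```

For the sample above, `pkcs12_blockers(SAMPLE_LISTING)` returns only `USER002.SMPE`, the record listed without a KEYSIZE.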

Environment

  • Release : 16.0
  • Component : MAINFRAME DOCUMENTATION

Resolution

To address the errors, change the FORMAT of the EXPORT to a format that is not a PKCS12 format (PKCS12DER or PKCS12B64), such as PKCS7DER or PKCS7B64. Or, if certificate CATEST.CERT2 should have a private key, determine how or why the private key was lost.