When exporting a certificate in PKCS12DER format in ACF2, the following errors occur:
? l catest.cert2
CERTDATA / CATEST.CERT2 LAST CHANGED BY USER01 ON 10/09/20-12:52
ISSUERDN(CN=HOSTNAME.DC=ABCD)
LABEL(catest sha2)
SERIAL#(12345678910) SUBJDN(E=testttc@email.com.CN=catest.OU=broadcom
.O=CITY.L=Location.ST=IL.C=US) TRUST
Certificate is not connected to any key rings
? export catest.cert2 dsn(catest.cert2) format(pkcs12der) pass(mypass)
ACF0A005 RECORD(S) NOT FOUND
ACF68064 An EXPORT for PKCS12 format requires a certificate with a non-ICSF private key
?
The ACF0A005 and ACF68064 errors occur because the certificate CATEST.CERT2 does not have a private key. This can be seen in the output of LIST CATEST.CERT2, which does not show a KEYSIZE(xxxx) parameter. FORMAT(pkcs12der) exports a certificate and its private key to a password-protected file, so the export fails when the certificate has no private key to include.
For example, of the two certificates below, USER002.SMPE does not have a private key and USER002.CERT1 does have a private key.
CERTDATA / USER002.SMPE LAST CHANGED BY USER002 ON 09/22/20-12:00
ISSUERDN(CN=CA Receive Order.OU=CA Receive Order)
LABEL(USER002.SMPE) SERIAL#(12345678910) SUBJDN(CN=connectUs
erId:user02 siteID:xxxxxxx sapID:xxxxx.OU=CA.O=CA Inc.L=I
slandia.ST=NewYork.C=USA) TRUST
CERTDATA / USER002.CERT1 LAST CHANGED BY USER002 ON 09/22/20-12:00
CERTNSER(0000000000000005) ISSUERDN(CN=TESTCA.OU
=Auditing Department.O=Company Name.C=US) KEYSIZE(2,048)
LABEL(TEST CA) SERIAL#(00) SUBJDN(CN=TESTCA.OU
=Auditing Department.O=Company Name.C=US) TRUST
To address the errors, change the FORMAT of the EXPORT from a PKCS12 format (PKCS12DER or PKCS12B64) to a non-PKCS12 format, such as PKCS7DER or PKCS7B64. Or, if certificate CATEST.CERT2 should have a private key, determine how or why the private key was lost.
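The KEYSIZE check described above can be run over a captured LIST listing before attempting a PKCS12 export. The following is an added example, not Broadcom or ACF2 code. The function names are hypothetical, and it assumes the listing wraps fields mid-token as shown in this article. It tests only for the KEYSIZE indicator and does not tell ICSF keys from non-ICSF keys.

```python
import re

# Constructed sample: the LIST output shown in the article, wrapped lines included.
SAMPLE = """\
CERTDATA / USER002.SMPE LAST CHANGED BY USER002 ON 09/22/20-12:00
ISSUERDN(CN=CA Receive Order.OU=CA Receive Order)
LABEL(USER002.SMPE) SERIAL#(12345678910) SUBJDN(CN=connectUs
erId:user02 siteID:xxxxxxx sapID:xxxxx.OU=CA.O=CA Inc.L=I
slandia.ST=NewYork.C=USA) TRUST
CERTDATA / USER002.CERT1 LAST CHANGED BY USER002 ON 09/22/20-12:00
CERTNSER(0000000000000005) ISSUERDN(CN=TESTCA.OU
=Auditing Department.O=Company Name.C=US) KEYSIZE(2,048)
LABEL(TEST CA) SERIAL#(00) SUBJDN(CN=TESTCA.OU
=Auditing Department.O=Company Name.C=US) TRUST
"""

HEADER = re.compile(r"^CERTDATA / (\S+) LAST CHANGED BY ")
KEYSIZE = re.compile(r"KEYSIZE\(([\d,]+)\)")
NOT_RECORD = re.compile(r"^(\?|ACF[0-9A-F]{5}\s)")  # prompts and ACF messages


def key_sizes(listing):
    """Map each CERTDATA record key to its KEYSIZE in bits, or None if absent."""
    records, current = {}, None
    for line in map(str.strip, listing.splitlines()):
        header = HEADER.match(line)
        if header:
            current = header.group(1)
            records[current] = ""
        elif NOT_RECORD.match(line):
            current = None
        elif current is not None:
            # Assumption: fields wrap mid-token, so join lines with no separator.
            records[current] += line
    result = {}
    for name, body in records.items():
        found = KEYSIZE.search(body)
        result[name] = int(found.group(1).replace(",", "")) if found else None
    return result


def pkcs12_candidates(listing):
    """Records that show KEYSIZE, the article's indicator of a private key."""
    return [name for name, bits in key_sizes(listing).items() if bits is not None]


if __name__ == "__main__":
    for name, bits in key_sizes(SAMPLE).items():
        print(name, "KEYSIZE", bits if bits else "absent: PKCS12 export will fail")
```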