When TSS EXPORTing, the client certificate in one of the PKC12 formats, 3 certificates are added to the certificate, but there are only two in the certificate chain. 

Release : 16.0

Component : CA Top Secret for z/OS

TSS LISTed the client certificate and chased down the certificate chain.

TSS LISTed the client and it was signed by a root certificate.

TSS LISTed the root certificate and it was signed by another root certificate.

So, this particular certificate chain contains 3 certificates and not just 2.

The certificate package built by the TSS EXPORT with FORMAT(PKC12xxxxxxx) will include the entire certificate chain and was built correctly.

The DIGICERT name and LABLECERT names on the TSS ADD command will be picked up for the client certificate.

The root certificates in the dataset will be added to the security file with AUTOxxxxx generated certificate name.

To avoid AUTOxxxxx generated DIGICERT names, EXPORT the root certificates one at a time and add them to the destination system with the desired DIGICERT name and LABLCERT names.

Client certificate should be added to the security file last. The roots in the certificate package wont be added with the AUTOxxxxx generated names because they are already on the security file.