ACF2 Change Certificate KEYUSAGE


Article ID: 207187



CA ACF2 - z/OS


Is there any ACF2 GENCERT or GENREQ option that we can specify to force a higher algorithm to be used, or is that entirely up to the 3rd party Certificate Authority? The signed certificate that was returned from the CA only had the "Key Usage of HANDSHAKE", but when a CHKCERT was done prior to sending to the CA, the certificate specified KEYUSAGE(HANDSHAKE DATAENCRYPT DOCSIGN) from the original GENCERT command.


Release : 16.0

Component : CA ACF2 for z/OS


Only the CA can change the KEYUSAGE of a certificate. If a certificate is created by GENCERT with a specific KEYUSAGE, a GENREQ is then done for that certificate, and the certificate is sent to a CA, the CA can change the KEYUSAGE on that certificate. If a site signs its own certificates rather than relying on an external CA, the site can change the KEYUSAGE itself using the ACF2 GENCERT and RENEW commands.
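
A check a site can run on the certificate the CA returns, as an added example that is not part of the original article or of any product code: it decodes the certificate's KeyUsage BIT STRING (RFC 5280) and reports which requested KEYUSAGE keywords the CA dropped. The keyword-to-bit mapping, the function names and the sample bytes are assumptions made for illustration; confirm the mapping against the ACF2 documentation for your release.

```python
# Added example: compare the KEYUSAGE requested on GENCERT with the KeyUsage
# extension of the certificate that came back from the CA.

# KeyUsage bit names in RFC 5280 order (bit 0 is the most significant bit).
RFC5280_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment",
                "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
                "encipherOnly", "decipherOnly"]

# Assumption: ACF2 keyword -> X.509 bits; verify for your release.
ACF2_KEYWORDS = {
    "HANDSHAKE": {"digitalSignature", "keyEncipherment"},
    "DATAENCRYPT": {"dataEncipherment"},
    "DOCSIGN": {"nonRepudiation"},
    "CERTSIGN": {"keyCertSign", "cRLSign"},
}

def decode_key_usage(der: bytes) -> set:
    """Decode the DER BIT STRING held inside the KeyUsage extension value."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length, unused, payload = der[1], der[2], der[3:]
    if length >= 0x80 or length != len(der) - 2 or unused > 7:
        raise ValueError("malformed BIT STRING header")
    if not payload and unused:
        raise ValueError("unused bits declared on an empty BIT STRING")
    total_bits = len(payload) * 8 - unused
    return {RFC5280_BITS[i]
            for i in range(min(total_bits, len(RFC5280_BITS)))
            if payload[i // 8] & (0x80 >> (i % 8))}

def to_keywords(bits: set) -> set:
    """A keyword counts as granted only if every bit it needs is set."""
    return {kw for kw, need in ACF2_KEYWORDS.items() if need <= bits}

def dropped_keywords(requested: set, issued_der: bytes) -> set:
    """Keywords requested on GENCERT that the issued certificate lacks."""
    return requested - to_keywords(decode_key_usage(issued_der))

# Constructed sample: what the article's GENCERT asked for, and a KeyUsage
# value carrying only digitalSignature + keyEncipherment (HANDSHAKE).
REQUESTED = {"HANDSHAKE", "DATAENCRYPT", "DOCSIGN"}
ISSUED_DER = bytes.fromhex("030205a0")

if __name__ == "__main__":
    print("dropped by CA:", sorted(dropped_keywords(REQUESTED, ISSUED_DER)))
```

The input is the BIT STRING inside the extension's OCTET STRING wrapper, not the whole certificate.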