ACF2 Change Certificate KEYUSAGE


Article ID: 207187


Products

CA ACF2 - z/OS

Issue/Introduction

Is there any ACF2 GENCERT or GENREQ option that we can specify to force a higher algorithm to be used, or is that entirely up to the 3rd party Certificate Authority (CA)? The signed certificate that was returned from the CA had only a Key Usage of HANDSHAKE, but when a CHKCERT was done prior to sending it to the CA, the certificate specified KEYUSAGE(HANDSHAKE DATAENCRYPT DOCSIGN) from the original GENCERT command.

Environment

Release : 16.0

Component : CA ACF2 for z/OS

Resolution

Only the Certificate Authority (CA) can change the KEYUSAGE of a certificate. If a GENCERT is done for a certificate with a specific KEYUSAGE, followed by a GENREQ of that certificate, and the certificate is sent to a CA, the CA can change the KEYUSAGE on that certificate. If a site signs its own certificates rather than relying on an external CA, the site can change the KEYUSAGE using the ACF2 GENCERT and RENEW commands.
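Because the CA may alter the key usage, it is worth comparing what was requested with what came back before the signed certificate is put into service. The following is an added example, not part of the original article or of ACF2: it decodes the DER BIT STRING of an X.509 keyUsage extension and reports which ACF2 keywords the CA dropped. The keyword-to-bit mapping, the function names and the sample bytes are assumptions made for illustration, and the extension value is assumed to have been extracted from the request and the certificate already.

```python
# X.509 keyUsage named bits (RFC 5280, 4.2.1.3). Bit 0 is the most
# significant bit of the first content octet of the BIT STRING.
KU_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment",
           "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
           "encipherOnly", "decipherOnly"]

# Assumption: bits implied by the three KEYUSAGE keywords named in the article.
ACF2_KEYWORDS = {
    "HANDSHAKE": {"digitalSignature", "keyEncipherment"},
    "DATAENCRYPT": {"dataEncipherment"},
    "DOCSIGN": {"nonRepudiation"},
}


def decode_key_usage(der: bytes) -> set:
    """Return the set of named bits in a DER-encoded keyUsage BIT STRING."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    if der[1] >= 0x80 or der[1] != len(der) - 2:
        raise ValueError("unexpected length encoding")
    unused, content = der[2], der[3:]
    if unused > 7 or (not content and unused):
        raise ValueError("bad unused-bits count")
    total = len(content) * 8 - unused
    return {KU_BITS[i] for i in range(min(total, len(KU_BITS)))
            if content[i // 8] & (0x80 >> (i % 8))}


def keywords(bits: set) -> set:
    """Map named bits back to keywords whose required bits are all present."""
    return {kw for kw, need in ACF2_KEYWORDS.items() if need <= bits}


def dropped_by_ca(requested_der: bytes, issued_der: bytes) -> list:
    """Keywords present in the request but missing from the signed certificate."""
    return sorted(keywords(decode_key_usage(requested_der))
                  - keywords(decode_key_usage(issued_der)))


# Constructed sample values mirroring the case in the article.
REQUESTED = bytes.fromhex("030204f0")  # HANDSHAKE DATAENCRYPT DOCSIGN
ISSUED = bytes.fromhex("030205a0")     # HANDSHAKE only

if __name__ == "__main__":
    print("Dropped by CA:", dropped_by_ca(REQUESTED, ISSUED))
```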