Running CA SMP/E Receive Order getting:

GIM69207S ** RECEIVE PROCESSING HAS FAILED BECAUSE THE CONNECTION WITH THE SERVER FAILED.
             javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.h: PKIX path building failed:
             java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.;
                                                           
GIM20501I    RECEIVE PROCESSING IS COMPLETE. THE HIGHEST RETURN CODE WAS 12.  

The Broadcom CA SMP/E Receive Order server certificate that expired on Friday, February 5, 2021 at 11:30 PM EST.
For SMP/E to authenticate this new renewed Broadcom Order server certificate, a new Digicert Global Root G2 certificate is required.
Existing customers who use SMP/E Receive Order to acquire maintenance will need to download,
install and CONNECT this new Digicert Global Root G2 certificate to their existing SMP/E keyring.
            

If you are using CA SMP/E Receive Order to acquire maintenance, you will need to obtain a new certificate .
  The new certificate can be added to your existing keyring.  
Use the following instructions to obtain the new certificate and update your keyring within your external
security manager (CA ACF2, CA Top Secret, or IBM RACF).

INSTRUCTIONS:

Use the following instructions to download the new Digicert Global Root G2 certificate: 

1. Download the NEW certificate from https://support.broadcom.com/cadocs/0/certs/eapi/digi-root.crt.

2. Upload the new certificate as text data to your z/OS data set allocated as RECFM=VB and LRECL>=84 format.    If you use FTP, use the following commands to avoid truncation:

3. The keyring will now require three certificates which include:

   (NEW) Root Digicert
   (Existing) Intermediate Digicert 
   (Existing) Broadcom user Certificate.  

4. For details on downloading certificates and using CA ACF2, CA Top Secret, or IBM RACF to add the new certificate to the keyring.  

• Obtain the Certificates for CA SMP/E Internet Service Retrieval.
• Configure CA ACF2 Security
• Configure CA Top Secret Security
• Configure IBM RACF Security

If you have any questions about this Critical Alert, please contact Broadcom Support.

Note: The certificates in the keyring are not related to each other.
There are two separate server certificates and one user certificate - they are not in a chain.
Note that the user certificate must be connected to the keyring as usage=certauth.