FTP client gets the following - FC0984 authServer: secure_socket_init failed with rc = 428 (Key entry does not contain a private key).

Keyring and certificates pairing apparently look ok. What could be wrong?

Check the KEYRING record DEFAULT. An address space acting as a client does not need a DEFAULT specified in the KEYRING record. Unless FTP is doing client verification, the client site should not be sending its personal cert (the DEFAULT) to the server. If there is a value set for the DEFAULT it will be sent to the server regardless of whether client validation has been requested.

If that certificate does not have a private key, the FC0984 authServer: secure_socket_init failed with rc = 428 will be generated.

Set the DEFAULT to null, ie, DEFAULT():

CHANGE owneracid (ringname) DEFAULT()

F ACF2,REBUILD(USR),CLASS(P),DIVISION(KEYRING)

F ACF2,OMVS