INSERTing a signed certificate from the Certificate Authority into the ACF2 database for a GENREQed certificate results in the following message:
ACF0A026 RECORD ALREADY EXISTS
Release : 16.0
Component : CA ACF2 for z/OS
The public key in the newly signed certificate is not the public key of the certificate that was GENREQed. Because the record already exists, ACF2 will only accept the signed certificate for the GENREQed record if both the record id and the public key match. The resolution is to GENREQ the certificate again and have the new request signed, or to request a new certificate from the Certificate Authority.
To verify whether or not the public keys match, complete the following steps:
1. Run the SAFCRRPT report for the certificate in the database with the following SYSIN parameters, replacing logonid.suffix with the record id of the certificate in the database:
//SYSIN DD *
RECORDID(logonid.suffix) DETAIL
The SAFCRRPT report will provide a listing of the certificate's public key in HEX:
Record id - USER1.CERT1 Signed by: None - Self-Signed
Label USER1.CERT1
Serial # - 00
Issuer DN - CN=USER1TEST.OU=MyCo.C=US
Subject DN - CN=USER1TEST.OU=MyCo.C=US
Active Date 2021/10/06
Expire Date 2035/12/30
Pvt Key Size 2048 RSA
Algorithm sha256WithRSAEncryption
Trusted Yes
Cert Length 0344
Public Key 0000 30820122 300D0609 2A864886 F70D0101
0010 01050003 82010F00 3082010A 02820101
0020 00D024EC DC644CE4 62A11436 A7B5D3FA
0030 D2FCBB22 AB61C12B 64F32575 664B66E3
0040 187848DC 9E1CEBD7 4F84F9A6 04881014
0050 B51FA6FC 9FD33AD7 E3C038AF F978536D
0060 D309029F C0D0DE85 6AF237A7 B468F314
0070 3C5F9CF9 7376F9AF F3892667 DE13FAB2
0080 DF607AED 4ABDB301 809BBAE3 92872177
0090 F776CD9F D5BD8824 313F551F 6A668AA1
00A0 FD901E0C 0EAEA552 9F7514ED EC3CB9A0
00B0 35DEF582 686F3461 FC843591 22BDC67F
00C0 665F59D9 2699BEB9 6596A02B 792F0A72
00D0 0E7886A0 F7D4ED06 5C157CD2 36953CA9
00E0 2F17A314 DEB1C602 460624CD 3E2F4AEB
00F0 546FB9E0 159950B7 158E8A9D BF4A246E
0100 AE1AC249 D1824902 32A0E198 CF03499A
0110 5C7F2ECE 85F86DE2 B34A7D42 7D4A04A6
0120 75020301 0001
2. If the signed certificate can be INSERTed into a different ACF2 database (a test system, for example), run SAFCRRPT against that database as well; the report then lists the signed certificate's public key in the same layout, which makes the comparison much easier. If that is not possible, issue CHKCERT with the DUMP keyword against the dataset that holds the signed certificate. In most cases, but not always, the public key starts with x'308201' and ends with x'010001', as in the SAFCRRPT listing above: x'3082 01..' is the DER SEQUENCE header of a 2048-bit RSA SubjectPublicKeyInfo (x'30820122'), and x'010001' is the RSA public exponent 65537, so other key sizes, exponents or algorithms produce different values. Look for those HEX characters in the CHKCERT DUMP output to find where the public key begins and ends, then compare the whole key and not only the boundaries, because the modulus that actually differs lies between them:
CHKCERT DSNAME('dsname') DUMP
Certificate:
0000 30820340 30820228 A0030201 02020100 *0..@0..(........*
0010 300D0609 2A864886 F70D0101 0B050030 *0...*.H........0*
0020 30310B30 09060355 04061302 5553310D *01.0...U....US1.*
0030 300B0603 55040B13 044D7943 6F311230 *0...U....MyCo1.0*
0040 10060355 04031309 55534552 31544553 *...U....USER1TES*
0050 54301E17 0D323131 30313130 30303030 *T0...21101100000*
0060 305A170D 32323130 31313233 35393539 *0Z..221011235959*
0070 5A303031 0B300906 03550406 13025553 *Z001.0...U....US*
0080 310D300B 06035504 0B13044D 79436F31 *1.0...U....MyCo1*
0090 12301006 03550403 13095553 45523154 *.0...U....USER1T*
00A0 45535430 82012230 0D06092A 864886F7 *EST0.."0...*.H..*
00B0 0D010101 05000382 010F0030 82010A02 *...........0....*
00C0 82010100 CA6FFDC8 9B9A201E 9280D3E9 *.....o.... .....*
00D0 1FC3DFBC 5C7276E0 AC4FEB18 ED45D52B *....\rv..O...E.+*
00E0 08694668 279742AB 8B9F8836 4492C143 *.iFh'.B....6D..C*
00F0 C3575D0B CFD69E1D A98C5069 299CCA36 *.W........Pi)..6*
0100 D29FB190 B5E5EFA3 024DB0CC 58067795 *.........M..X.w.*
0110 974B7752 5A3C8DE0 4D582859 EB12D54E *.KwRZ<..MX(Y...N*
0120 04B5527D D3553D57 84ECC7C9 86131672 *..R}.U=W.......r*
0130 ED37D3AE 5AB44523 A7C63D71 77936AA0 *.7..Z.E#..=qw.j.*
0140 E6085B52 E0F0F223 E6D382CA 698E7170 *...R...#....i.qp*
0150 9C43E9F7 CC648DAD EC30DBE0 8585DE01 *.C...d...0......*
0160 561C5C21 132453FC 14F046A2 A9AA02A1 *V.\!.$S...F.....*
0170 7D76A07E D49E2FC2 5D326331 4A75906F *}v.~../..2c1Ju.o*
0180 AA239B62 2EF36BB4 F5D53D76 26702929 *.#.b..k...=v&p))*
0190 806142D2 5F0A206D 32C38367 8DF6155B *.aB._. m2..g....*
01A0 FD0D9534 4173F2A3 98605CC0 FE749702 *...4As...`\..t..*
01B0 2C533454 03187E04 B02DE327 6A7DA51E *,S4T..~..-.'j}..*
01C0 E61E7A83 02030100 01A36530 63304206 *..z.......e0c0B.*
01D0 09608648 0186F842 010D0435 16334765 *.`.H...B...5.3Ge*
01E0 6E657261 74656420 62792043 41205341 *nerated by CA SA*
01F0 46204365 72746966 69636174 65204D61 *F Certificate Ma*
0200 6E616765 6D656E74 20466163 696C6974 *nagement Facilit*
0210 79301D06 03551D0E 04160414 FC7803D8 *y0...U.......x..*
0220 B7033423 9EC73313 0D3692C1 81462387 *..4#..3..6...F#.*
0230 300D0609 2A864886 F70D0101 0B050003 *0...*.H.........*
0240 82010100 C1953529 654D37D9 F52D9313 *......5)eM7..-..*
0250 BBFDB3E9 265BFBAA 48A87328 250C4D77 *....&...H.s(%.Mw*
0260 84230AC4 0043E63F 696141E4 FFF700D3 *.#...C.?iaA.....*
0270 27D9E646 09828D9A 2AFD6A3E 96A85F7E *'..F....*.j>.._~*
0280 8DA079A2 55E7C60F 4E1046CA 3ED48405 *..y.U...N.F.>...*
0290 C250BF59 DF552BC4 7818CDB6 C386BD38 *.P.Y.U+.x......8*
02A0 481DA87D 22A5C015 530F4D27 5880CFD2 *H..}"...S.M'X...*
02B0 D664D577 809B8027 009F6C1A 5EC00926 *.d.w...'..l.¬..&*
02C0 145A6C7D 1608E1E8 9F366770 50C556BC *.Zl}.....6gpP.V.*
02D0 195542EE AFC96DA0 D9C4A598 9C435C4E *.UB...m......C\N*
02E0 AB033883 99482E35 B0C0862A CE2C8E8A *..8..H.5...*.,..*
02F0 DC477E02 3665C73F F6349153 80C6E1BE *.G~.6e.?.4.S....*
0300 AAC5AFF9 89B9772D 518CADD3 91FE2D66 *......w-Q.....-f*
0310 D7CD2A3F 476E4B10 D0584DB0 514DDF91 *..*?GnK..XM.QM..*
0320 3681D95D D7897CA6 73FA6C51 D507A90D *6.....|.s.lQ....*
0330 CA50AE8C 7785C13E D64244C1 63E2ECCC *.P..w..>.BD.c...*
0340 07485470 *.HTp............*
After the public key has been located in the CHKCERT DUMP output (here it starts with x'30820122' at offset x'00A3' and ends with x'010001' at offset x'01C8'), compare it with the public key from the SAFCRRPT report. In this example the two keys differ: the modulus that follows the x'02820101 00' INTEGER header is x'D024EC...' in the SAFCRRPT listing but x'CA6FFD...' in the certificate. The certificate in the dataset therefore cannot be INSERTed for the GENREQed certificate.