
ACF2 CHKCERT shows certificate key usage is blank after INSERTing signed certificate


Article ID: 228184


Products

ACF2, ACF2 - MISC, ACF2 - z/OS

Issue/Introduction

When an ACF2 GENCERT command is used to create a new certificate, KEYUSAGE(HANDSHAKE) is specified. After the signed certificate is received back from the CA and INSERTed, a CHKCERT command shows nothing in the KEY USAGE section. Why does it not show HANDSHAKE?

Resolution

Specifying a Key Usage of HANDSHAKE sets the digitalSignature and keyEncipherment bits in the keyUsage extension. The CA can change these settings. If one of those bits is not set on the signed certificate, the certificate is no longer valid for a key usage of HANDSHAKE and the Key Usage field on the CHKCERT is blank. Running the SAFCRRPT report with the EXT parameter will reveal which bits are set. The CA that signed the certificate will need to be notified that the bit is required, and a new signed certificate will need to be issued.

Note: If the certificate is GENCERTed using the DSA, NISTECC, or BPECC keyword, only digitalSignature is set for this usage, because those keys cannot be used for encryption.
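
The bit check described above can be run against a CA's reply before it is INSERTed. The following is an added example, not Broadcom or ACF2 code: it decodes the DER BIT STRING value of a certificate's keyUsage extension (bit numbering per RFC 5280) and reports which bits HANDSHAKE needs that are missing. The function names, the `key_type` labels, and the sample bytes are constructed for illustration.

```python
# RFC 5280 keyUsage bit names, indexed by bit number (bit 0 is the most
# significant bit of the first content byte).
KEY_USAGE_BITS = (
    "digitalSignature", "nonRepudiation", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign",
    "cRLSign", "encipherOnly", "decipherOnly",
)

# Key types the article's note lists as signature-only for HANDSHAKE.
# key_type labels are this example's own (hypothetical), not ACF2 syntax.
SIGN_ONLY_KEYS = {"DSA", "NISTECC", "BPECC"}


def decode_key_usage(ext_value: bytes) -> set:
    """Decode a DER BIT STRING (the keyUsage extnValue) into bit names."""
    if len(ext_value) < 4 or ext_value[0] != 0x03:
        raise ValueError("not a DER BIT STRING with content")
    length = ext_value[1]
    if length & 0x80 or length != len(ext_value) - 2:
        raise ValueError("unexpected length encoding")
    unused, content = ext_value[2], ext_value[3:]
    if unused > 7:
        raise ValueError("invalid unused-bit count")
    total_bits = len(content) * 8 - unused
    names = set()
    for i, name in enumerate(KEY_USAGE_BITS):
        if i < total_bits and content[i // 8] & (0x80 >> (i % 8)):
            names.add(name)
    return names


def missing_for_handshake(ext_value: bytes, key_type: str = "RSA") -> set:
    """Return the keyUsage bits HANDSHAKE needs that the CA left out."""
    required = {"digitalSignature"}
    if key_type.upper() not in SIGN_ONLY_KEYS:
        required.add("keyEncipherment")
    return required - decode_key_usage(ext_value)


if __name__ == "__main__":
    # Constructed samples, not taken from a real certificate.
    samples = {
        "as requested": bytes.fromhex("030205a0"),
        "CA dropped keyEncipherment": bytes.fromhex("03020780"),
    }
    for label, value in samples.items():
        print(label, sorted(decode_key_usage(value)),
              "missing:", sorted(missing_for_handshake(value)))
```

A non-empty result names the bit to raise with the CA when requesting a reissued certificate.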