Connect:Direct CSPA202E error after renewing certificate on ACF2 keyring

Article ID: 240872


Products

ACF2, ACF2 - z/OS, ACF2 - MISC

Issue/Introduction

After inserting a renewed client certificate into ACF2, connecting and rebuilding the keyring in ACF2, and performing an SSL refresh in Connect:Direct, the following error is seen when trying to test the new certificate:

CSPA202E SSL handshake failure, reason=Internal error reported by     
CSPA202E remote partner    

 

Environment

Release : 16.0

Component : ACF2 for z/OS

Resolution

When the renewed certificate, signed by a 3rd party CA, was INSERTed, the LABEL was changed in ACF2 but not on Connect:Direct, so the two no longer matched. After the label was changed back to what it was before the INSERT, using the NEWLABEL parameter, and an SSL refresh was performed on Connect:Direct, the SSL/TLS connection was allowed.

NEWLABEL examples:

SET P(USER) DIV(CERTDATA)
CHA TESTUSR LABEL(AccidentalChange) NEWLABEL(OriginalLabel)  << LABEL parameter must be specified if the record key does not have a suffix
CHA TESTUSR.CERT1 NEWLABEL(OriginalLabel)  << LABEL parameter does not need to be specified for a record key with a suffix 

F ACF2,REBUILD(USR),CLASS(P)
F ACF2,OMVS(CERTDATA)