How can I determine a certificate's CA signing chain of certificates?
The ACF2 CHKCERT command with the CHAIN parameter can be used to display the certificate information for each certificate in the chain from the specified certificate to the highest CA signing certificate in the database.
The CHKCERT subcommand can be issued in any mode of the ACF command. It has the following syntax:
CHKcert {logonid Label(label) |logonid.suffix | DSname(data-set-name)}
[Password(password)]
[Nolist]
[Dump]
[Chain]
The CHAIN parameter instructs the command to display the certificate information for each certificate in the chain, from the specified certificate up to the highest CA signing certificate in the database. The parameter also applies when DSNAME is specified instead of a record id; in that case, each certificate in the chain contained in the input data set is displayed.
Summary information follows the display. The summary gives the number of certificates in the chain, whether the chain is complete or incomplete, and whether the chain contains expired or non-trusted (NOTRUST) certificates. If CHKCERT is run against a certificate in the database, the key rings that are common to all certificates in the chain are also listed.
Chain Information:
- Chain contains 2 certificates
- Chain is COMPLETE
- Chain contains EXPIRED certificates
- Chain contains NOTRUST certificates
- Chain contains common ring – ring.name
If CHKCERT is run using the DSNAME parameter, another message is added to the summary when any certificate contained in the data set is not present in the CA ACF2 database. Following is the message text:
- Chain contains certificates not in the database
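To make the summary messages above usable in an automated check (for example, when reviewing many certificates before a renewal), the following added example parses the "Chain Information" block into a structured result and turns it into a list of findings. This is illustrative code written for this page, not part of CA ACF2 or any CA-supplied tool; the sample summary text is constructed from the message texts shown above, with the leading "- " bullets treated as optional, and the ring name ring.name is a placeholder.

```python
import re

# Constructed sample of a CHKCERT ... CHAIN summary, modelled on the message
# texts listed in this article (not output captured from a real system).
SAMPLE_SUMMARY = """\
Chain Information:
- Chain contains 3 certificates
- Chain is INCOMPLETE
- Chain contains EXPIRED certificates
- Chain contains common ring - ring.name
- Chain contains certificates not in the database
"""

_COUNT_RE = re.compile(r"Chain contains (\d+) certificates?")
# The common-ring line is shown with a dash between "ring" and the ring name;
# accept both an ASCII hyphen and an en dash (as rendered in the article).
_RING_RE = re.compile(r"Chain contains common ring\s*[-\u2013]\s*(\S+)")


def parse_chkcert_summary(text):
    """Parse the 'Chain Information:' summary lines into a dict.

    Keys: count (int or None), complete (True/False/None), expired (bool),
    notrust (bool), common_rings (list of str), not_in_database (bool).
    """
    summary = {
        "count": None,
        "complete": None,
        "expired": False,
        "notrust": False,
        "common_rings": [],
        "not_in_database": False,
    }
    for raw in text.splitlines():
        # Tolerate an optional leading "- " bullet and surrounding blanks.
        line = raw.strip().lstrip("-").strip()
        if not line or line.startswith("Chain Information"):
            continue
        m = _COUNT_RE.fullmatch(line)
        if m:
            summary["count"] = int(m.group(1))
        elif line == "Chain is COMPLETE":
            summary["complete"] = True
        elif line == "Chain is INCOMPLETE":
            summary["complete"] = False
        elif line == "Chain contains EXPIRED certificates":
            summary["expired"] = True
        elif line == "Chain contains NOTRUST certificates":
            summary["notrust"] = True
        elif line == "Chain contains certificates not in the database":
            summary["not_in_database"] = True
        else:
            m = _RING_RE.match(line)
            if m:
                summary["common_rings"].append(m.group(1))
    return summary


def chain_findings(summary):
    """Return the summary conditions that warrant follow-up before the
    certificate is relied upon; an empty list means the chain looked clean."""
    findings = []
    if summary["complete"] is False:
        findings.append("chain is INCOMPLETE")
    if summary["expired"]:
        findings.append("chain contains EXPIRED certificates")
    if summary["notrust"]:
        findings.append("chain contains NOTRUST certificates")
    if summary["not_in_database"]:
        findings.append("data set contains certificates not in the ACF2 database")
    return findings


if __name__ == "__main__":
    parsed = parse_chkcert_summary(SAMPLE_SUMMARY)
    print(parsed)
    for finding in chain_findings(parsed):
        print("FINDING:", finding)
```

Feed the function the text that follows "Chain Information:" in the CHKCERT output (for example, saved from a batch TSO step); an empty findings list means the chain was reported complete with no expired or NOTRUST members and, for the DSNAME form, no certificates missing from the database.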