When adding an Entrust Digital Certificate to the CA Top Secret Security File via:
TSS ADD(certauth) DIGICERT(CERTA) DCDSN(mvs.dataset) PKCSPASS(password) TRUST
command, the following error message is received:
TSS0942I INVALID CERTIFICATE DATA - PROCESSING TSS0301I ADD FUNCTION FAILED, RETURN CODE = 4
Certificates signed by the Entrust-L1B CA certificate have distinguished names that exceed the current length supported by the three major mainframe security products, to date.
The CA Top Secret product, at the proper maintenance level, currently supports up to 4096-bit RSA keys. The CA Top Secret product also supports the 2048-bit RSA keys necessary to meet the NIST requirement.
The problem is any certificate signed by the Entrust-L1B CA certificate has a serial number - issuers distinguished name combination exceeding the length supported by the three mainframe security solutions.
Customers that have obtained certificates signed by the L1B CA certificate should contact Entrust and obtain a chain certificate that complies with the current constraints set by the external security managers on z/OS (currently 246 for the serialnumber.IDN combination and 255 for the SDN). Certificates that are signed by the Entrust-L1B CA certificate cannot currently be stored in any Mainframe security product.