GoDaddy CA certificate chain insertion problem
Article ID: 76453

Products

ACF2, ACF2 - DB2 Option, ACF2 for zVM, ACF2 - z/OS, ACF2 - MISC

Issue/Introduction

I need to get some GoDaddy certificates from their website for the CA Receive Order Processing, but they don't get inserted from an insert command.
Only the initial certificate is inserted.

Environment

The certificates referred to can be found at the GoDaddy site at
https://certs.godaddy.com/repository

GoDaddy Certificate Bundles – G2 With Cross to G1, includes Root (gd_bundle-g2-g1.crt)

Resolution

The easiest way to proceed is to separate out the three certificates that are in the file.
Create three datasets with RECFM=VB LRECL=84 BLKSIZE=27998 (dataset.one, dataset.two and dataset.three) and copy each certificate into its own dataset.
The first and second are intermediate certificates; the third is a root certificate.
Each certificate in the file is delimited by
-----BEGIN CERTIFICATE-----
and
-----END CERTIFICATE-----
You can then insert each certificate into the database with the following commands.
ACF
SET PROFILE(USER) DIV(CERTDATA)
INSERT CERTAUTH.GDINT1 DSN('dataset.one')
INSERT CERTAUTH.GDINT2 DSN('dataset.two')
INSERT CERTAUTH.GDROOT DSN('dataset.three')
END
Once inserted into the database, you can then connect them to a keyring.
ACF
SET PROFILE(USER) DIV(KEYRING)
INSERT userid.keyring RINGNAME(rcvorder.keyring)
CONNECT certdata(certauth.gdint1) usage(certauth) keyring(rcvorder.keyring)
CONNECT certdata(certauth.gdint2) usage(certauth) keyring(rcvorder.keyring)
CONNECT certdata(certauth.gdroot) usage(certauth) keyring(rcvorder.keyring)
F ACF2,REBUILD(USR),CLASS(P)
F ACF2,OMVS
END

Why are these certificates not inserted with one insert command?
The chain is not really complete because of the active dates on each certificate.
There are three certificates; looking at each certificate shows the cause.

certificate #1
Subject's dn CN=Go Daddy Secure Certificate Authority - G2
Issuer's dn CN=Go Daddy Root Certificate Authority - G2
VALID FROM 2011/05/03
VALID UNTIL 2031/05/03

certificate #2
Subject's dn CN=Go Daddy Root Certificate Authority - G2
Issuer's dn OU=Go Daddy Class 2 Certification Authority
VALID FROM 2014/01/01
VALID UNTIL 2031/05/30

certificate #3
Subject's dn OU=Go Daddy Class 2 Certification Authority
Issuer's dn OU=Go Daddy Class 2 Certification Authority
VALID FROM 2004/06/29
VALID UNTIL 2034/06/29

Certificates #2 and #3 are chained: #2 was signed by #3, and #3 is self-signed.
Certificate #1 was signed by #2, but ACF2 will not include any certificate on an INSERT or CHKCERT if its dates do not fall within the validity range of the certificate that signed it, and that is the case here.
Cert #1 is valid from 2011, but cert #2 is not valid until 2014, so the complete chain is not included.
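As an added illustration (not part of this article and not ACF2 code), the Python below splits a PEM bundle into its BEGIN/END blocks, which is the manual step described in the Resolution, and applies the date rule above to the three certificates' metadata. The PEM bodies are constructed placeholders, the subject, issuer and dates are the ones listed above, and the check that an issuer's validity window must fully enclose its subject's is an assumption generalizing the article's statement.

```python
from datetime import date

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

def split_pem_bundle(text):
    """Return every BEGIN/END block in a PEM bundle as its own string, ready
    to be copied into a separate dataset (dataset.one, .two, .three)."""
    blocks, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if line == BEGIN:
            current = [line]
        elif line == END and current is not None:
            current.append(line)
            blocks.append("\n".join(current) + "\n")
            current = None
        elif current is not None and line:
            current.append(line)
    return blocks

def chain_date_gaps(certs):
    """Report each cert whose validity window is not enclosed by its issuer's
    (assumed rule). A chain with such a gap is not chained on INSERT/CHKCERT,
    so only the leading certificate is inserted."""
    by_subject = {c["subject"]: c for c in certs}
    gaps = []
    for c in certs:
        issuer = by_subject.get(c["issuer"])
        if issuer is None or issuer is c:   # unknown issuer, or self-signed root
            continue
        if c["not_before"] < issuer["not_before"] or c["not_after"] > issuer["not_after"]:
            gaps.append(f"{c['subject']}: {c['not_before']}..{c['not_after']} not inside "
                        f"issuer window {issuer['not_before']}..{issuer['not_after']}")
    return gaps

# Subject/issuer/dates as listed in the article; PEM bodies are constructed placeholders.
GODADDY_CHAIN = [
    {"subject": "CN=Go Daddy Secure Certificate Authority - G2",
     "issuer": "CN=Go Daddy Root Certificate Authority - G2",
     "not_before": date(2011, 5, 3), "not_after": date(2031, 5, 3)},
    {"subject": "CN=Go Daddy Root Certificate Authority - G2",
     "issuer": "OU=Go Daddy Class 2 Certification Authority",
     "not_before": date(2014, 1, 1), "not_after": date(2031, 5, 30)},
    {"subject": "OU=Go Daddy Class 2 Certification Authority",
     "issuer": "OU=Go Daddy Class 2 Certification Authority",
     "not_before": date(2004, 6, 29), "not_after": date(2034, 6, 29)},
]
SAMPLE_BUNDLE = "".join(f"{BEGIN}\nPLACEHOLDER-BODY-{i}\n{END}\n" for i in (1, 2, 3))
```

Running chain_date_gaps(GODADDY_CHAIN) flags only certificate #1, whose 2011 start date precedes the 2014 start of its issuer; certificates #2 and #3 chain cleanly.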