Products: ACF2, ACF2 - DB2 Option, ACF2 for z/VM, ACF2 - z/OS, ACF2 - MISC
Issue/Introduction
I need to get some GoDaddy certificates from their web site for CA Receive Order Processing, but they don't get inserted from an INSERT command. Only the initial certificate is inserted.
Environment
The certificates referred to can be found on the GoDaddy site at https://certs.godaddy.com/repository
GoDaddy Certificate Bundles – G2 With Cross to G1, includes Root (gd_bundle-g2-g1.crt)
Resolution
The easiest way to proceed is to separate out the three certificates that are in the file. Create three datasets with RECFM=VB, LRECL=84 and BLKSIZE=27998 (dataset.one, dataset.two and dataset.three) and copy one certificate into each. The first and second act as intermediate certificates (the second is the G2 root cross-signed by the Class 2 root, which is why it sits in the middle of this chain); the third is the self-signed root certificate. Each certificate in the file is delimited by

  -----BEGIN CERTIFICATE-----
  ...
  -----END CERTIFICATE-----

and both marker lines must be copied with it. Insert each certificate into the ACF2 database with the following commands:

  ACF
  SET PROFILE(USER) DIV(CERTDATA)
  INSERT CERTAUTH.GDINT1 DSN('dataset.one')
  INSERT CERTAUTH.GDINT2 DSN('dataset.two')
  INSERT CERTAUTH.GDROOT DSN('dataset.three')
  END

Once they are in the database, connect them to a keyring:

  ACF
  SET PROFILE(USER) DIV(KEYRING)
  INSERT userid.keyring RINGNAME(rcvorder.keyring)
  CONNECT CERTDATA(CERTAUTH.GDINT1) USAGE(CERTAUTH) KEYRING(rcvorder.keyring)
  CONNECT CERTDATA(CERTAUTH.GDINT2) USAGE(CERTAUTH) KEYRING(rcvorder.keyring)
  CONNECT CERTDATA(CERTAUTH.GDROOT) USAGE(CERTAUTH) KEYRING(rcvorder.keyring)
  END

Then rebuild the profile directory and refresh OMVS so the new records take effect. These are operator (MODIFY) commands, entered from the console rather than at the ACF command prompt:

  F ACF2,REBUILD(USR),CLASS(P)
  F ACF2,OMVS
Why are these certificates not inserted with one INSERT command? The chain is not really complete, because of the validity dates on each certificate. There are three certificates in the file; looking at each one shows the cause:

  certificate #1
    Issuer's dn   CN=Go Daddy Root Certificate Authority - G2
    VALID FROM    2011

  certificate #2
    Subject's dn  CN=Go Daddy Root Certificate Authority - G2
    Issuer's dn   OU=Go Daddy Class 2 Certification Authority
    VALID FROM    2014/01/01
    VALID UNTIL   2031/05/30

  certificate #3
    Subject's dn  OU=Go Daddy Class 2 Certification Authority
    Issuer's dn   OU=Go Daddy Class 2 Certification Authority
    VALID FROM    2004/06/29
    VALID UNTIL   2034/06/29

Certificates #2 and #3 are chained: #2 was signed by #3, and #3 is self-signed. Certificate #1 was signed by #2, but ACF2 will not include a certificate in the chain on an INSERT or CHKCERT if its dates do not fall within a valid range relative to its issuer, and that is the case here: certificate #1 is valid from 2011, but certificate #2 is not valid until 2014. Because the chain breaks at that link, a single INSERT of the bundle stores only the first certificate and not the complete chain. Inserting the three certificates separately avoids the check, since each INSERT then stores one certificate and the CONNECT commands assemble the chain in the keyring. The quickest way to spot this kind of problem before inserting is to compare each certificate's VALID FROM date with its issuer's: any certificate that starts earlier than the certificate that signed it will stop the chain.
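As an added example (not part of the original article, and not CA/Broadcom ACF2 code), the following Python script does the two checks the resolution relies on, off the mainframe: it splits a PEM bundle into one file per certificate, mirroring the three datasets above, and walks each certificate to its issuer by subject name to flag any whose validity window starts before (or ends after) the issuer's, which is the chain-date condition described above. The bundle text is a constructed stand-in whose certificate bodies are placeholders, and the subject, issuer and date values are typed in from this article; certificate #1's subject and its full dates are not given in the article and are assumed here. In practice take the values from your certificate viewer or from `openssl x509 -noout -subject -issuer -dates` on each split file.

```python
"""Split a PEM certificate bundle into one file per certificate and check
that each certificate's validity window lies inside its issuer's.

Added example for this article, not ACF2 code. SAMPLE_BUNDLE is a
constructed stand-in for gd_bundle-g2-g1.crt with placeholder bodies,
and CERTS is typed in from the article (cert #1's subject and full dates
are assumptions, since the article gives only "valid from 2011").
"""
import re
import tempfile
from datetime import date
from pathlib import Path

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

# Constructed bundle: three PEM blocks whose bodies are placeholders.
SAMPLE_BUNDLE = f"""{BEGIN}
MIIC...placeholder-for-certificate-1...
{END}
{BEGIN}
MIIC...placeholder-for-certificate-2...
{END}
{BEGIN}
MIIC...placeholder-for-certificate-3...
{END}
"""

# (label, subject, issuer, valid_from, valid_until)
CERTS = [
    ("cert1", "CN=Go Daddy Secure Certificate Authority - G2",   # assumed
              "CN=Go Daddy Root Certificate Authority - G2",
              date(2011, 5, 3), date(2031, 5, 3)),               # assumed full dates
    ("cert2", "CN=Go Daddy Root Certificate Authority - G2",
              "OU=Go Daddy Class 2 Certification Authority",
              date(2014, 1, 1), date(2031, 5, 30)),
    ("cert3", "OU=Go Daddy Class 2 Certification Authority",
              "OU=Go Daddy Class 2 Certification Authority",
              date(2004, 6, 29), date(2034, 6, 29)),
]


def split_pem_bundle(text: str) -> list[str]:
    """Return every BEGIN/END CERTIFICATE block in file order, markers included."""
    pattern = re.compile(re.escape(BEGIN) + r".*?" + re.escape(END), re.S)
    return [m.group(0) + "\n" for m in pattern.finditer(text)]


def write_split(text: str, out_dir: Path, names=("one", "two", "three")) -> list[Path]:
    """Write one block per file as dataset.<name>, the layout INSERT ... DSN() expects."""
    blocks = split_pem_bundle(text)
    if len(blocks) > len(names):
        raise ValueError(f"bundle has {len(blocks)} certificates but only {len(names)} names")
    out_dir.mkdir(parents=True, exist_ok=True)
    paths = []
    for name, block in zip(names, blocks):
        path = out_dir / f"dataset.{name}"
        path.write_text(block)
        paths.append(path)
    return paths


def find_chain_gaps(certs) -> list[str]:
    """Follow each certificate to its issuer (matched on subject name) and
    report every link whose validity window is not inside the issuer's.
    A self-signed certificate is the end of the chain and is skipped."""
    by_subject = {c[1]: c for c in certs}
    problems = []
    for label, subject, issuer, not_before, not_after in certs:
        if issuer == subject:
            continue
        parent = by_subject.get(issuer)
        if parent is None:
            problems.append(f"{label}: issuer '{issuer}' not in bundle")
            continue
        p_label, _, _, p_before, p_after = parent
        if not_before < p_before:
            problems.append(f"{label}: valid from {not_before} but issuer "
                            f"{p_label} not valid until {p_before}")
        if not_after > p_after:
            problems.append(f"{label}: valid until {not_after} but issuer "
                            f"{p_label} expires {p_after}")
    return problems


if __name__ == "__main__":
    out = Path(tempfile.mkdtemp())
    for p in write_split(SAMPLE_BUNDLE, out):
        print("wrote", p)
    for problem in find_chain_gaps(CERTS) or ["chain dates are consistent"]:
        print(problem)
```

With the article's dates the only finding is on the cert1 to cert2 link, which is exactly the link ACF2 refuses to follow; once that is known, the per-certificate INSERT and CONNECT sequence above is the workaround.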