Why does a CHKCERT fail with message "ACF68076 Unsupported KEY algorithm. Cannot CHKCERT the certificate"?

Article ID: 14470

Updated On:

Products

CA ACF2, CA ACF2 - DB2 Option, CA ACF2 - z/OS, CA ACF2 - MISC

Issue/Introduction

Why does a CHKCERT fail with message "ACF68076 Unsupported KEY algorithm. Cannot CHKCERT the certificate"?

Environment

Release:
Component: ACF2MS

Resolution

The first thing to check is whether the ACF2 PTF is applied. If the PTF is applied, verify the following.

The "ACF68076 Unsupported KEY algorithm. Cannot CHKCERT the certificate" error indicates that the certificate file on z/OS is not in the correct format for a certificate. This is most likely caused by FTPing the certificate to z/OS in the wrong format. Depending on how the certificate package was created, it could be in binary format or ASCII format. You may want to try re-FTPing the certificate in the other format (ASCII/BINARY) and then retry the CHKCERT command.

ACF2 supports the INSERT of certificates in the following formats:

- certificate encoded using the X.509 Distinguished Encoding Rules (DER)
- certificate encoded using the standard X.509 base-64 encoding
- DER-encoded PKCS #12 certificate package
- DER-encoded then base-64 encoded PKCS #12 certificate package
- DER-encoded PKCS #7 certificate package
- base-64 encoded PKCS #7 certificate package

To correct the error:

  1. Verify that CERTDER, PKCS7DER, and PKCS12DER format certificates are FTP'd to z/OS in BINary format, RECFM VB.
  2. Verify that CERTB64, PKCS7B64, and PKCS12B64 format certificates are FTP'd to z/OS in ASCII format, RECFM VB. Check for truncation of the base-64 encoded certificate by browsing the certificate from ISPF. If there is only a single line between "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----", the certificate was truncated when FTP'd to z/OS.

           To avoid FTP truncation, use the following FTP commands:

            ASCII
            QUOTE SITE WRAP LRECL=84 BLKSIZE=27998 RECFM=VB
            PUT cert_file_name 'z/OS dataset name' (REPLACE
            quit
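
A workstation-side pre-check for the format and truncation problems described above, as an added example that is not part of the original article or the vendor's code. It picks the transfer mode from steps 1 and 2 and goes slightly beyond the text by comparing the length declared in the outer DER header with the bytes actually present; the function names and the sample bytes are constructed for illustration.

```python
import base64
import re

# Matches one base-64 block such as -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----
PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

# Constructed sample: a DER SEQUENCE header declaring 256 content bytes (not a real certificate)
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(256)

def der_declared_length(data):
    """Total size (header + content) declared by the outer DER SEQUENCE, or None."""
    if len(data) < 2 or data[0] != 0x30:
        return None
    if data[1] < 0x80:                      # short form: length in one byte
        return 2 + data[1]
    n = data[1] & 0x7F                      # long form: next n bytes hold the length
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None
    return 2 + n + int.from_bytes(data[2:2 + n], "big")

def check_cert_file(data):
    """Return (FTP transfer mode, list of problems) for raw certificate file bytes."""
    problems = []
    match = PEM_RE.search(data)
    if match:                               # base-64 formats go up in ASCII mode
        mode = "ASCII"
        lines = [ln.strip() for ln in match.group(2).splitlines() if ln.strip()]
        if len(lines) <= 1:
            problems.append("only one line between BEGIN and END markers")
        if any(len(ln) > 80 for ln in lines):
            problems.append("line over 80 bytes exceeds an LRECL=84 VB record")
        try:
            der = base64.b64decode(b"".join(lines), validate=True)
        except ValueError:
            der = b""
            problems.append("base-64 body does not decode")
    else:                                   # DER formats go up in BINARY mode
        mode, der = "BINARY", data
    declared = der_declared_length(der)
    if declared is None:
        problems.append("no DER SEQUENCE header: wrong format or translated bytes")
    elif declared != len(der):
        problems.append(f"DER header declares {declared} bytes, found {len(der)}")
    return mode, problems

if __name__ == "__main__":
    print(check_cert_file(SAMPLE_DER))          # intact DER
    print(check_cert_file(SAMPLE_DER[:100]))    # cut short in transit
```

Run it against the workstation copy before the PUT; an empty problem list means the file is structurally intact and only the transfer mode remains to get right.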