Obtain a DigiCert Global Root G2 Certificate for CA CSM
search cancel

Obtain a DigiCert Global Root G2 Certificate for CA CSM

book

Article ID: 203759

calendar_today

Updated On:

Products

CHORUS SOFTWARE MANAGER

Issue/Introduction

As a systems programmer, ensure that you have a DigiCert Global Root G2 certificate in your Java TrustStore before the 19th of January, 2021. You need to have a DigiCert Global Root G2 certificate to be able to acquire PTFs and process your maintenance, using CA Chorus Software Manager. GoDaddy certificates expire on the above-said date.

Resolution

Add a DigiCert Global Root G2 certificate to Java TrustStore

Use the instructions in this article to add a DigiCert certificate to Java TrustStore that is used by CA CSM.
Latest versions of Java 8 could already contain the needed certificate. See: JAVA Version Change Impact to MSM

Note: You can add a DigiCert certificate any time before the due date.

Verify your current SSL Certificate

Use Java keytool command to verify whether you have an up-to-date certificate in your Java TrustStore. If you do, no further actions are required. If not, follow the instruction below.

How to verify:
Note: Replace <Java location>/lib/security/cacerts with your current Java TrustStore location.
Run the following Unix command: keytool -list -keystore <Java location>/lib/security/cacerts | grep DF:3C:24:F9:BF:D6:66:76:1B:26:80:73:FE:06:D1:CC:8D:4F:82:A4
Default password for the TrustStore is "changeit"
Empty output means that the certificate is not in TrustStore and it has to be downloaded and added to Java TrustStore.
If the certificate is present in TrustStore, you should see similar output and no further action is needed:
Certificate fingerprint (SHA1): DF:3C:24:F9:BF:D6:66:76:1B:26:80:73:FE:06:D1:CC:8D:4F:82:A4

Download a DigiCert Global Root G2 Certificate

CA Chorus Software Manager uses a DigiCert Certificate Authority (CA) certificate to acquire PTFs and process your maintenance. Download the DigiCert Global Root G2 certificate.

Follow these steps: 
1. Download the DigiCert Global Root G2 certificate.
2. Note the location of the file on your workstation where the certificate was downloaded.

Upload the Certificates to z/OS and add it to Java TrustStore

Related article: How to configure CSM to add new certificates as trusted without modifying the cacerts file that comes with each Java SDK?

Follow these steps:
1. Upload the certificate as to your z/OS USS file system (You can use FTP in binary mode).

2. Add the certificate to your Java TrustStore.
Note: Replace <Java location>/lib/security/cacerts with your current Java TrustStore location.
Run following command: keytool -import -alias digicertglobalrootg2 -keystore <Java location>/lib/security/cacerts -storepass changeit -file <uploaded certificate location>
When asked if to trust to this certificate, choose yes.

3. Go to "Verify your current SSL Certificate" section in this article and verify that the certificate is present.

4. Restart CA CSM.