New Digicert Intermediate CA certificate for Broadcom RECEIVE ORDER and FTPS

Products

Common Services Common Components and Services for z/OS

Issue/Introduction

Use the following instructions to renew the Digicert Intermediate CA certificate (Broadcom Download Server certificate). The Digicert Intermediate CA certificate must be renewed by Friday, March 27, 2026.

These instructions apply to customers using:

SMP/E Internet Service Retrieval (RECEIVE ORDER)
FTP with SSL to transfer files (also called FTPS)

Resolution

To ensure uninterrupted service before the existing certificate expires, complete the following steps to download and connect the new Digicert Intermediate CA certificate (Broadcom Download Server certificate) for SMP/E Internet Service Retrieval and FTP with SSL to transfer files:

Download the new Digicert Intermediate CA certificate.
Upload the new Digicert Intermediate CA certificate to z/OS.
Add the new Digicert Intermediate CA certificate.
Remove the old Digicert Intermediate CA certificate (after Friday, March 27, 2026).

Download the new Digicert Intermediate CA Certificate

Select the following link to download the new Broadcom Download Server certificate (CN=DigiCert Global G2 TLS RSA SHA256 2020 CA1) serial number 0cf5bd062b5602f47ab8502c23ccf066:

https://ftpdocs.broadcom.com/cadocs/0/certs/digi-inter-new/DigiCert-G2-Inter.crt

This certificate will replace the old Digicert Intermediate CA certificate on Friday, March 27, 2026.

Note: For RECEIVE ORDER, you can continue to use your existing User and Root certificates. You are not required to download new User and Root certificates.

Note the location of the file on your workstation.

Upload the new Digicert Intermediate CA Certificate to z/OS

Upload the server certificate that you saved to your workstation to z/OS.

Upload the new Digicert Intermediate CA certificate as text data to your z/OS system in RECFM=VB and LRECL>=84 format. For example, LRECL=84, LRECL=256, and LRECL=512 are acceptable.

Note: When uploading the certificate, specify the WRAP parameter so that the data is wrapped to the next record when no new line character is encountered before the logical record length of the receiving file is reached.

If you use FTP, use the following FTP commands to avoid truncation:

ASCII
QUOTE SITE WRAP LRECL=84 RECFM=VB
PUT cert_file_name 'your.zos.dataset.name' (REPLACE

The new Digicert Intermediate CA certificate is transferred to z/OS.

Add the new Digicert Intermediate CA Certificate to the Keyring

Configure your External Security Manager (ESM) ACF2, Top Secret, or IBM RACF to add the new Digicert Intermediate CA certificate to the keyring for SMP/E Receive Order and FTP with SSL to transfer files.

Configure ACF2 Security

Add the new Digicert Intermediate CA certificate:
```
SET PROFILE(USER) DIV(CERTDATA)
INSERT CERTAUTH.yourcertname DSN('your.zos.dataset.name') -
LABEL(yourlabeldescription)   
```
Note: After entering this command, if you receive a message indicating that this certificate was already added, continue to the next step.
Connect the new Digicert Intermediate CA certificate to your keyring:

SET PROFILE(USER) DIV(KEYRING)
PROFILE
CONNECT CERTDATA(CERTAUTH.yournewDigicertIntermediateCAcertname) KEYRING(user1.ring) -
USAGE(CERTAUTH)

Configure Top Secret Security

Add the new Digicert Intermediate CA certificate:
```
TSS ADD(CERTAUTH) DIGICERT(yournewDigicertIntermediateCAcertname) LABLCERT(yourlabelname) - 
DCDSN('your.zos.dataset.name') TRUST
```
Note: After entering this command, if you receive a message indicating that this certificate was already added, continue to the next step.

Connect the new Digicert Intermediate CA certificate to your keyring:

TSS ADD(user1) KEYRING(yourRingName) RINGDATA(CERTAUTH,yournewDigicertIntermediateCAcertname) -
USAGE(CERTAUTH)

Configure IBM RACF Security

Add the new Digicert Intermediate CA certificate:
```
RACDCERT CERTAUTH ADD('your.zos.dataset.name') +
WITHLABEL('your new Digicert Intermediate CA label') TRUST  
```
Note: After entering this command, if you receive a message indicating that this certificate was already added, continue to the next step.
Connect the new Digicert Intermediate CA certificate to your keyring:

RACDCERT ID(ring-owner) CONNECT( CERTAUTH LABEL('your new Digicert Intermediate CA certificate label') +
RING(keyringname) USAGE(CERTAUTH) )

When these steps are completed, you have renewed the Broadcom Download Server (Digicert Intermediate CA ) certificate. You can remove the old Digicert Intermediate CA certificate after Friday, March 27, 2026.

Remove the Old Digicert Intermediate CA Certificate

When the old Digicert Immediate CA certificate expires, you can remove it from your ACF2, Top Secret, or IBM RACF database. Do not complete this step until after Friday, March 27, 2026.

For ACF2, specify:

ACF
SET PROFILE(USER) DIV(CERTDATA)
REMOVE CERTDATA(userid1.suffix) KEYRING(userid2.suffix) RINGNAME(ringname)

For Top Secret, specify:

TSS REMOVE(owningacid) KEYRING(keyring) RINGDATA(CERTAUTH,digicert)

For IBM RACF, specify:

RACDCERT REMOVE(CERTAUTH LABEL('label-name') RING(ringname))