Adding Certificates signed by the Entrust-L1B CA certificate result in:
TSS0942I INVALID CERTIFICATE DATA - PROCESSING.
TSS0301I ADD FUNCTION FAILED, RETURN CODE = 4
The ROOT certificate can be added without a problem.
Certificates signed by the Entrust-L1B CA certificate have distinguished names that exceed the current length supported by the three major mainframe security products, to date.
The CA Top Secret product, at the proper maintenance level, currently supports up to 4096-bit RSA keys.
The CA Top Secret product also supports the 2048-bit RSA keys necessary to meet the NIST requirement.
The problem is any certificate signed by the Entrust-L1B CA certificate has a serial number - issuers distinguished name combination exceeding the length supported by the three mainframe security solutions.
Customers that have obtained certificates signed by the L1B CA certificate should contact Entrust and obtain a chain certificate that complies with the current constraints set by the external security managers on z/OS (currently 246 for the serial number-IDN combination and 255 for the SDN). Certificates that are signed by the Entrust-L1B CA certificate cannot currently be stored in any Mainframe security product.
Top Secret is currently looking into increasing the supported length of the serial number-IDN combination.