The "ACF68076 Unsupported KEY algorithm. Cannot CHKCERT the certificate" error indicates that the certificate file on z/OS is not in the correct format for a certificate. This is most likely caused by FTPing the certificate to z/OS in the wrong format. Depending on how the certificate package was created, it could be in binary format or ASCII format. You may want to try re-FTPing the certificate in the other format (ASCII/BINARY) and then retry the CHKCERT command.
ACF2 supports the INSERT of certificates in the following formats:
- Certificate encoded using the X.509 Distinguished Encoding Rules (DER)
- Certificate encoded using the standard X.509 base-64 encoding
- DER-encoded PKCS #12 certificate package
- DER-encoded then base-64 encoded PKCS #12 certificate package
- DER-encoded PKCS #7 certificate package
- Base-64 encoded PKCS #7 certificate package
To correct the error:
- Verify that CERTDER, PKCS7DER, and PKCS12DER format certificates are FTP'd to z/OS in BINARY format, RECFM VB.
- Verify that CERTB64, PKCS7B64, and PKCS12B64 format certificates are FTP'd to z/OS in ASCII format, RECFM VB. Check for truncation of the base-64 encoded certificate by browsing the certificate from ISPF. If there is only a single line between "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----", the certificate was truncated when FTP'd to z/OS.
To avoid FTP truncation, use the following FTP commands:
QUOTE SITE WRAP LRECL=84 BLKSIZE=27998 RECFM=VB
PUT cert_file_name 'z/OS dataset name' (REPLACE
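As an added example (not part of the original article or of ACF2), this Python check inspects a workstation copy of a certificate file before upload: it picks BINARY or ASCII transfer mode from the encoding and flags the single-line and truncation symptoms described above. The function names and the constructed sample bytes are assumptions for illustration.

```python
import base64
import re

VB_DATA_MAX = 84 - 4  # LRECL=84 (from the page) minus the 4-byte RDW of a VB record

def der_total_length(data):
    """Total size (header + content) claimed by an outer DER SEQUENCE, else None."""
    if len(data) < 2 or data[0] != 0x30:
        return None
    first = data[1]
    if first < 0x80:                       # short-form length
        return 2 + first
    n = first & 0x7F                       # long form: next n bytes hold the length
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None
    return 2 + n + int.from_bytes(data[2:2 + n], "big")

def precheck(data):
    """Return (ftp_mode, problems) for a certificate file about to be FTP'd to z/OS."""
    problems = []
    claimed = der_total_length(data)
    if claimed is not None:                # DER family: CERTDER, PKCS7DER, PKCS12DER
        if claimed != len(data):
            problems.append(f"DER header claims {claimed} bytes, file has {len(data)}")
        return "BINARY", problems
    text = data.decode("ascii", errors="replace")
    m = re.search(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", text, re.S)
    if not m:
        return None, ["neither a DER SEQUENCE nor a base-64 BEGIN/END block"]
    body = [ln.strip() for ln in m.group(2).splitlines() if ln.strip()]
    if len(body) <= 1:                     # the symptom the article says to look for in ISPF
        problems.append("only a single line between the BEGIN and END markers")
    if any(len(ln) > VB_DATA_MAX for ln in body):
        problems.append(f"line longer than {VB_DATA_MAX} bytes: relies on SITE WRAP")
    try:
        inner = base64.b64decode("".join(body), validate=True)
    except ValueError:
        problems.append("body is not valid base-64")
    else:
        if der_total_length(inner) != len(inner):
            problems.append("decoded body is not a complete DER structure")
    return "ASCII", problems

if __name__ == "__main__":
    der = b"\x30\x82\x01\x00" + bytes(256)   # constructed stand-in, not a real certificate
    pem = b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der) + b"-----END CERTIFICATE-----\n"
    for name, blob in [("der", der), ("pem", pem), ("short der", der[:100])]:
        print(name, precheck(blob))
```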