Why does a CHKCERT fail with message "ACF68076 Unsupported KEY algorithm. Cannot CHKCERT the certificate"?

Document ID : KB000014470
Last Modified Date : 11/01/2019
Question:

Why does a CHKCERT fail with message "ACF68076 Unsupported KEY algorithm. Cannot CHKCERT the certificate"?

Answer:

The "ACF68076 Unsupported KEY algorithm. Cannot CHKCERT the certificate" error indicates that the certificate file on z/OS is not in the correct format for a certificate. This is most likely caused by FTPing the certificate to z/OS in the wrong format. Depending on how the certificate package was created, it could be in binary format or ASCII format. You may want to try re-FTPing the certificate in the other format (ASCII/BINARY) and then retry the CHKCERT command.

ACF2 supports the INSERT of certificates in the following formats:

- certificate encoded using the X.509 Distinguished Encoding Rules (DER)
- certificate encoded using the standard X.509 base-64 encoding
- DER-encoded PKCS #12 certificate package
- DER-encoded, then base-64 encoded, PKCS #12 certificate package
- DER-encoded PKCS #7 certificate package
- base-64 encoded PKCS #7 certificate package

To correct the error:

  1. Verify CERTDER, PKCS7DER, PKCS12DER format certificates are FTP'd to z/OS in BINary format RECFM VB.
  2. Verify CERTB64, PKCS7B64, PKCS12B64 format certificates are FTP'd to z/OS in ASCII format RECFM VB. Check for truncation of the base-64 encoded certificate by browsing the certificate from ISPF. If there is only a single line between the "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" lines, the certificate was truncated when FTP'd to z/OS.
           To avoid FTP truncation, use the following FTP commands:

            ASCII
            QUOTE SITE WRAP LRECL=84 BLKSIZE=27998 RECFM=VB
            PUT cert_file_name 'z/OS dataset name' (REPLACE
            quit
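
The check below is an added example, not part of the original article or of any CA/Broadcom tooling: it is a pre-transfer check, run on the workstation, that tells DER from base-64 input, picks the matching FTP transfer type, and flags content that would not survive the transfer intact. The names `check_cert_file`, `der_length_ok` and `MAX_DATA` are hypothetical, and it only distinguishes DER from base-64; it does not tell X.509, PKCS #7 and PKCS #12 apart.

```python
import base64
import re

MAX_DATA = 84 - 4  # RECFM=VB, LRECL=84: 4 bytes of each record are the RDW

# PEM-style armor with matching BEGIN/END labels around a base-64 body
PEM = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def der_length_ok(der: bytes) -> bool:
    """True if der is one ASN.1 SEQUENCE whose length field matches its size."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:                      # short-form length
        return len(der) == 2 + der[1]
    n = der[1] & 0x7F                      # long form: n length bytes follow
    if n == 0 or len(der) < 2 + n:
        return False
    return len(der) == 2 + n + int.from_bytes(der[2:2 + n], "big")

def check_cert_file(data: bytes) -> dict:
    """Classify a certificate file and choose the FTP transfer type for it."""
    problems = []
    m = PEM.search(data)
    if m:                                  # base-64 text: transfer as ASCII
        lines = m.group(2).split()
        if any(len(line) > MAX_DATA for line in lines):
            problems.append("line longer than %d bytes: needs SITE WRAP" % MAX_DATA)
        try:
            der = base64.b64decode(b"".join(lines), validate=True)
        except ValueError:                 # binascii.Error is a ValueError
            der = b""
        if not der_length_ok(der):
            problems.append("base-64 body does not decode to complete DER")
        return {"encoding": "base-64", "ftp_type": "ASCII", "problems": problems}
    if data[:1] == b"\x30":                # raw DER: transfer as BINARY
        if not der_length_ok(data):
            problems.append("DER length mismatch (truncated or altered)")
        return {"encoding": "DER", "ftp_type": "BINARY", "problems": problems}
    return {"encoding": "unknown", "ftp_type": None,
            "problems": ["neither PEM armor nor a DER SEQUENCE"]}

if __name__ == "__main__":
    # Constructed stand-in with a valid DER header, not a real certificate
    sample_der = b"\x30\x82\x01\x00" + bytes(256)
    print(check_cert_file(sample_der))
```

Running the same check on a copy pulled back from z/OS with the same transfer type shows whether the data set still holds a complete certificate before CHKCERT is retried.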