We are using the TKE to load the certificate, and with ICSF on z/OS, there are no CSNDPIM verbs. So I don't know exactly how the TKE is able to load the certificate on the host crypto module.
The primary and secondary sub-CAs don't have an extended extension for key usage. We will probably do the validation manually for our certificate before using TR34 verbs.
Original Message:
Sent: Wed October 11, 2023 05:59 AM
From: Richard Kisley
Subject: Loading X.509 certificate on TKE
The certificate chain in the card is limited to 1 level. Therefore the certificate that should be loaded with CSNDPIM:LOADROOT is the certificate for the private key that signed the operational end entity certificates that will be used in the TR-34 process, probably the sub-CA certificate.
The root certificate "root_BC_and_KU" shows only the Basic Constraints extension, with Boolean cA set to true. If that certificate has no KeyUsage extension then CCA will not load it; CCA will return 8/x375 "The X.509 certificate presented has an invalid, or missing KeyUsage extension."
Note: you probably don't need to load that one.
That case is the only one that matches the data I can see in the certificates.
The "primSubCA_BC_and_KU" certificate shows both a Basic Constraints extension with cA true and a pathLenConstraint value, and a KeyUsage extension with Certificate Sign, CRL Sign. That looks ok.
Though if there is an extendedKeyUsage extension it is possible to have 8/x3A2 returned if the extended key usages are not consistent with the KeyUsage bits.
The certificate validation is complex and depends on the validation rule (RFC-2459, RFC-3280, RFC-5280, RFC-ANY) that was specified.
Please share which rule was used, if you tried to load both separately and both failed.
The CSNDPIM:VAL-CERT rule is only expected to be used for end entity certificates whose issuer certificate has already been loaded (via CSNDPIM); sending a CA certificate will always generate an error.
Further note:
openssl x509 -in cert.pem -noout -text
does a better job of formatting x.509 certificates than
openssl asn1parse -in cert.pem -inform PEM -i
------------------------------
Richard Kisley
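Martin mentions validating the certificates manually before the TR34 verbs, and Richard's reply above spells out what CCA checks: a Basic Constraints extension with cA true and a present KeyUsage extension with certificate-signing bits. As an added example (not IBM, TKE or CCA code), this stdlib-only Python pre-check walks the DER of a PEM or DER certificate, reads those two extensions and reports the conditions the thread says lead to rejection, so a sub-CA can be screened before CSNDPIM:LOADROOT. The DER helpers, `check_ca_cert` and `sample_cert` are hypothetical; `sample_cert` builds a constructed unsigned skeleton for demonstration, not a real certificate.

```python
"""Pre-check a CA certificate's extensions before loading it into CCA via TKE/CSNDPIM (stdlib only)."""
import base64
OID_BASIC_CONSTRAINTS, OID_KEY_USAGE = bytes.fromhex("551d13"), bytes.fromhex("551d0f")  # 2.5.29.19 / .15
KEY_CERT_SIGN = 0x04                                  # KeyUsage bit 5 in the first BIT STRING content byte

def read_tlv(buf, off):
    """Decode one DER TLV at off; return (tag, value, offset after the element)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                                 # long-form length: next (length & 0x7F) bytes
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + length], off + length
def children(value):
    """Split a constructed DER value into its (tag, value) elements."""
    off, out = 0, []
    while off < len(value):
        tag, val, off = read_tlv(value, off)
        out.append((tag, val))
    return out
def load_der(data):
    """Return DER bytes from either PEM or DER input (the thread asks which; both are accepted here)."""
    return base64.b64decode(b"".join(l for l in data.splitlines() if not l.startswith(b"-----"))) if b"-----BEGIN" in data else data
def extensions(cert_der):
    """Map extnID (OID bytes) -> extnValue inner DER from tbsCertificate [3], skipping the critical BOOLEAN."""
    exts = {}
    for tag, val in children(children(read_tlv(cert_der, 0)[1])[0][1]):
        if tag == 0xA3:                               # [3] EXPLICIT SEQUENCE OF Extension
            for _, ext in children(children(val)[0][1]):
                parts = children(ext)                 # OID, optional critical BOOLEAN, OCTET STRING
                exts[parts[0][1]] = parts[-1][1]
    return exts

def check_ca_cert(data):
    """Return findings mirroring the CCA reasons quoted in the thread; [] means the extensions look loadable."""
    exts, findings = extensions(load_der(data)), []
    bc = exts.get(OID_BASIC_CONSTRAINTS)
    if not any(t == 0x01 and v == b"\xff" for t, v in (children(children(bc)[0][1]) if bc else [])):
        findings.append("basicConstraints cA is not TRUE; LOADROOT expects the issuing CA certificate")
    ku = children(exts[OID_KEY_USAGE])[0][1] if OID_KEY_USAGE in exts else None
    if ku is None:
        findings.append("KeyUsage extension missing (CCA 8/x375)")
    elif not ku[1] & KEY_CERT_SIGN:                   # ku[0] is the unused-bit count
        findings.append("KeyUsage present but keyCertSign not asserted")
    return findings
def tlv(tag, body):
    """Two-byte-header DER encoder (lengths < 128 suffice for the constructed sample)."""
    return bytes([tag, len(body)]) + body
def sample_cert(key_usage_byte=None):
    """Constructed unsigned skeleton (NOT a real certificate): serial plus the extensions the checker reads."""
    ext = lambda oid, inner: tlv(0x30, tlv(0x06, oid) + tlv(0x01, b"\xff") + tlv(0x04, inner))
    exts = ext(OID_BASIC_CONSTRAINTS, tlv(0x30, tlv(0x01, b"\xff") + tlv(0x02, b"\x00")))  # cA TRUE, pathLen 0
    if key_usage_byte is not None:                    # BIT STRING: 1 unused bit, then the flag byte
        exts += ext(OID_KEY_USAGE, tlv(0x03, b"\x01" + bytes([key_usage_byte])))
    return tlv(0x30, tlv(0x30, tlv(0x02, b"\x01") + tlv(0xA3, tlv(0x30, exts))))
```

Run it on the real files with `check_ca_cert(open("sub-ca.pem", "rb").read())`; the skeleton `sample_cert(0x06)` (keyCertSign | cRLSign) passes, while `sample_cert()` reproduces the missing-KeyUsage rejection.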
Original Message:
Sent: Fri October 06, 2023 10:23 AM
From: Martin Provost
Subject: Loading X.509 certificate on TKE
Any update on this question?
We did another test. When we select "Validation Certificate" on the Root, we have the message
« Certificate presented to use as an end entity has a true value for CA in basic constraints certificate extension. »
and RC=8, Reason=941.
If we try to load the root, we have « The x.509 certificate presented has an invalid, or missing keyUsage extension ».
If we try to load the Subca we have « Error in certificate processing. Required certificate extension is missing ».
Do you have some documentation on what the required extensions for the x509 certificate are?
------------------------------
Martin Provost
Original Message:
Sent: Tue September 19, 2023 11:55 AM
From: Martin Provost
Subject: Loading X.509 certificate on TKE
We are trying to load in the host crypto adaptor the root and sub-CA certificates from a major ATM provider on the TKE. The plan is to use them in TR34 to do key loading on our ATMs.
The certificates are rejected with "The input certificate has an invalid or missing KeyUsage extension". If we try the Validate function, we receive an invalid certificate message.
What is the recommended format? PEM or DER?
We cannot change those certificates; they are used to sign all EPPs from this provider. If we print the certificates with OpenSSL or load them in the Windows certificate utility, we don't have any issue. I have included a copy of the basic constraints and the key usage from the OpenSSL ASN.1 text output.
We have the same error on a z16/CEXC8 and a z15/CEXC7. Version is HCR77D1. CCA is at 7.4.31z on the z15 and 8.0.71z on the z16.
Any idea on how to handle this?
------------------------------
Martin Provost
------------------------------