IBM Security Z Security

  • 1.  Carla code

    Posted Thu May 13, 2021 04:26 PM
    I have a need to alert a certificate owning group to obtain a new certificate.  I cannot get this code to work.  What am I doing wrong?

    ALLOC TYPE=RACF PRIMARY ACTIVE FREE
    ALLOC TYPE=CKFREEZE ACTIVE
    SUPPRESS MSG=(1400,171,1220,1322,2421)
    NEWLIST TYPE=RACF ,
    MAILTO=RICHARD.KLATT@WISCONSIN.GOV,
    FROM=DEGMAINFRAMESEC@DOA.STATE.WI.US ,
    REPLYTO=DEGMAINFRAMESEC@DOA.STATE.WI.US ,
    ERRORMAILTO=RICHARD.KLATT@WISCONSIN.GOV ,
    MAILFONTSIZE=2 ,
    DD=C2REMAIL CAPS RETAIN LL=80 ,
    TT='DIGITAL CERTIFICATES FOR ABCDEF WILL EXPIRE WITHIN 21 DAYS',
    ST='PLEASE PROVIDE RENEWED CERT TO BE ADDED AS ABCDEF2'
    SELECT SEGMENT=CERTDATA CLASS=DIGTCERT CERTLABL='ABCDEF' ,
    CERTEND<TODAY+20
    SORTLIST DIGTCERT_LABEL CERTEND

    ------------------------------
    Richard Klatt
    ------------------------------


  • 2.  RE: Carla code

    IBM Champion
    Posted Mon May 17, 2021 03:34 AM
    Edited by Rob van Hoboken Mon May 17, 2021 03:59 AM
    Hi Richard

    This is due to the way digital certificates are stored in RACF profiles.  The certificate label is stored in the USER profile associated with the certificate owner, along with the certificate name.  The DIGTCERT profile uses the certificate name as the profile key, but does not hold the certificate label value.
    CARLa programs, in general, read profiles as they come along and base their SELECT/EXCLUDE decisions on the fields contained in the profile.  So when DIGTCERT comes along, the CERTLABL field is not available (MISSING) and no decision can be made on its contents.
    However, when a USER profile comes along, CERTLABL is available (EXISTS) and can be used for SELECT/EXCLUDE.
    This issue has been with us for over 10 years.  In zSecure 2.4, with the December 2020 SSE, the information about certificates has been combined into a new NEWLIST TYPE, though RA.5.1 has not been updated to use this.  I think this will do what you need:

    n type=certificate
    s certlabl='ABCDEF' CERTEND<TODAY+20
    sortlist certlabl certend

    ------------------------------
    Rob van Hoboken
    ------------------------------