Could you describe what you mean by "updated" a certificate? If it was externally signed by DigiCert, did you load in a PKCS#7 format, or just the signed cert itself? Did you generate a new public-private key pair and a CSR from it (GENCERT, GENREQ) to be able to get it signed by DigiCert, and then update (ADD) it back into the same label? Before you started, did you already have both the older and newer intermediate certs installed in RACF as CERTAUTH, or just the older one?
The circumstances you started with, just before you did the "update", and how you did the update, could provide the explanation as to what you saw happen, but there may be different explanations depending on your path. Let us know please. Thanks.
------------------------------
Scott Tietjen CISSP
------------------------------
Original Message:
Sent: Wed May 19, 2021 12:06 PM
From: Richard Klatt
Subject: DIGITAL CERTIFICATE QUESTIONS
RACF CERTIFICATE QUESTIONS
Recently, we updated a certificate, and we did not realize that 'under the covers' RACF changed the intermediate certificate in the chain from the older DIGICERT intermediate to the newer DIGICERT intermediate certificate. My first question is: when two intermediate (and still 'active') certificates exist in the RACF keystore, how does RACF determine which one to place in the chain?
My second question is: can we control the above if we always place the intermediate and root certificates into the keyring along with the personal certificate?
------------------------------
Richard Klatt
------------------------------