Problem
You encounter errors when processing certificates that have been signed using GSKit because more than one certificate has the same serial number.
Cause
This error may appear, for instance, if you generate more than one certificate request using RACF (z/OS) and then sign them using GSKit (for example with the gsk7cmd command on Windows or Unix). By default, GSKit can assign the same serial number to multiple certificates.
This means that only one of the signed certificates will be accepted by RACF, which correctly treats all signed certificates with the same serial number as the same certificate: a serial number must be unique among the certificates issued by a given CA (RFC 5280, section 4.1.2.2).
Resolution
GSKit was never intended as a PKI substitute. You should therefore manage serial numbers manually for the certificates you sign, or sign your certificates with another signing system (for example OpenSSL or RACF).
- To set serial numbers manually, use the -sernum option of runmqckm, for example:
  runmqckm -cert -sign -file <certreq file> -db <db file> -pw <password> -label <label> -target <cert file> -format ASCII -expire <expire days> -sernum <serial number>
To manage serial numbers manually, you need a serial number authority (most likely the certificate authority itself) that follows a numbering convention and guarantees that no two certificates it issues share a serial number.
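Because RACF will silently keep only one of several same-serial certificates, it is worth checking a batch of signed certificates for duplicate serial numbers before loading them. The following script is an added example, not part of this technote or of GSKit/RACF: it walks just enough of the DER structure (Certificate, TBSCertificate, optional [0] version, then the serialNumber INTEGER) to pull out each serial, accepts either DER or the Base64/PEM output that "-format ASCII" produces, and reports serials shared by more than one file. The sample "certificates" below are constructed stand-ins containing only the fields this parser reads; they are not valid certificates, and the file names are invented.

```python
"""Detect duplicate X.509 serial numbers across a set of signed certificates.

Structure walked (RFC 5280):
  Certificate ::= SEQUENCE {
      tbsCertificate SEQUENCE {
          version      [0] EXPLICIT INTEGER OPTIONAL,
          serialNumber INTEGER,
          ... } ... }
"""
import base64
import re
from collections import defaultdict


def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER TLV starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        nbytes = length & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, end


def to_der(data):
    """Accept DER bytes or PEM text (-----BEGIN ... -----) and return DER bytes."""
    if data.lstrip().startswith(b"-----BEGIN"):
        b64 = re.sub(rb"-----[^-]+-----|\s", b"", data)
        return base64.b64decode(b64)
    return data


def serial_number(der):
    """Extract serialNumber from a DER certificate as a Python int."""
    tag, start, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("outer element is not a SEQUENCE (Certificate)")
    tag, start, _ = _read_tlv(der, start)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE (TBSCertificate)")
    tag, vstart, vend = _read_tlv(der, start)
    if tag == 0xA0:                        # [0] EXPLICIT version is present; skip it
        tag, vstart, vend = _read_tlv(der, vend)
    if tag != 0x02:
        raise ValueError("expected INTEGER serialNumber")
    # DER INTEGER is two's complement; a conformant serial is positive.
    return int.from_bytes(der[vstart:vend], "big", signed=True)


def find_duplicate_serials(certs):
    """certs: mapping of name -> DER or PEM bytes.
    Returns {serial: [names...]} for every serial used by more than one certificate."""
    by_serial = defaultdict(list)
    for name, data in certs.items():
        by_serial[serial_number(to_der(data))].append(name)
    return {s: names for s, names in by_serial.items() if len(names) > 1}


# ---- constructed sample input (not real certificates) ----------------------
def _der(tag, body):
    """Encode one DER TLV with short- or long-form length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _fake_cert(serial, with_version=True):
    """Stand-in certificate: only Certificate/TBSCertificate/version/serialNumber
    are meaningful; the rest of TBSCertificate is a placeholder and the
    signature fields are omitted. Constructed for this example only."""
    ser = serial.to_bytes((serial.bit_length() + 8) // 8, "big")  # keeps sign bit clear
    body = (_der(0xA0, _der(0x02, b"\x02")) if with_version else b"") + _der(0x02, ser)
    body += _der(0x30, b"\x06\x03\x55\x04\x03")  # placeholder for remaining fields
    return _der(0x30, _der(0x30, body))


def _pem(der):
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der) + b"-----END CERTIFICATE-----\n"


SAMPLE_CERTS = {                                   # invented file names
    "qm1_signed.arm": _pem(_fake_cert(1)),          # same serial as qm2: the collision
    "qm2_signed.arm": _pem(_fake_cert(1)),
    "qm3_signed.der": _fake_cert(0x1A2B3C, with_version=False),
}

if __name__ == "__main__":
    for serial, names in find_duplicate_serials(SAMPLE_CERTS).items():
        print(f"serial {serial:#x} is shared by: {', '.join(names)}")
```

In practice, replace SAMPLE_CERTS with the contents of the .arm or .der files written by runmqckm; any serial reported by find_duplicate_serials identifies certificates that RACF will collapse into one, and those should be re-signed with a distinct -sernum value.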