Going back to the first message... I'm getting this trying to use a self-signed certificate. I put it into gskkyman and when I try to connect (outbound from z/OS) I get
Certificate validation error from GSK_SECURE_SOCKET_INIT. Running a gsktrace shows: 09/07/2022-17:30:14 Thd-1 ERROR check_cert_extensions_3280_and_later(): *Basic Constraints extension must be critical for CA Certificate* For my CA with OPENSSL I have openssl-ca.cnf file with [ req_extensions ] subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always ! issuer:alwaysz *basicConstraints = critical,CA:TRUE, pathlen:0* keyUsage = keyCertSign, digitalSignature,cRLSign It looks like you may not have this, On Linux I use openssl x509 -in cs256.pem -text -noout|less and it gives me X509v3 extensions: X509v3 Subject Key Identifier: 58:30:AF:55:C7: X509v3 Authority Key Identifier: keyid:58:30:... *X509v3 Basic Constraints: critical CA:TRUE, pathlen:0 X509v3 Key Usage: Digital Signature, Certificate Sign, CRL Sign* Display your certificate, and check it. Colin ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN