I notice your cert display did not list a "Key Usage" section.

    X509v3 Key Usage: critical
        Digital Signature, Key Encipherment, Data Encipherment

Digital Signature and Data Encipherment are defaults, but Key Encipherment does not default and needs to be specified in Key Usage.

    X509v3 extensions:
        X509v3 Basic Constraints:
            CA:FALSE
        X509v3 Extended Key Usage:
            TLS Web Server Authentication, TLS Web Client Authentication
        Netscape Comment:
            OpenSSL Generated Certificate
            82:7D:1F:EF:53:DB:3D:E1:14:62:03:49:34:16:A2:92:D9:46:51:1E

> Sent: Tuesday, November 07, 2017 at 10:40 AM
> From: "Charles Mills" <charl...@mcn.org>
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: What cryptographic algorithm is not supported?
>
> That could be another thread "most useless diagnostic ever."
>
> Right, that is the API call (apparently) that failed, but I don't think one knows that just from the error message. As I said, I got the same error message for presenting a certificate with a SHA-1 digest (I think). Presumably a different CMS API call but the same external message. Different action for the user.
>
> I display certificates all the time. My script that issues OpenSSL certificates displays them at the end.
>
> Charles
>
>
> -----Original Message-----
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Kirk Wolf
> Sent: Tuesday, November 7, 2017 8:07 AM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: What cryptographic algorithm is not supported?
>
> It's not the worst diagnostic situation that I have seen on z/OS (that award would go to the C-library OS I/O stuff IMO).
>
> In this case, the external API that failed is gsk_decode_import_key(), and if you look it up the error that you are getting is documented:
> https://www.ibm.com/support/knowledgecenter/en/SSLTBW_2.3.0/com.ibm.zos.v2r3.gska100/msg34.htm
>
> The algorithm codes can be found in /usr/include gskcms.h
> x509_alg_pbeWithSha1And40BitRc2Cbc = 36, /* 1.2.840.113549.1.12.1.6 */
>
> Kirk Wolf
> Dovetailed Technologies
> http://dovetail.com
>
> PS> If you want some "fun", take your X.509 cert and load it into an ASN.1 tool that displays the whole ugly thing
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
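
Added example, not part of the thread or of any poster's script: a Python check over the text that `openssl x509 -noout -text` prints, reporting whether an "X509v3 Key Usage" section is present and whether it lists Key Encipherment, which is the comparison the first reply makes by eye. The two sample extension blocks are constructed from the lines quoted in that reply, and the function names are hypothetical.

```python
import re

# Constructed samples in the layout of `openssl x509 -noout -text`, built from
# the extension lines quoted in the reply above; not taken from a real certificate.
WITH_KU = """\
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Data Encipherment
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
"""
WITHOUT_KU = """\
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            Netscape Comment:
                OpenSSL Generated Certificate
"""

# An extension header: indentation, name, colon, optional "critical" flag.
HEADER = re.compile(r"^(\s*)(X509v3 [^:]+|Netscape Comment):\s*(critical)?\s*$")

def parse_extensions(text):
    """Map extension name -> (critical, [values]) from openssl text output."""
    exts, current, indent = {}, None, 0
    for line in text.splitlines():
        m = HEADER.match(line)
        if m and m.group(2) != "X509v3 extensions":
            current, indent = m.group(2), len(m.group(1))
            exts[current] = (m.group(3) is not None, [])
        elif current and line.strip() and len(line) - len(line.lstrip()) > indent:
            # Value lines are indented deeper than their header.
            exts[current][1].extend(v.strip() for v in line.split(",") if v.strip())
        else:
            current = None
    return exts

def key_usage_report(text, required=("Key Encipherment",)):
    """Say whether Key Usage is present and which required usages it lacks."""
    exts = parse_extensions(text)
    if "X509v3 Key Usage" not in exts:
        return {"present": False, "critical": False, "missing": list(required)}
    critical, usages = exts["X509v3 Key Usage"]
    return {"present": True, "critical": critical,
            "missing": [u for u in required if u not in usages]}
```

Feed it the saved output of the certificate display; an empty "missing" list with "present" true means the section exists and names every required usage.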