Walt, 

Thanks for your response.  We read something similar about DSA not being
usable for SSL encryption.

We have gotten further info from CA. It seems like I left something out of
my post that was relevant.  We are still running z/OS 1.9.  

It seems that with z/OS 1.9 the max keysize is 1024 without the PCI crypto
card.  See the RACF manual from z/OS 1.9
http://publibz.boulder.ibm.com/epubs/pdf/ichza480.pdf  page 291 for the
size(keysize) parameter of RACDCERT.  

However with z/OS 1.10 or later the max keysize is 4096.  See the RACF
manual from z/OS 1.10 http://publibz.boulder.ibm.com/epubs/pdf/ichza490.pdf
page 330 & 331 for the size(keysize) parameter of RACDCERT GENCERT. 

Someone suggested trying to request a certificate with a 2048-bit key and RSA
from another machine that supports this and trying to install that
certificate in a TSS keyring on our system and then try to use it.  If that
doesn't work, I guess our other option is to tell our clients to tolerate an
expired certificate until we can get to a new release of z/OS.

-Stew

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
