Kevin,
First, thanks for responding! Our Certificate Generating group sent a certificate chain consisting of a root CA, an intermediate CA signed by the root CA, and a user/server certificate signed by the intermediate CA. The package was sent in PKCS12 format (.pfx) and also in PEM format (text). The PEM format had three public key certificates followed by a private key segment (bounded by "Begin encrypted private key" and "End encrypted private key"); CA-TOP SECRET was not able to handle the private key segment. However, when I uploaded the '.pfx' file in BINARY, CATSS was able to successfully load the certificates into the Database and apply the private keys. I attached the certificates to the appropriate key rings and was able to get the Liberty server to start under the hosting CICS region. (So far, so good!)
Where I ran into an issue was with the public key certificate. I extracted the public key certificate for the intermediate CA for use in the web browser, but that produced an "invalid signature" message on the logon page in the web browser. I exported the public key certificate using the default CATSS format (CERTDER, I think?), then imported the resulting PEM file into either the Microsoft Certificate Vault, or the browser's certificate repository. Note that when I used this same procedure with CATSS-generated certificates, the user was able to log into the CICS application from the web browser with no issues.
So perhaps I am approaching this incorrectly, from what you have mentioned. I am working under the assumption that the "server" should have the private key certificates, and the "client" the public key certificates, and that is how I set up the third party certificate chain. If that is not going to work, what would be a better approach?