Renewal of an expired self-signed certificate fails with message IRRD107I No Matching Certificate Found For This User.
Either the user ID being used to renew the certificate does not have sufficient authority to complete the renewal or the signing certificate does not belong to the user ID executing the renewal.
Resolving the problem
RACF Messages and Codes provides recommended user responses to correct this error. The RACF Command Language Reference documents that you must have either the SPECIAL attribute or sufficient authority to the IRR.DIGTCERT.ADD and IRR.DIGTCERT.GENCERT resources in the FACILITY class, based on the certificate owner and the SIGNWITH value, as shown in Table 23 at the above link. For the SIGNWITH parameter itself (within the GENCERT command), the signing certificate must belong to the user ID executing the command, or SITE or CERTAUTH must be specified. If the SITE and CERTAUTH keywords are omitted, the signing certificate owner defaults to the user ID of the command issuer.
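
The checks and the corrected SIGNWITH described above, as an added example that is not taken from the IBM documentation. It assumes the expired self-signed certificate is owned by CERTAUTH; the label, the data set name and the NOTAFTER date are hypothetical placeholders, and the `/* */` annotations follow CLIST comment style.

```tso
/* 1. Confirm which owner holds the expired certificate.        */
/*    The label 'Example Root CA' is a placeholder.             */
RACDCERT CERTAUTH LIST(LABEL('Example Root CA'))

/* 2. If the issuer does not have SPECIAL, review who is        */
/*    permitted to the two FACILITY resources named above.      */
RLIST FACILITY IRR.DIGTCERT.ADD AUTHUSER
RLIST FACILITY IRR.DIGTCERT.GENCERT AUTHUSER

/* 3. Build a renewal request from the existing certificate.    */
/*    The data set name is a placeholder.                       */
RACDCERT CERTAUTH GENREQ(LABEL('Example Root CA')) -
  DSN('ADMIN1.ROOTCA.REQ')

/* 4a. Fails with IRRD107I: SIGNWITH has no SITE or CERTAUTH,   */
/*     so the signing certificate is looked up under the        */
/*     command issuer's own user ID, where it does not exist.   */
RACDCERT CERTAUTH GENCERT('ADMIN1.ROOTCA.REQ') -
  SIGNWITH(LABEL('Example Root CA')) -
  NOTAFTER(DATE(2035-12-31))

/* 4b. Corrected: SIGNWITH names the owner of the signing       */
/*     certificate explicitly.                                  */
RACDCERT CERTAUTH GENCERT('ADMIN1.ROOTCA.REQ') -
  SIGNWITH(CERTAUTH LABEL('Example Root CA')) -
  NOTAFTER(DATE(2035-12-31))

/* 5. Verify the new expiry date on the renewed certificate.    */
RACDCERT CERTAUTH LIST(LABEL('Example Root CA'))
```

If the certificate is instead owned by SITE or by an individual user ID, substitute SITE or ID(userid) for CERTAUTH on the owner operand and use the matching owner inside SIGNWITH.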