z/OS Cryptographic Services PKI Services Guide and Reference
Previous topic | Next topic | Contents | Contact z/OS | Library | PDF


IKYP043I

z/OS Cryptographic Services PKI Services Guide and Reference
SA23-2286-00

IKYP043I
PKI Services CA certificate cannot be a Diffie-Hellman certificate.

Explanation

An elliptic curve cryptography (ECC) certificate with only the keyAgreement keyUsage bit set, or with the keyAgreement bit set with either encipherOnly or decipherOnly set, is an ECC Diffie-Hellman certificate. Its intended usage is for key exchange, not for signing. Therefore, a CA certificate cannot be of this type.

System action

PKI Services stops.

System programmer response

Make sure that the key ring specified in the SAF section of the PKI Services configuration file (pkiserv.conf) contains a CA certificate that is not an ECC Diffie-Hellman certificate.

Parent topic: Messages

Go to the previous page Go to the next page

Notices | Terms of use | Support | Contact z/OS | zFavorites



Copyright IBM Corporation 1990, 2014