IKYS013I   Cannot find the private key associated with the {default | RA} certificate

Explanation

PKI Services is attempting to retrieve data from the SAF key ring specified by the KeyRing value in the SAF section of the pkiserv.conf file. The key ring specified does not appear to be set up properly. The problem is related to either the CA (default) certificate or the RA certificate, as indicated in the message. Possible problems are:
  • The certificate is not connected to the ring.
  • The certificate is incorrectly connected to the key ring. Both must have USAGE PERSONAL and the CA certificate must be the DEFAULT.
  • The certificate has no private key.
  • The user ID assigned to the PKI Services daemon has insufficient authority to read the key ring or the private key.

System action

If the problem is with the default certificate, PKI Services stops. If the problem is with the RA certificate, PKI Services continues but the Simple Certificate Enrollment Protocol (SCEP) is disabled.

System programmer response

Ensure that the SAF key ring and the certificate stored in it are correct. For more information, see Running IKYSETUP to perform RACF administration and z/OS Security Server RACF Security Administrator's Guide.

Parent topic: Messages