IKYP043I PKI Services CA certificate cannot be a Diffie-Hellman certificate.
Explanation
An elliptic curve cryptography (ECC) certificate with only the keyAgreement keyUsage bit set, or with the keyAgreement bit set with either encipherOnly or decipherOnly set, is an ECC Diffie-Hellman certificate. Its intended usage is for key exchange, not for signing. Therefore, a CA certificate cannot be of this type.
System action
PKI Services stops.
System programmer response
Make sure that the key ring specified in the SAF section of the PKI Services configuration file (pkiserv.conf) contains a CA certificate that is not an ECC Diffie-Hellman certificate.