IKYP043I   PKI Services CA certificate cannot be a Diffie-Hellman certificate.

Explanation

An elliptic curve cryptography (ECC) certificate with only the keyAgreement keyUsage bit set, or with the keyAgreement bit set with either encipherOnly or decipherOnly set, is an ECC Diffie-Hellman certificate. Its intended usage is for key exchange, not for signing. Therefore, a CA certificate cannot be of this type.

System action

PKI Services stops.

System programmer response

Make sure that the key ring specified in the SAF section of the PKI Services configuration file (pkiserv.conf) contains a CA certificate that is not an ECC Diffie-Hellman certificate.

Parent topic: Messages