IKYP032I   PKI SERVICES DOES NOT HAVE RA CAPABILITY. SCEP PROCESSING SUSPENDED

Explanation

The PKI Services daemon process is starting. Initialization processing determines that the SCEP interface should be enabled and reads the contents of the key ring to locate the certificate and key to be used for the SCEP registration authority (RA) function. No RA-capable certificate and key were found.

System action

Initialization continues but PKI Services SCEP processing is suspended.

System programmer response

The RA function of PKI Services requires a certificate and a private key capable of creating general purpose digital signatures and enciphering session keys, that is, with the key usage values digitalSignature and keyEncipherment (Handshaking). Either the PKI Services CA certificate must have this capability (which is atypical) or an additional, dedicated RA certificate for PKI Services must be established. In either case, the certificate must have the proper key usage and must have an RSA private key. If a dedicated RA certificate is used, specify its label using the RALabel directive in the SAF section of the PKI Services configuration file (pkiserv.conf). The RA certificate must be assigned to the user ID of the PKI Services daemon and must be connected to the PKI Services key ring with USAGE PERSONAL and DEFAULT NO. For more information, see Enabling Simple Certificate Enrollment Protocol (SCEP). If you make changes to the PKI Services key ring to correct the problem, stop and restart PKI Services.
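The following RACF commands are an added example, not taken from the original message description, showing one way to establish a dedicated RA certificate that meets the requirements above. The daemon user ID `PKISRVD`, the key ring name `CAring`, and the labels `Example PKI RA` and `Example PKI CA` are assumptions; substitute the values used by your installation.

```tso
/* Added example. PKISRVD, CAring and both labels are assumed sample  */
/* values; substitute the ones used by your installation.             */

/* 1. Generate a dedicated RA certificate owned by the daemon user ID.*/
/*    GENCERT creates an RSA key pair by default, and                 */
/*    KEYUSAGE(HANDSHAKE) sets digitalSignature and keyEncipherment.  */
RACDCERT ID(PKISRVD) GENCERT -
  SUBJECTSDN(CN('Example PKI RA') O('Example Org') C('US')) -
  WITHLABEL('Example PKI RA') -
  SIGNWITH(CERTAUTH LABEL('Example PKI CA')) -
  KEYUSAGE(HANDSHAKE)

/* 2. Connect it to the PKI Services key ring as PERSONAL.            */
/*    Omitting the DEFAULT keyword leaves the entry as DEFAULT NO.    */
RACDCERT ID(PKISRVD) CONNECT(ID(PKISRVD) LABEL('Example PKI RA') -
  RING(CAring) USAGE(PERSONAL))

/* 3. Verify: key usage and private key on the certificate, then the  */
/*    ring entry (expect USAGE PERSONAL and DEFAULT NO).              */
RACDCERT ID(PKISRVD) LIST(LABEL('Example PKI RA'))
RACDCERT ID(PKISRVD) LISTRING(CAring)
```

With these assumed names, the RALabel directive in the SAF section of pkiserv.conf would name the label `Example PKI RA`.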

Routing code

2

Descriptor code

6