PKA Key Token Change (CSNDKTC)
The PKA Key Token Change verb changes PKA key tokens (RSA, ECC, or PQC) or trusted block key tokens from encipherment under the old ASYM or APKA master key to encipherment under the current ASYM or APKA master key.
- For RSA key tokens - Key tokens must be private internal PKA key tokens in order to be changed by this verb. PKA private keys encrypted under the Key Management Master Key (KMMK) cannot be re-enciphered using this services unless the KMMK has the same value as the Signature Master Key (SMK).
- For trusted block key tokens - Trusted block key tokens must be internal.
- For ECC key tokens - Key tokens must be private internal ECC key tokens encrypted under the APKA-MK.
- For PQC key tokens - Key tokens must be private internal PQC key tokens encrypted under the APKA master key. PQC key tokens include: pure and pre-hash ML-DSA, ML-KEM, CRYSTALS-Dilithium, and CRYSTALS-Kyber.
This verb does not need to document any Restrictions.