IRRD207I

Explanation
Either you attempted to request a PKI Services
digital certificate using the R_PKIServ callable service GENCERT or
REQCERT functions or you attempted to modify an existing certificate
request using the R_PKIServ callable service MODIFYREQS function but
provided an incorrect combination of KeyUsage values.
For RSA
key types, if you specify the KeyUsage through keywords or PKI Services
web page dialogs, the KeyUsages CERTSIGN, KEYCERTSIGN, or CRLSIGN
cannot be specified in combination with either HANDSHAKE, KEYENCIPHERMENT,
KEYENCIPH, KEYENCRYPT, DATAENCIPHERMENT, DATAENCIPH, or DATAENCRYPT.
If you specify the KeyUsage through KeyUsage flags in a PKCS #10 certificate
request, KEYCERTSIGN or CRLSIGN cannot be specified in combination
with either KEYENCIPHERMENT or DATAENCIPHERMENT.
For ECC key
types, if you specify the KeyUsage through keywords or PKI Services
web page dialogs, the KeyUsages KEYENCIPHERMENT, KEYENCIPH, KEYENCRYPT,
DATAENCIPHERMENT, DATAENCIPH, or DATAENCRYPT cannot be specified.
The KeyUsages CERTSIGN, KEYCERTSIGN, or CRLSIGN cannot be specified
in combination with KEYAGREE. If you specify the KeyUsage through
KeyUsage flags in a PKCS #10 certificate request, KEYCERTSIGN or CRLSIGN
cannot be specified in combination with KEYAGREEMENT.

System action
R_PKIServ processing ends. RACF® prevents the request from completing.

User response
Select a different KeyUsage, generate a new PKCS
#10 certificate, if applicable, or contact your system programmer
or web page administrator.

Application Programmer Response
Modify
the application invoking the R_PKIServ callable service to provide
different KeyUsage values.

Web Page Administrator Response
If R_PKIServ
is being invoked from the PKI Services CGIs, modify the certificate
template definition in the pkiserv.tmpl file to provide different
KeyUsage values in the <CONSTANT> section in the PKI templates.