Is there a Top Secret command to export the private key if it is stored in ICSF instead of the security file?
There is no Top Secret command that will extract the private key and remove it from the security file while keeping the public key.
There is a Top Secret command to re-connect the public and private key once the private key has been transferred to ICSF using IBM's KEYXFER tool. Since the private key is in ICSF, you cannot TSS EXPORT the public and private key together in PKCS12 format. You need to use the KEYXFER tool to transfer the private key and the TSS EXPORT command to transfer the public key (the certificate). Then you can recombine them on the target system as long as both systems are using the same ICSF PKA master key. You don't need to share the security file or share the same ICSF PKDS.
IBM documents the steps for migrating a certificate and its ICSF private key in the PKDS.
Here are the RACF commands converted from the above IBM documentation to TSS.
Perform the following steps to generate a RACF certificate and its ICSF public/private key pair on system A (the source system), and migrate them to system B (the target system).
1. Generate the certificate and its public/private key pair on system A.
RACDCERT ID(SYSMAN) GENCERT SUBJECTSDN(CN('Secure Key'))
WITHLABEL('SECURE.KEY') PKDS(*) SIZE(2048)
TSS GENCERT(SYSMAN) DIGICERT(SECREKEY) SUBJECTN('CN="Secure Key"') LABLCERT('SECURE.KEY') LABLPKDS(*) KEYSIZE(2048) ICSF
______________________________________________________________________
2. Extract the certificate from RACF and store it in an MVS™ data set called 'MY.CERT'. (The ICSF private key is not extracted in this step.)
RACDCERT ID(SYSMAN) EXPORT(LABEL('SECURE.KEY')) DSN(MY.CERT) FORMAT(CERTDER)
TSS EXPORT(SYSMAN) DIGICERT(SECREKEY) DSN(MY.CERT) FORMAT(CERTDER)
______________________________________________________________________
3. Extract the encrypted private key from ICSF using a non-RACF utility, such as KEYXFER. Use the WRITE_PKDS function of KEYXFER.
______________________________________________________________________
4. Transmit both the key and certificate data sets to system B. This step completes your work on system A.
______________________________________________________________________
5. Receive both the key and certificate data sets on system B.
______________________________________________________________________
6. Add the encrypted private key to ICSF using a non-RACF utility, such as KEYXFER, specifying the desired PKDS label for the key on system B, 'MIGRATED.KEY'. Use the READ_PKDS function of KEYXFER.
______________________________________________________________________
7. Add the certificate to RACF using the same RACF and PKDS label you used in Step 6, 'MIGRATED.KEY'.
RACDCERT ID(SYSMAN) ADD(MY.CERT) WITHLABEL('MIGRATED.KEY') PKDS(*)
TSS ADD(SYSMAN) DIGICERT(SECREKEY) LABLCERT('MIGRATED.KEY') DCDSN(MY.CERT) LABLPKDS(*)
______________________________________________________________________
8. List the migrated certificate to verify that RACF found the private key and assigned the private key to the certificate.
RACDCERT ID(SYSMAN) LIST(LABEL('MIGRATED.KEY'))
TSS LIST(SYSMAN) DIGICERT(SECREKEY)
Result: You should see similar information at the end of the certificate listing:
Key Type: RSA
Key Size: 2048
Private Key: YES
PKDS Label: MIGRATED.KEY
Ring Associations:
*** No rings associated ***
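The following is an added example, not part of the IBM or Broadcom documentation above. Because the CERTDER file produced in step 2 travels between systems on its own (steps 4 and 5), a practitioner usually wants an independent check that the data set received on system B is byte-for-byte the one exported from system A and that it carries the expected RSA 2048 public key before running the TSS ADD in step 7. The script below is a small stdlib-only DER walker: it locates the rsaEncryption SubjectPublicKeyInfo inside a DER blob, reports the modulus size (the "Key Type: RSA / Key Size: 2048" lines of the listing in step 8), and computes a SHA-256 fingerprint to compare on both systems. The sample input is a constructed SubjectPublicKeyInfo with a placeholder modulus, not a real key or a real certificate; the function names and the module-level sample are assumptions of this example. On a real system you would read the downloaded MY.CERT data set (transferred in binary) in place of the sample.

```python
"""Offline sanity check for an exported CERTDER data set (added example).

Parses a DER blob, finds the rsaEncryption SubjectPublicKeyInfo (in a real
certificate it sits inside tbsCertificate), and reports key type, key size
and a SHA-256 fingerprint for comparison between system A and system B.
"""
import hashlib

# OID 1.2.840.113549.1.1.1 (rsaEncryption), DER-encoded content octets
RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")

# --- minimal DER encoder, used only to build the constructed sample ---------
def der_len(n):
    """Encode a DER length (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def der_int(v):
    """Encode a non-negative INTEGER; add a leading 0x00 if the top bit is set."""
    b = v.to_bytes((v.bit_length() + 7) // 8, "big")
    if b[0] & 0x80:
        b = b"\x00" + b
    return tlv(0x02, b)

def build_sample_spki(modulus, exponent=65537):
    """SubjectPublicKeyInfo ::= SEQUENCE { AlgorithmIdentifier, BIT STRING }."""
    rsa_pub = tlv(0x30, der_int(modulus) + der_int(exponent))
    alg_id = tlv(0x30, tlv(0x06, RSA_ENCRYPTION_OID) + tlv(0x05, b""))
    return tlv(0x30, alg_id + tlv(0x03, b"\x00" + rsa_pub))  # 0 unused bits

# --- minimal DER decoder ----------------------------------------------------
def read_tlv(buf, pos=0):
    """Decode one TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split the content of a constructed value into its (tag, value) members."""
    out, pos = [], 0
    while pos < len(value):
        tag, body, pos = read_tlv(value, pos)
        out.append((tag, body))
    return out

def _find_rsa_modulus(tag, value):
    """Depth-first search for SEQUENCE { SEQUENCE { OID rsaEncryption, .. }, BIT STRING }."""
    if tag == 0x30:
        kids = children(value)
        if len(kids) == 2 and kids[0][0] == 0x30 and kids[1][0] == 0x03:
            alg = children(kids[0][1])
            if alg and alg[0] == (0x06, RSA_ENCRYPTION_OID):
                rsa_pub = children(kids[1][1][1:])[0][1]   # skip unused-bits octet
                return int.from_bytes(children(rsa_pub)[0][1], "big")
    if tag & 0x20:                          # constructed: descend into members
        for t, v in children(value):
            found = _find_rsa_modulus(t, v)
            if found is not None:
                return found
    return None

def rsa_key_bits(der):
    """Return the RSA modulus size in bits, or None if no RSA public key is present."""
    tag, value, _ = read_tlv(der)
    n = _find_rsa_modulus(tag, value)
    return None if n is None else n.bit_length()

def describe(der):
    """Summary to compare on both systems; mirrors the key lines of the TSS LIST output."""
    bits = rsa_key_bits(der)
    return {
        "key_type": "RSA" if bits is not None else "unknown",
        "key_bits": bits,
        "sha256": hashlib.sha256(der).hexdigest(),
    }

# Constructed placeholder modulus (2048 bits, top bit set): NOT a real key.
SAMPLE_MODULUS = (1 << 2047) | 0x10001
SAMPLE_DER = build_sample_spki(SAMPLE_MODULUS)

if __name__ == "__main__":
    # Replace SAMPLE_DER with open("MY.CERT", "rb").read() on a real system.
    for k, v in describe(SAMPLE_DER).items():
        print(f"{k}: {v}")
```

Run it against the downloaded data set on system A and again on system B: matching fingerprints confirm the transfer was binary-clean, and a key size other than the one generated in step 1 means the wrong data set was exported. The walker deliberately stops at the public key; a CERTDER export carries no private key material, which stays in the PKDS and moves only via KEYXFER.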