Trying to GENCERT a CSR using the following job gets an error listed below:

GENCERT ABCCHIN.CERT LABEL(ABCCHIN.LABEL) -   
        SUBJ(CN='ABCDC.XX.XX.COM' - 
        O='The ABC Bank'  -               
        OU='XX'  -                                     
        L='Newyork'  -                                 
        S='Newyork City'  -                                 
        C='CA') -                                      
        EXPIRE(12/31/30) -                             
        PCICC SIZE(2048) -                            
        PKDSLBL(IRR.DIGTCERT.ABCCHIN.CERT)

CAS20E0E ICSF CSNDPKX service error - RC=8 RSN=16000    

Resource violation log ACFRPTRV gets the following violation:

J JOB00001      USER01  XXX00262 SYS1 ACF9CFAT NO-RULE     -     DIRECTRY READ 
21.145 05/25 10.02    ABCXXXMQ USER01  SEC ENG HOST LVL 3     0   0  20   0  16
SAF RESOURCE CLASS CSFSERV                                                                                                                                  

RESOURCE NAME: CSFPKX

Release : 16.0

Component : CA ACF2 for z/OS

ACF2 PTF SO16122 introduces TLS 1.3 support. The key pairs generated for TLS 1.3 need to be in RSA-AESC format. When building the key pair in RSA-AESC format, ACF2 uses the CSNDPKX routine to obtain it, which requires a new validation for the resource CSFPKX(for PKA Public Key Extract) in the CSFSERV resource class.

To add the access rule for new resource CSFPKX validation for the resource class CSFSERV, issue the following commands: 

ACF
SET RESOURCE(CSD)
RECKEY CSFPKX add( UID(ABCD) SERVICE(READ) ALLOW)

The resource check for resource CSFPKX under resource class CSFSERV. Verify the particular references for ICSF configuration settings in the system using following links. 

Reference IBM documentation for Setting up profiles in the CSFSERV general resource class and Resource names for CCA and ICSF entry points.