When attempting to GENCERT a digital certificate with PCICC specified, the following error is seen and the certificate fails to be generated:
CAS20E0E ICSF CSNDPKG service error - RC=12 RSN=11016
Release : 16.0
Component : ACF2 for z/OS
z/OS 2.4 or higher
The return and reason codes indicate an issue with the master key in ICSF, stating "The master key is not in a valid state. Contact your ICSF administrator."
z/OS V2R4 introduced a requirement of an ECC master key:
Missing this ECC master key results in the rc=12, rsn=11016 from the CSNDPKG service.
Note that the private keys already installed in the PKDS by an older z/OS release will remain in place but won't be usable unless re-encrypted with the ECC master key.