When attempting to GENCERT a digital certificate with PCICC specified, the following error is seen and the certificate fails to be generated:
CAS20E0E ICSF CSNDPKG service error - RC=12 RSN=11016
Release: 16.0
Component: ACF2 for z/OS
z/OS 2.4 or higher
The return and reason codes indicate an issue with the master key in ICSF, stating "The master key is not in a valid state. Contact your ICSF administrator."
z/OS V2R4 introduced a requirement for an ECC master key: RACF RACDCERT TLS1.3 RSAPSS support.
When this ECC master key is missing, the CSNDPKG service returns RC=12, RSN=11016.
Note that the private keys already installed in the PKDS by an older z/OS release will remain in place but won't be usable unless re-encrypted with the ECC master key.