After an exported public keystore digital certificate and its signing certificate authority were added to Top Secret, the EKM (tape Encryption Key Manager) application fails with an error when it tries to load the keystore.
PUBLIC keystore digital certificate: ekmcert
Signing certificate authority: certca
RING name: ekmring
The following error message is received during EKM initialization:
"The private key of ekmcert is not available or no authority to access the private key."
If the PUBLIC keystore (ekmcert) is removed from the ring, EKM will initialize.
The certificates were added to the keyring via:
TSS ADD(EKMSERV) KEYRING(ekmring) RINGDATA(EKMSERV,ekmcert) USAGE(PERSONAL)
TSS ADD(EKMSERV) KEYRING(ekmring) RINGDATA(CERTAUTH,certca) USAGE(CERTAUTH)
Both certificates need to be defined with USAGE(CERTAUTH) on the keyring via:
TSS ADD(EKMSERV) KEYRING(ekmring) RINGDATA(EKMSERV,ekmcert) USAGE(CERTAUTH)
TSS ADD(EKMSERV) KEYRING(ekmring) RINGDATA(CERTAUTH,certca) USAGE(CERTAUTH)