The NISTECC keyword is used to generate a key pair using the National Institute of Standards and Technology (NIST) algorithm instead of the RSA algorithm.

When using the GENCERT command with the NISTECC keyword : 

TSS GENCERT(acid) DIGICERT(certname) SUBJECTN('CN=”common-name O="organizational-name" T=""title" OU="organizational-unit-name1" L="locality" ST="state -- or -- province" C="country"') NISTECC LABLCERT('label_name')

the command fails with the message:

TSS0301I GENCERT  FUNCTION FAILED, RETURN CODE =  8
CAS20E1E ICSF is not active. Certificate can not be generated

However, the ICSF is active.

Top Secret 16.0

ICSF RELEASE FMID=HCR77D1.

In the log of the ICSF task there is the following message:

 00.00.00 STC12345  CSFM133I THERE ARE NO ACTIVE PKCS11 COPROCESSORS.

When using the NISTECC Keyword the key is generated using ICSF PKCS #11 functions so the ICSF subsystem must be operational and configured for PKCS #11 operation.

Configure the ICSF subsystem for PKCS #11 operation