That won't work. KEYXFER only works if the master key is the same on both sides.
Unfortunately, there is no easy way to do what the original poster is trying to do. There is really only one option: the two systems must somehow have the same master key(s). You can either 1. change LPAR P to be the same as LPAR T (reenciphering the PKDS on LPAR P) and then transfer the private key from T to P 2. change LPAR T to be the same as LPAR P (reenciphering the PKDS on LPAR T) and then transfer the private key from T to P Eric Rossman --------------------------------- ICSF Security Architect z/OS Security --------------------------------- -----Original Message----- From: IBM Mainframe Discussion List <[email protected]> On Behalf Of Jousma, David Sent: Thursday, January 29, 2026 4:06 PM To: [email protected] Subject: [EXTERNAL] Re: Moving a PKDS Key Have a look at IBMs KEYXFER utility https://public.dhe.ibm.com/s390/zos/tools/keyxfer/readme.txt _______________________________ Dave Jousma Vice President | Director, Platform Engineering Fifth Third Bank | 1830 East Paris Ave, SE | Grand Rapids, MI 49546 From: IBM Mainframe Discussion List <[email protected]> on behalf of Roberto Halais <[email protected]> Date: Thursday, January 29, 2026 at 2:04 PM To: [email protected] <[email protected]> Subject: Moving a PKDS Key CAUTION EXTERNAL EMAIL This message came from outside your organization. DO NOT open attachments or click on links from unknown senders or unexpected emails. Report Suspicious<https://us-phishalarm-ewt.proofpoint.com/EWT/v1/MwwqYLOC6b6whF7V!o1OEdzBhQWvOOYx3wDIiXPhGY50wLDUtxLUDEgGYBkb1d9qzD_pxRXougU7n1Dy_bQ9EiupwYSXobFf9se4PUFz7Pp521U8lOXf4wc5G9R9Tm-epLD_py9OoBfEy5A$ > Listers: We are at z/OS v3.1 and use Broadcom's Top Secret as our security application. We generated a Certificate Signing Request (CSR) in lpar T and it's private key was saved in lpar T PKDS. We sent the CSR to a CA and got the certificate back. We imported the certificate in lpar T and tested it and it worked fine. Now we want to install the certificate in lpar P which has a different PKDS and Master Key. How can we move the certificate's private key from lpar T PKDS to lpar P PKDS as both lpars have different Master Keys. Any help would be appreciated. Roberto ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN This e-mail transmission contains information that is confidential and may be privileged. It is intended only for the addressee(s) named above. If you receive this e-mail in error, please do not read, copy or disseminate it in any manner. If you are not the intended recipient, any disclosure, copying, distribution or use of the contents of this information is prohibited. Please reply to the message immediately by informing the sender that the message was misdirected. After replying, please erase it from your computer system. Your assistance in correcting this error is appreciated. ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
