The EZD1287I error can be caused by one of the required certificates does not have the 'TRUST' attribute.
The trust status of the first CA certificate added takes the value specified on the Insert command. The other CA certificates that are added take the trust value of the signing certificate. If a certificate is expired or it’s validity period is not completely within the validity period of it’s signing certificate, or if the signing certificate of the certificate is not in the PKCS 7 or PKCS 12 package or not in CA ACF2, then the certificate is added with a trust status of NOTRUST. If the CA certificate is already known to CA ACF2, the certificate retains it’s trust status.