Confirmed that there is no TSS command that will extract the private key and remove it from the security file but keep the public key.
There IS a TSS command to re-connect the public and private key once the private key has been transferred to ICSF using IBM's KEYXFER tool.
Level 2 explained that since the private key is in ICSF you cannot TSS EXPORT the public and private key in PKCS12 format as I thought. You need to use the KEYXFER tool to transfer the private key and use the TSS EXPORT command to transfer the public key.
Then, you recombine them on the system they were transferred to, as long as both systems are using the same ICSF PKA master key. You don't need to share the security file or share the same ICSF PKDS.
IBM documents the procedures to do this at:
Here are the RACF commands converted from the above IBM documentation to TSS.
Perform the following steps to generate a RACF certificate and its ICSF public/private key pair on system A (the source system), and migrate them to system B (the target system).
1. Generate the certificate and its public/private key pair on system A.
RACDCERT ID(SYSMAN) GENCERT SUBJECTSDN(CN('Secure Key'))
WITHLABEL('SECURE.KEY') PKDS(*) SIZE(2048)
TSS GENCERT(SYSMAN) DIGICERT(SECREKEY) SUBJECTN('CN="Secure Key"') LABLCERT('SECURE.KEY') LABLPKDS(*) KEYSIZE(2048) ICSF
2. Extract the certificate from RACF and store it in an MVS™ data set called 'MY.CERT'. (The ICSF private key is not extracted in this step.)
RACDCERT ID(SYSMAN) EXPORT(LABEL('SECURE.KEY')) DSN(MY.CERT) FORMAT(CERTDER)
TSS EXPORT(SYSMAN) DIGICERT(SECREKEY) DSN(MY.CERT) FORMAT(CERTDER)
3. Extract the encrypted private key from ICSF using a non-RACF utility, such as KEYXFER.
4. Transmit both the key and certificate data sets to system B. This step completes your work on system A.
5. Receive both the key and certificate data sets on system B.
6. Add the encrypted private key to ICSF using a non-RACF utility, such as KEYXFER, specifying the desired PKDS label for the key on system B, 'MIGRATED.KEY'.
7. Add the certificate to RACF using the same RACF and PKDS label you used in Step 6, 'MIGRATED.KEY'.
RACDCERT ID(SYSMAN) ADD(MY.CERT) WITHLABEL('MIGRATED.KEY') PKDS(*)
TSS ADD(SYSMAN) DIGICERT(SECREKEY) LABLCERT('MIGRATED.KEY') DCDSN(MY.CERT) LABLPKDS(*)
8. List the migrated certificate to verify that RACF found the private key and assigned the private key to the certificate.
RACDCERT ID(SYSMAN) LIST(LABEL('MIGRATED.KEY'))
TSS LIST(SYSMAN) DIGICERT(SECREKEY)
Result: You should see similar information at the end of the certificate listing:
Key Type: RSA
Key Size: 2048
Private Key: YES
PKDS Label: MIGRATED.KEY
*** No rings associated ***
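
The check in step 8 can be automated when many certificates are migrated. The following is an added example, not part of the IBM procedure or of the original post: it assumes the listing has been captured as text and carries the fields shown in the result above; the function names and both sample listings are constructed for illustration.

```python
import re

# Key-related fields from the end of the certificate listing in step 8.
FIELDS = ("Key Type", "Key Size", "Private Key", "PKDS Label")


def parse_listing(text):
    """Return the key-related fields of a certificate listing as a dict."""
    found = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z ]+?):\s*(\S.*?)\s*$", line)
        if m and m.group(1) in FIELDS:
            found[m.group(1)] = m.group(2)
    return found


def check_migration(text, expected_label, expected_size=2048):
    """Return a list of problems; an empty list means the private key
    was found under the expected PKDS label and tied to the certificate."""
    f = parse_listing(text)
    problems = []
    if f.get("Private Key") != "YES":
        problems.append("no private key associated with the certificate")
    if f.get("PKDS Label") != expected_label:
        problems.append("PKDS label is %r, expected %r"
                        % (f.get("PKDS Label"), expected_label))
    if f.get("Key Size") != str(expected_size):
        problems.append("key size is %r, expected %d"
                        % (f.get("Key Size"), expected_size))
    return problems


# Constructed sample: the successful result shown in step 8.
GOOD = """Key Type: RSA
Key Size: 2048
Private Key: YES
PKDS Label: MIGRATED.KEY
*** No rings associated ***"""

# Constructed sample: certificate added, but no matching key in the PKDS
# (for example, the label given in step 7 differs from the one in step 6).
BAD = """Key Type: RSA
Key Size: 2048
Private Key: NO
*** No rings associated ***"""

if __name__ == "__main__":
    for name, listing in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_migration(listing, "MIGRATED.KEY") or "OK")
```

A non-empty result for a migrated certificate usually points back to steps 6 and 7: the PKDS label used when adding the key and the label used when adding the certificate must be the same.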