Renewing an existing personal certificate on UNIX, Linux, and Windows

We can renew a personal certificate by using the strmqikm (iKeyman) GUI, or from the command line using the runmqckm (iKeycmd) or runmqakm (GSKCapiCmd) commands.


If we need to use larger key sizes for the personal certificates, we cannot renew an existing certificate. We must replace the existing key by following the steps described in Requesting a personal certificate on UNIX, Linux, and Windows to create a new certificate request that uses the key sizes we require.

A personal certificate has an expiry date, after which the certificate can no longer be used. This task explains how to renew an existing personal certificate before it expires.



Use the strmqikm user interface


About this task

strmqikm does not provide a FIPS-compliant option. To manage TLS certificates in a way that is FIPS-compliant, use the runmqakm command.


Procedure

Complete the following steps to apply for a personal certificate, by using the strmqikm user interface:

  1. Start the user interface by using the strmqikm command on UNIX, Linux, and Windows.
  2. From the Key Database File menu, click Open. The Open window opens.
  3. Click Key database type and select CMS (Certificate Management System).
  4. Click Browse to navigate to the directory that contains the key database files.
  5. Select the key database file from which we want to generate the request; for example, key.kdb.
  6. Click Open. The Password Prompt window opens.
  7. Type the password you set when you created the key database and click OK. The name of the key database file is shown in the File Name field.
  8. Select Personal Certificates from the drop-down selection menu, and select the certificate that you want to renew from the list.
  9. Click the Re-create Request... button. A window opens for you to enter the file name and file location information.
  10. In the file name field, either accept the default certreq.arm, or type a new value, including the full file path.
  11. Click OK. The certificate request is stored in the file you selected in step 9.
  12. Request the new personal certificate either by sending the file to a certificate authority (CA), or by copying the file into the request form on the website for the CA.


Use the command line


Procedure

Use the following commands to request a personal certificate by using either the runmqckm or runmqakm command:

  • Use runmqckm on UNIX, Linux, and Windows systems:
    runmqckm -certreq -recreate -db filename -pw password -label label -target filename

  • Use runmqakm:
    runmqakm -certreq -recreate -db filename -pw password -label label -target filename
    

where:

    -db filename
    Specifies the fully qualified file name of a CMS key database.

    -pw password
    Specifies the password for the CMS key database.

    -target filename
    Specifies the file name for the certificate request.
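
Because renewal reuses the existing key, it is worth checking the current certificate's key size and expiry before re-creating the request. The following is an added example, not part of the original page or IBM's tooling: the function names, the MQ_KDB_PW environment variable, the runmqakm -cert -extract step and the availability of openssl are assumptions.

```shell
#!/bin/sh
# Added example: decide whether a personal certificate can be renewed with its
# existing key or must be replaced, then re-create the request if renewal is due.
# Function names and MQ_KDB_PW are hypothetical; openssl is assumed installed.

# Print the public key size in bits of a PEM (ASCII) certificate file.
cert_key_bits() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p'
}

# Print "replace" if the key is smaller than min_bits (renewal keeps the old
# key, so a new certificate request is required), "renew" if the certificate
# expires within `days` days, otherwise "ok".
renewal_action() {
    cert=$1 min_bits=$2 days=$3
    bits=$(cert_key_bits "$cert")
    [ -n "$bits" ] || { echo "error"; return 1; }
    if [ "$bits" -lt "$min_bits" ]; then
        echo "replace"
    elif openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null; then
        echo "ok"
    else
        echo "renew"
    fi
}

# Usage: renew_if_due DB LABEL MIN_BITS DAYS
# Extracts the certificate from the CMS key database, and runs the
# -certreq -recreate command from this page only when the action is "renew".
renew_if_due() {
    db=$1 label=$2
    tmpdir=$(mktemp -d) || return 1
    runmqakm -cert -extract -db "$db" -pw "$MQ_KDB_PW" -label "$label" \
        -target "$tmpdir/cert.arm" -format ascii || { rm -rf "$tmpdir"; return 1; }
    action=$(renewal_action "$tmpdir/cert.arm" "$3" "$4")
    rm -rf "$tmpdir"
    if [ "$action" = "renew" ]; then
        runmqakm -certreq -recreate -db "$db" -pw "$MQ_KDB_PW" -label "$label" \
            -target certreq.arm || return 1
    fi
    echo "$action"
}
```

A result of "replace" means the existing key is too small for the stated minimum, so the new-request procedure applies instead of renewal.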


What to do next

Once you have received the signed personal certificate from the certificate authority, you can add it to your key database using the steps described in Receive personal certificates into a key repository on UNIX, Linux, and Windows.