+

Search Tips | Advanced Search

Extracting a CA certificate from a key repository on UNIX, Linux, and Windows

Follow this procedure to extract a CA certificate.


Use strmqiqm

For to manage TLS certificates in a way that is FIPS compliant, use the runmqakm command. strmqiqm (iKeyman) does not provide a FIPS-compliant option.

Perform the following steps on the machine from which we want to extract the CA certificate:

  1. Start the GUI using the strmqikm command..
  2. From the Key Database File menu, click Open. The Open window opens.
  3. Click Key database type and select CMS (Certificate Management System).
  4. Click Browse to navigate to the directory that contains the key database files.
  5. Select the key database file from which we want to extract, for example key.kdb.
  6. Click Open. The Password Prompt window opens.
  7. Type the password you set when you created the key database and click OK. The name of your key database file is displayed in the File Name field.
  8. In the Key database content field, select Signer Certificates and select the certificate we want to extract.
  9. Click Extract. The Extract a Certificate to a File window opens.
  10. Select the Data type of the certificate, for example Base64-encoded ASCII data for a file with the .arm extension.
  11. Type the certificate file name and location where we want to store the certificate, or click Browse to select the name and location.
  12. Click OK. The certificate is written to the file you specified.


Use the command line

Use the following commands to extract a CA certificate using runmqckm:

  • On UNIX, Linux, and Windows:
    runmqckm -cert -extract -db filename -pw password -label label -target filename
             -format ascii
    

where:

-db filename is the fully qualified path name of a CMS key database.
-pw password is the password for the CMS key database.
-label label is the label attached to the certificate.
-target filename is the name of the destination file.
-format ascii is the format of the certificate. The value can be ascii for Base64-encoded ASCII or binary for Binary DER data. The default is ascii.
-fips specifies that the command is run in FIPS mode. When in FIPS mode, the ICC component uses algorithms that have been FIPS 140-2 validated. If the ICC component does not initialize in FIPS mode, the runmqakm command fails.
Parent topic: Work with SSL/TLS on UNIX, Linux, and Windows

Last updated: 2020-10-04