Extracting a CA certificate from a key repository on UNIX, Linux, and Windows
Follow this procedure to extract a CA certificate.
Use strmqiqm
For to manage TLS certificates in a way that is FIPS compliant, use the runmqakm command. strmqiqm (iKeyman) does not provide a FIPS-compliant option.
Perform the following steps on the machine from which we want to extract the CA certificate:
- Start the GUI using the strmqikm command..
- From the Key Database File menu, click Open. The Open window opens.
- Click Key database type and select CMS (Certificate Management System).
- Click Browse to navigate to the directory that contains the key database files.
- Select the key database file from which we want to extract, for example key.kdb.
- Click Open. The Password Prompt window opens.
- Type the password you set when you created the key database and click OK. The name of your key database file is displayed in the File Name field.
- In the Key database content field, select Signer Certificates and select the certificate we want to extract.
- Click Extract. The Extract a Certificate to a File window opens.
- Select the Data type of the certificate, for example Base64-encoded ASCII data for a file with the .arm extension.
- Type the certificate file name and location where we want to store the certificate, or click Browse to select the name and location.
- Click OK. The certificate is written to the file you specified.
Use the command line
Use the following commands to extract a CA certificate using runmqckm:
- On UNIX, Linux, and Windows:
runmqckm -cert -extract -db filename -pw password -label label -target filename -format asciiwhere:
Parent topic: Work with SSL/TLS on UNIX, Linux, and Windows
-db filename is the fully qualified path name of a CMS key database. -pw password is the password for the CMS key database. -label label is the label attached to the certificate. -target filename is the name of the destination file. -format ascii is the format of the certificate. The value can be ascii for Base64-encoded ASCII or binary for Binary DER data. The default is ascii. -fips specifies that the command is run in FIPS mode. When in FIPS mode, the ICC component uses algorithms that have been FIPS 140-2 validated. If the ICC component does not initialize in FIPS mode, the runmqakm command fails.