Exporting a personal certificate from a key repository on UNIX, Linux, and Windows
Follow this procedure to export a personal certificate.
Use strmqikm
To manage TLS certificates in a way that is FIPS compliant, use the runmqakm command. strmqikm (iKeyman) does not provide a FIPS-compliant option.
Perform the following steps on the machine from which we want to export the personal certificate:
- Start the GUI using the strmqikm command (on Windows, UNIX, and Linux).
- From the Key Database File menu, click Open. The Open window opens.
- Click Key database type and select CMS (Certificate Management System).
- Click Browse to navigate to the directory that contains the key database files.
- Select the key database file from which we want to export the certificate, for example key.kdb.
- Click Open. The Password Prompt window opens.
- Type the password you set when you created the key database and click OK. The name of your key database file is displayed in the File Name field.
- In the Key database content field, select Personal Certificates and select the certificate we want to export.
- Click Export/Import. The Export/Import key window opens.
- Select Export Key.
- Select the Key file type of the certificate we want to export, for example PKCS12.
- Type the file name and location to which we want to export the certificate, or click Browse to select the name and location.
- Click OK. The Password Prompt window opens. Note that when you export (rather than extract) a certificate, both the public and private parts of the certificate are included. This is why the exported file is protected by a password. When you extract a certificate, only the public part of the certificate is included, so a password is not required.
- Type a password in the Password field, and type it again in the Confirm Password field.
- Click OK. The certificate is exported to the file you specified.
Use the command line
Use the following commands to export a personal certificate using runmqckm:
- On UNIX, Linux, and Windows:
runmqckm -cert -export -db filename -pw password -label label -type cms -target filename -target_pw password -target_type pkcs12
where:
-db filename is the fully qualified path name of the CMS key database.
-fips specifies that the command is run in FIPS mode. When in FIPS mode, the ICC component uses algorithms that have been FIPS 140-2 validated. If the ICC component does not initialize in FIPS mode, the runmqakm command fails.
-pw password is the password for the CMS key database.
-label label is the label attached to the certificate.
-type cms is the type of the database.
-target filename is the fully qualified path name of the destination file.
-target_pw password is the password for encrypting the certificate.
-target_type pkcs12 is the type of the certificate.
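The following is an added example, not part of the IBM documentation: a shell wrapper around the runmqckm export command above that creates the PKCS12 file with owner-only permissions, because the exported file contains the private key. The function name export_personal_cert and the environment variables KDB_PW and P12_PW are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not IBM's code): wrapper around the runmqckm export above.
# export_personal_cert is a hypothetical helper name; KDB_PW and P12_PW are
# assumed environment variables holding the two passwords.
# Note: runmqckm takes the passwords as arguments (syntax above), so they are
# visible in the process list while the command runs.

export_personal_cert() {
    kdb=$1; label=$2; target=$3

    [ -r "$kdb" ] || { echo "key database not readable: $kdb" >&2; return 2; }
    # Never overwrite an existing export: it may hold a different private key.
    [ ! -e "$target" ] || { echo "target already exists: $target" >&2; return 3; }
    [ -n "${KDB_PW:-}" ] && [ -n "${P12_PW:-}" ] || {
        echo "set KDB_PW and P12_PW first" >&2; return 4; }

    # The PKCS12 file carries the private key, so create it owner-only.
    # The subshell keeps the umask change local to this call.
    (
        umask 077
        runmqckm -cert -export -db "$kdb" -pw "$KDB_PW" -label "$label" \
            -type cms -target "$target" -target_pw "$P12_PW" \
            -target_type pkcs12
    ) || { echo "runmqckm export failed" >&2; return 1; }

    # Confirm the file exists and that group/other have no access bits.
    [ -f "$target" ] || { echo "no output file produced" >&2; return 1; }
    perms=$(ls -ld "$target" | cut -c5-10)
    [ "$perms" = "------" ] || { echo "loose permissions on $target" >&2; return 5; }
}
```

Call it as export_personal_cert /path/to/key.kdb label /path/to/export.p12 after setting KDB_PW and P12_PW in the environment.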