Importing a personal certificate from a Microsoft.pfx file
Follow this procedure to import from a Microsoft.pfx file on UNIX, Linux, and Windows.
A .pfx file can contain two certificates relating to the same key. One is a personal or site certificate (containing both a public and private key). The other is a CA (signer) certificate (containing only a public key). These certificates cannot coexist in the same CMS key database file, so only one of them can be imported. Also, the "friendly name" or label is attached to only the signer certificate.
The personal certificate is identified by a system generated Unique User Identifier (UUID). This section shows the import of a personal certificate from a pfx file while labeling it with the friendly name previously assigned to the CA (signer) certificate. The issuing CA (signer) certificates should already be added to the target key database. Note that PKCS#12 files should be considered temporary and deleted after use.
Follow these steps to import a personal certificate from a source pfx key database:
- Start the GUI using the strmqikm command. The IBM Key Management window is displayed.
- From the Key Database File menu, click Open. The Open window is displayed.
- Select a key database type of PKCS12.
- You are recommended to take a backup of the pfx database before performing this step. Select the pfx key database that we want to import. Click Open. The Password Prompt window is displayed.
- Enter the key database password and click OK. The IBM Key Management window is displayed. The title bar shows the name of the selected pfx key database file, indicating that the file is open and ready.
- Select Signer Certificates from the list. The "friendly name" of the required certificate is displayed as a label in the Signer Certificates panel.
- Select the label entry and click Delete to remove the signer certificate. The Confirm window is displayed.
- Click Yes. The selected label is no longer displayed in the Signer Certificates panel.
- Repeat steps 6, 7, and 8 for all the signer certificates.
- From the Key Database File menu, click Open. The Open window is displayed.
- Select the target key CMS database which the pfx file is being imported into. Click Open. The Password Prompt window is displayed.
- Enter the key database password and click OK. The IBM Key Management window is displayed. The title bar shows the name of the selected key database file, indicating that the file is open and ready.
- Select Personal Certificates from the list.
- If there are certificates in the Personal Certificates view, follow these steps:
- Click Export/Import key. The Export/Import key window is displayed.
- Select Import from Choose Action Type.
- If there are no certificates in the Personal Certificates view, click Import.
- Select the PKCS12 file.
- Enter the name of the pfx file as used in Step 4. Click OK. The Password Prompt window is displayed.
- Specify the same password that you specified when you deleted the signer certificate. Click OK.
- The Change Labels window is displayed (as there should be only a single certificate available for import). The label of the certificate should be a UUID which has a format xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.
- To change the label select the UUID from the Select a label to change: panel. The label will be replicated into the Enter a new label: field. Replace the label text with that of the friendly name that was deleted in Step 7 and click Apply. The friendly name must be either the value of the IBM MQ CERTLABL attribute, if it is set, or the default ibmwebspheremq with the name of the queue manager or IBM MQ MQI client user logon ID appended, all in lowercase. See Digital certificate labels for details.
- Click OK. The Change Labels window is now removed and the original IBM Key Management window reappears with the Personal Certificates and Signer Certificates panels updated with the correctly labeled personal certificate.
- The pfx personal certificate is now imported to the (target) database.
It is not possible to change a certificate label using runmqckm or runmqakm.
Use the command line
To import a personal certificate using runmqckm on UNIX, Linux, and Windows, use the following command:runmqckm -cert -import -file filename -pw password -type pkcs12 -target filename -target_pw password -target_type cms -label label -pfxTo import a personal certificate using runmqakm, use the following command:
runmqakm -cert -import -file filename -pw password -type pkcs12 -target filename -target_pw password -target_type cms -label label -fips -pfx
where:
-file filename | is the fully qualified file name of the file containing the PKCS #12 certificate. |
-pw password | is the password for the PKCS #12 certificate. |
-type pkcs12 | is the type of the file. |
-target filename | is the name of the destination CMS key database. |
-target_pw password | is the password for the CMS key database. |
-target_type cms | is the type of the database specified by -target |
-label label | is the label of the certificate to import from the source key database. |
-new_label label | is the label that the certificate will be assigned in the target database. If you omit -new_label option, the default is to use the same as the -label option. |
-fips | specifies that the command is run in FIPS mode. When in FIPS mode, the ICC component uses algorithms that have been FIPS 140-2 validated. If the ICC component does not initialize in FIPS mode, the runmqakm command fails. |
-pfx | indicates PFX file format. |
- Export the certificate to a PKCS #12 file using the -cert -export command. Specify the existing certificate label for the -label option.
- Remove the existing copy of the certificate from the original key database using the -cert -delete command.
- Import the certificate from the PKCS #12 file using the -cert -import command. Specify the old label for the -label option and the required new label for the -new_label option. The certificate will be imported back into the key database with the required label.
Parent topic: Work with SSL/TLS on UNIX, Linux, and Windows