Add personal certificates to a key repository

 


After the CA sends you a new personal certificate, you add it to the key database file from which you generated the request. If the CA sends the certificate as part of an e-mail message, copy the certificate into a separate file.

Use the following procedure for either a queue manager or a WebSphere MQ client to receive a personal certificate into the key database file:

  1. Execute the gsk6ikm command to start the iKeyman GUI.

  2. From the Key Database File menu, click Open. The Open window displays.

  3. Click Key database type and select CMS (Certificate Management System).

  4. Click Browse to navigate to the directory that contains the key database files.

  5. Select the key database file to which you want to add the certificate, for example key.kdb.

  6. Click Open. The Password Prompt window displays.

  7. Type the password you set when you created the key database and click OK. The name of the key database file displays in the File Name field and Personal Certificates is selected.

  8. Click Receive. The Receive Certificate from a File window displays.

  9. Select the Data type of the new personal certificate, for example Base64-encoded ASCII data for a file with the .arm extension.

  10. Type the certificate file name and location for the new personal certificate, or click Browse to select the name and location.

  11. Click OK. If you already have a personal certificate in the key database, a window appears, asking if you want to set the key you are adding as the default key in the database.

  12. Click Yes or No. The Enter a Label window displays.

  13. Type a label, for example the label you used when you requested the personal certificate. Note that the label must be in the correct WebSphere MQ format:

    • For a queue manager, ibmwebspheremq followed by the name of the queue manager folded to lower case. For example, for PARIS, ibmwebspheremqparis.

    • For a WebSphere MQ client, ibmwebspheremq followed by the logon user ID folded to lower case, for example ibmwebspheremqmyuserid.

  14. Click OK. The Personal Certificates field shows the label of the new personal certificate you added.

Use the following command to add a personal certificate to a key database file using IKEYCMD:

gsk6cmd -cert -receive -file filename -db filename -pw password -label label 
        -format ascii 

where:

-file filename is the fully qualified path name of the file containing the personal certificate.
-db filename is the fully qualified path name of a CMS key database.
-pw password is the password for the CMS key database.
-label label is the label attached to the certificate.
-format ascii is the format of the certificate. The value can be ascii for Base64-encoded ASCII or binary for Binary DER data. The default is ascii.
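
The following shell functions are an added example, not part of the original IBM documentation. They derive the label in the WebSphere MQ format described above, check that a Base64 file contains only the certificate (no leftover e-mail text), and choose the -format value before calling gsk6cmd. The function names and the DRY_RUN and MQ_KDB_PW variables are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: pre-flight checks around `gsk6cmd -cert -receive`.
# DRY_RUN and MQ_KDB_PW are hypothetical variable names, not gsk6cmd options.

# Label = "ibmwebspheremq" + queue manager name (or client logon user ID),
# folded to lower case.
mq_label() {
    printf 'ibmwebspheremq%s\n' "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')"
}

# Print the -format value for a certificate file: "ascii" when the file holds
# exactly one Base64 certificate block and nothing else, "binary" when it has
# no PEM header (assumed to be DER). Fail when other text surrounds the block,
# for example headers left over from the CA's e-mail.
cert_format() {
    [ -r "$1" ] || { echo "error: cannot read $1" >&2; return 1; }
    n=$(grep -c -e '^-----BEGIN CERTIFICATE-----' "$1" || true)
    [ "$n" -ne 0 ] || { echo binary; return 0; }
    text=$(tr -d '\r' < "$1" | grep -v '^[[:space:]]*$' || true)
    first=$(printf '%s\n' "$text" | head -n 1)
    last=$(printf '%s\n' "$text" | tail -n 1)
    if [ "$n" -ne 1 ] || [ "$first" != '-----BEGIN CERTIFICATE-----' ] ||
       [ "$last" != '-----END CERTIFICATE-----' ]; then
        echo "error: $1 has text outside a single certificate block" >&2
        return 1
    fi
    echo ascii
}

# receive_cert NAME CERTFILE KDB
# NAME is the queue manager name or the client logon user ID.
receive_cert() {
    label=$(mq_label "$1") || return 1
    fmt=$(cert_format "$2") || return 1
    if [ -n "${DRY_RUN:-}" ]; then
        # Show the command with the password masked.
        echo "gsk6cmd -cert -receive -file $2 -db $3 -pw ******** -label $label -format $fmt"
        return 0
    fi
    [ -n "${MQ_KDB_PW:-}" ] || { echo "error: MQ_KDB_PW is not set" >&2; return 1; }
    # -pw places the password in the process argument list while gsk6cmd runs.
    gsk6cmd -cert -receive -file "$2" -db "$3" -pw "$MQ_KDB_PW" \
        -label "$label" -format "$fmt"
}

# Usage (paths are placeholders):
#   DRY_RUN=1 receive_cert PARIS /path/to/paris.arm /path/to/key.kdb
```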

If you are using cryptographic hardware, refer to Importing a personal certificate to the PKCS #11 hardware.

 
