Receiving personal certificates into a key repository


After the CA sends you a new personal certificate, you add it to the key database file from which you generated the new certificate request. If the CA sends the certificate as part of an e-mail message, copy the certificate into a separate file.

Ensure that the certificate file to be imported has write permission for the current user, and then use the following procedure for either a queue manager or a WebSphere MQ client to receive a personal certificate into the key database file:

  1. Start the iKeyman GUI using either the gsk7ikm command (on UNIX) or the strmqikm command (on Windows).

  2. From the Key Database File menu, click Open. The Open window displays.

  3. Click Key database type and select CMS (Certificate Management System).

  4. Click Browse to navigate to the directory that contains the key database files.

  5. Select the key database file to which you want to add the certificate, for example key.kdb.

  6. Click Open, and then click OK. The Password Prompt window displays.

  7. Type the password you set when you created the key database and click OK. The name of your key database file is displayed in the File Name field. Select the Personal Certificates view.

  8. Click Receive. The Receive Certificate from a File window displays.

  9. Select the Data type of the new personal certificate, for example Base64-encoded ASCII data for a file with the .arm extension.

  10. Type the certificate file name and location for the new personal certificate, or click Browse to select the name and location.

  11. Click OK. If you already have a personal certificate in your key database, a window appears, asking if you want to set the key you are adding as the default key in the database.

  12. Click Yes or No. The Enter a Label window displays.

  13. Click OK. The Personal Certificates field shows the label of the new personal certificate you added.

Use the following commands to add a personal certificate to a key database file using IKEYCMD or GSKCapiCmd:

where:

-file filename is the fully qualified file name of the file containing the personal certificate.
-db filename is the fully qualified file name of a CMS key database.
-pw password is the password for the CMS key database.
-format ascii is the format of the certificate. The value can be ascii for Base64-encoded ASCII or binary for Binary DER data. The default is ascii.
-fips specifies that the command is run in FIPS mode. This mode disables the use of the BSafe cryptographic library. Only the ICC component is used and this component must be successfully initialized in FIPS mode. When in FIPS mode, the ICC component uses algorithms that have been FIPS 140-2 validated. If the ICC component does not initialize in FIPS mode, the gsk7capicmd command fails.
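The command-line route above depends on the -format value matching the encoding of the certificate file and on the preconditions stated earlier (a writable certificate file and an existing key database). The following shell script is an added example, not IBM's own code or text from this page: it checks those preconditions, picks ascii or binary from the file contents, and prints the resulting gsk7capicmd line for review rather than running it. It assumes the GSKit "-cert -receive" subcommand, which the page does not show; the KDB_PW variable and the sample files are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the IBM page): pre-flight checks for receiving a
# personal certificate into a CMS key database, then the gsk7capicmd line.
# Assumes the GSKit "-cert -receive" subcommand; -file, -db, -pw, -format and
# -fips are the options the page documents.

# Print "ascii" for a Base64 (.arm) file or "binary" for DER so that -format
# matches the file; a mismatch makes the receive fail. Returns 1 if unreadable.
cert_format() {
    [ -r "$1" ] || return 1
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then
        echo ascii
    else
        echo binary
    fi
}

# Preconditions from the page: the certificate file must be writable by the
# current user and the key database file must exist.
preflight() {
    [ -f "$1" ] || { echo "certificate file not found: $1" >&2; return 1; }
    [ -w "$1" ] || { echo "certificate file not writable: $1" >&2; return 1; }
    [ -f "$2" ] || { echo "key database not found: $2" >&2; return 1; }
}

# Print (do not run) the receive command. The password is referenced as the
# KDB_PW environment variable so it is not embedded in this script.
build_receive_cmd() {
    preflight "$1" "$2" || return 1
    fmt=$(cert_format "$1") || return 1
    cmd="gsk7capicmd -cert -receive -file $1 -db $2 -pw \"\$KDB_PW\" -format $fmt"
    if [ "$3" = fips ]; then cmd="$cmd -fips"; fi
    echo "$cmd"
}

# Demo on constructed files: the PEM body is a placeholder, not a real
# certificate, and key.kdb is an empty stand-in for a CMS key database.
demo() {
    d=$(mktemp -d) || return 1
    printf -- '-----BEGIN CERTIFICATE-----\nMIIC...constructed...\n-----END CERTIFICATE-----\n' > "$d/cert.arm"
    : > "$d/key.kdb"
    build_receive_cmd "$d/cert.arm" "$d/key.kdb" fips
    rc=$?
    rm -rf "$d"
    return $rc
}
```

Run `demo` to see the command that would be issued; in practice substitute the real .arm file and key.kdb paths and export KDB_PW before evaluating the printed line.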

If you are using cryptographic hardware, refer to Importing a personal certificate to your PKCS #11 hardware.
