Importing a personal certificate into a key repository


Before importing a personal certificate in PKCS #12 format into the key database file, first add the full valid chain of issuing CA certificates to the key database file (see Adding a CA certificate (or the CA part of a self-signed certificate) into a key repository).

PKCS #12 files should be considered temporary and deleted after use.

Perform the following steps on the machine to which you want to import the personal certificate:

  1. Start the iKeyman GUI using either the gsk7ikm command (on UNIX) or the strmqikm command (on Windows).

  2. From the Key Database File menu, click Open. The Open window displays.

  3. Click Key database type and select CMS (Certificate Management System).

  4. Click Browse to navigate to the directory that contains the key database files.

  5. Select the key database file to which you want to add the certificate, for example key.kdb.

  6. Click Open. The Password Prompt window displays.

  7. Type the password you set when you created the key database and click OK. The name of your key database file displays in the File Name field.

  8. In the Key database content field, select Personal Certificates.

  9. Click Export/Import. The Export/Import key window is displayed.

  10. Select Import Key.

  11. Select the Key file type of the certificate you want to import, for example PKCS12.

  12. Type the certificate file name and location where the certificate is stored, or click Browse to select the name and location.

  13. Click OK. The Password Prompt window displays.

  14. In the Password field, type the password used when the certificate was exported.

  15. Click OK. The Select from Key Label List window is displayed.

  16. From the list of certificate labels displayed, select the ones that you want to import. Ensure that you include any CA (signer) certificates that might be necessary to form a full chain for any personal certificates you are importing. You do not need to include any that are already in the target key database.

  17. Click OK. The Change Labels window is displayed. This window allows the labels of certificates being imported to be changed if, for example, a certificate with the same label already exists in the target key database. Changing certificate labels has no effect on certificate chain validation. This can be used to change the personal certificate label to that required by WebSphere MQ in order to associate the certificate with the particular queue manager or client (ibmwebspheremqqm1 for example).

  18. To change a label, select the required label from the Select a label to change: list. The label is copied into the Enter a new label: entry field. Replace the label text with that of the new label and click Apply.

  19. The text in the Enter a new label: entry field is copied back into the Select a label to change: field, replacing the originally selected label and so relabelling the corresponding certificate.

  20. When you have changed all the labels that needed to be changed, click OK. The Change Labels window closes, and the original IBM Key Management window reappears with the Personal Certificates and Signer Certificates fields updated with the correctly labeled certificates.

  21. The certificate is imported to the target key database.

To import a personal certificate using IKEYCMD, use the following commands:

To import a personal certificate using GSKCapiCmd, use the following command:

gsk7capicmd -cert -import -file filename -pw password -type pkcs12 -target filename -target_pw password -target_type cms -label label -new_label label -fips

where:

-file filename is the fully qualified file name of the file containing the PKCS #12 certificate.
-pw password is the password for the PKCS #12 certificate.
-type pkcs12 is the type of the file.
-target filename is the name of the destination CMS key database.
-target_pw password is the password for the CMS key database.
-target_type cms is the type of the database specified by -target.
-label label is the label of the certificate to import from the source key database.
-new_label label is the label that the certificate is assigned in the target database. If you omit the -new_label option, the certificate keeps the label given by the -label option.
-fips specifies that the command is run in FIPS mode. This mode disables the use of the BSafe cryptographic library. Only the ICC component is used and this component must be successfully initialized in FIPS mode. When in FIPS mode, the ICC component uses algorithms that have been FIPS 140-2 validated. If the ICC component does not initialize in FIPS mode, the gsk7capicmd command fails.

IKEYCMD does not provide a command to change certificate labels directly. Use the following steps to change a certificate label:

  1. Export the certificate to a PKCS #12 file using the -cert -export command. Specify the existing certificate label for the -label option.

  2. Remove the existing copy of the certificate from the original key database using the -cert -delete command.

  3. Import the certificate from the PKCS #12 file using the -cert -import command. Specify the old label for the -label option and the required new label for the -new_label option. The certificate will be imported back into the key database with the required label.
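Both GSKCapiCmd procedures on this page, the import with relabelling and the three-step export/delete/import workaround for changing a label, as one added shell example; this is not part of the IBM documentation. The -cert -export and -cert -delete argument names (-db, -pw, -label, -target_type pkcs12) are assumed from GSKCapiCmd's general syntax, since the page spells out only the import form, and GSKCAPICMD is a convenience variable of this script.

```shell
#!/bin/sh
# Added example: scripts the two GSKCapiCmd procedures from this page.
# GSKCAPICMD is a convenience of this script (assumption), not a tool option.
GSKCAPICMD="${GSKCAPICMD:-gsk7capicmd}"

# Import personal certificate LABEL from PKCS #12 file P12 into CMS key
# database KDB. NEW_LABEL (optional) is the label WebSphere MQ expects,
# for example ibmwebspheremqqm1. The PKCS #12 file is deleted on success
# because the page treats such files as temporary; on failure it is kept so
# the import can be retried and the certificate is not lost.
import_personal_cert() {
  p12=$1; p12_pw=$2; kdb=$3; kdb_pw=$4; label=$5; new_label=$6
  set -- -cert -import -file "$p12" -pw "$p12_pw" -type pkcs12 \
         -target "$kdb" -target_pw "$kdb_pw" -target_type cms -label "$label"
  if [ -n "$new_label" ]; then set -- "$@" -new_label "$new_label"; fi
  "$GSKCAPICMD" "$@" || { echo "import of '$label' into $kdb failed" >&2; return 1; }
  rm -f "$p12"
}

# GSKCapiCmd has no relabel command. The page's workaround: export the
# certificate to PKCS #12, delete the original, re-import with -new_label.
# The -cert -export and -cert -delete flags below follow the tool's general
# -db/-pw/-label syntax (assumed; the page spells out only the import form).
relabel_cert() {
  kdb=$1; kdb_pw=$2; old_label=$3; new_label=$4
  tmp_p12="${TMPDIR:-/tmp}/relabel-$$.p12"
  # one-time password protecting the temporary PKCS #12 file
  tmp_pw=$(od -An -N16 -tx1 /dev/urandom | tr -d ' \n')
  "$GSKCAPICMD" -cert -export -db "$kdb" -pw "$kdb_pw" -label "$old_label" \
      -target "$tmp_p12" -target_pw "$tmp_pw" -target_type pkcs12 \
      || { rm -f "$tmp_p12"; return 1; }
  "$GSKCAPICMD" -cert -delete -db "$kdb" -pw "$kdb_pw" -label "$old_label" \
      || { rm -f "$tmp_p12"; return 1; }
  # import_personal_cert removes tmp_p12 once the re-import succeeds
  import_personal_cert "$tmp_p12" "$tmp_pw" "$kdb" "$kdb_pw" "$old_label" "$new_label"
}

# Usage: cert-import.sh import P12 P12_PW KDB KDB_PW LABEL [NEW_LABEL]
#        cert-import.sh relabel KDB KDB_PW OLD_LABEL NEW_LABEL
case "${1:-}" in
  import)  shift; import_personal_cert "$@" ;;
  relabel) shift; relabel_cert "$@" ;;
esac
```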
