Importing from a Microsoft .pfx file


This section describes how to import from a Microsoft .pfx file using iKeyman. GSKCapiCmd cannot be used to import a .pfx file.

A .pfx file can contain two certificates relating to the same key. One is a personal or site certificate (containing both a public and private key). The other is a CA (signer) certificate (containing only a public key). These certificates cannot coexist in the same CMS key database file, so only one of them can be imported. Also, the “friendly name” or label is attached to only the signer certificate.

The personal certificate is identified by a system-generated Unique User Identifier (UUID). This section shows the import of a personal certificate from a pfx file while labeling it with the friendly name previously assigned to the CA (signer) certificate. The issuing CA (signer) certificates should already be added to the target key database. Note that PKCS#12 files should be considered temporary and deleted after use.

Follow these steps to import a personal certificate from a source pfx key database:

  1. Start the iKeyman GUI using either the gsk7ikm command (on UNIX) or the strmqikm command (on Windows). The IBM Key Management window is displayed.

  2. From the Key Database File menu, click Open. The Open window is displayed.

  3. Select a key database type of PKCS12.

  4. It is recommended that you back up the pfx key database before performing this step, because the steps that follow delete the signer certificates from it. Select the pfx key database that you want to import. Click Open. The Password Prompt window is displayed.

  5. Enter the key database password and click OK. The IBM Key Management window is displayed. The title bar shows the name of the selected pfx key database file, indicating that the file is open and ready.

  6. Select Signer Certificates from the list. The “friendly name” of the required certificate is displayed as a label in the Signer Certificates panel.

  7. Select the label entry and click Delete to remove the signer certificate. The Confirm window is displayed.

  8. Click Yes. The selected label is no longer displayed in the Signer Certificates panel.

  9. Repeat steps 6, 7, and 8 for all the signer certificates.

  10. From the Key Database File menu, click Open. The Open window is displayed.

  11. Select the target CMS key database into which the pfx file is being imported. Click Open. The Password Prompt window is displayed.

  12. Enter the key database password and click OK. The IBM Key Management window is displayed. The title bar shows the name of the selected key database file, indicating that the file is open and ready.

  13. Select Personal Certificates from the list.

  14. Click Import to import keys from the pfx key database. The Import Key window is displayed.

    • Click Export/Import key. The Export/Import key window is displayed.

    • Select Import from Choose Action Type.

  15. Select the PKCS12 file.

  16. Enter the name of the pfx file as used in Step 4. Click OK. The Password Prompt window is displayed.

  17. Enter the same password that you specified when you deleted the signer certificate. Click OK.

  18. The Change Labels window is displayed (as there should be only a single certificate available for import). The label of the certificate should be a UUID, which has the format xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.

  19. To change the label, select the UUID from the Select a label to change: panel. The label is replicated into the Enter a new label: field. Replace the label text with the friendly name that was deleted in Step 7 and click Apply. The friendly name must be in the form ibmwebspheremq, followed by the queue manager name or the WebSphere MQ client user logon ID in lower case.

  20. The text in the Enter a new label: field is replicated back into the Select a label to change: panel, replacing the originally selected label and so relabelling the personal certificate with the required friendly name.

  21. Click OK. The Change Labels window is now removed and the original IBM Key Management window reappears with the Personal Certificates and Signer Certificates panels updated with the correctly labeled personal certificate.

  22. The pfx personal certificate is now imported to the (target) database.

It is not possible to change a certificate label using IKEYCMD or GSKCapiCmd.
