Extracting the public part of a self-signed certificate from a key repository on UNIX, Linux, and Windows
Follow this procedure to extract the public part of a self-signed certificate.
Use iKeyman
If you need to manage TLS certificates in a way that is FIPS compliant, use the runmqakm command. iKeyman does not provide a FIPS-compliant option.
Perform the following steps on the machine from which you want to extract the public part of a self-signed certificate:
- Start the iKeyman GUI using the strmqikm command (on UNIX, Linux , and Windows ).
- From the Key Database File menu, click Open. The Open window opens.
- Click Key database type and select CMS (Certificate Management System).
- Click Browse to navigate to the directory that contains the key database files.
- Select the key database file from which you want to extract the certificate, for example key.kdb.
- Click OK. The Password Prompt window opens.
- Type the password you set when you created the key database and click OK. The name of your key database file is displayed in the File Name field.
- In the Key database content field, select Personal Certificates and select the certificate.
- Click Extract certificate. The Extract a Certificate to a File window opens.
- Select the Data type of the certificate, for example Base64-encoded ASCII data for a file with the .arm extension.
- Type the certificate file name and location where you want to store the certificate, or click Browse to select the name and location.
- Click OK. The certificate is written to the file you specified. Note that when you extract (rather than export) a certificate, only the public part of the certificate is included, so a password is not required.
Use the command line
Use the following commands to extract the public part of a self-signed certificate using runmqckm or runmqakm:where:
- On UNIX, Linux, and Windows:
runmqckm -cert -extract -db filename -pw password -label label -target filename -format ascii- Use runmqakm:
runmqakm -cert -extract -db filename -pw password -label label -target filename -format ascii -fips
-db filename is the fully qualified path name of a CMS key database. -pw password is the password for the CMS key database. -label label is the label attached to the certificate. -target filename is the name of the destination file. -format ascii is the format of the certificate. The value can be ascii for Base64-encoded ASCII or binary for Binary DER data. The default is ascii. -fips specifies that the command is run in FIPS mode. When in FIPS mode, the ICC component uses algorithms that have been FIPS 140-2 validated. If the ICC component does not initialize in FIPS mode, the runmqakm command fails.