+

Search Tips | Advanced Search

Importing a personal certificate into a key repository on UNIX, Linux, and Windows

Follow this procedure to import a personal certificate

Before importing a personal certificate in PKCS #12 format into the key database file, you must first add the full valid chain of issuing CA certificates to the key database file (see Add a CA certificate, or the public part of a self-signed certificate, into a key repository on UNIX, Linux, and Windows ).

PKCS #12 files should be considered temporary and deleted after use.


Use iKeyman

If you need to manage TLS certificates in a way that is FIPS-compliant, use the runmqakm command. iKeyman does not provide a FIPS-compliant option.

Perform the following steps on the machine to which you want to import the personal certificate:

  1. Start the iKeyman GUI using the strmqikm command .
  2. From the Key Database File menu, click Open. The Open window displays.
  3. Click Key database type and select CMS (Certificate Management System).
  4. Click Browse to navigate to the directory that contains the key database files.
  5. Select the key database file to which you want to add the certificate, for example key.kdb.
  6. Click Open. The Password Prompt window displays.
  7. Type the password you set when you created the key database and click OK. The name of your key database file displays in the File Name field.
  8. In the Key database content field, select Personal Certificates.
  9. If there are certificates in the Personal Certificates view, follow these steps:
    1. Click Export/Import. The Export/Import key window is displayed.
    2. Select Import Key.
  10. If there are no certificates in the Personal Certificates view, click Import.
  11. Select the Key file type of the certificate you want to import, for example PKCS12.
  12. Type the certificate file name and location where the certificate is stored, or click Browse to select the name and location.
  13. Click OK. The Password Prompt window displays.
  14. In the Password field, type the password used when the certificate was exported.
  15. Click OK. The Change Labels window is displayed. We can change the labels of certificates being imported if, for example, a certificate with the same label already exists in the target key database. Changing certificate labels has no effect on certificate chain validation. To associate the certificate with a particular queue manager or IBM MQ MQI client, IBM MQ uses either the value of the CERTLABL attribute, if it is set, or the default ibmwebspheremq with the name of the queue manager or IBM MQ MQI client user logon ID appended, all in lowercase. See Digital certificate labels for details.
  16. To change a label, select the required label from the Select a label to change list. The label is copied into the Enter a new label entry field. Replace the label text with that of the new label and click Apply.
  17. The text in the Enter a new label entry field is copied back into the Select a label to change field, replacing the originally selected label and so relabelling the corresponding certificate.
  18. When we have changed all the labels that needed to be changed, click OK. The Change Labels window closes, and the original IBM Key Management window reappears with the Personal Certificates and Signer Certificates fields updated with the correctly labeled certificates.
  19. The certificate is imported to the target key database.


Use the command line

To import a personal certificate using runmqckm, use the following command:

where:

iKeycmd does not provide a command to change certificate labels directly. Use the following steps to change a certificate label:
  1. Export the certificate to a PKCS #12 file using the -cert -export command. Specify the existing certificate label for the -label option.
  2. Remove the existing copy of the certificate from the original key database using the -cert -delete command.
  3. Import the certificate from the PKCS #12 file using the -cert -import command. Specify the old label for the -label option and the required new label for the -new_label option. The certificate will be imported back into the key database with the required label.