Adding a CA certificate, or the public part of a self-signed certificate, into a key repository on UNIX, Linux, and Windows

Follow this procedure to add a CA certificate or the public part of a self-signed certificate to the key repository.

If the certificate that we want to add is in a certificate chain, we must also add all the certificates that are above it in the chain. We must add the certificates in strictly descending order starting from the root, followed by the CA certificate immediately below it in the chain, and so on.

Where the following instructions refer to a CA certificate, they also apply to the public part of a self-signed certificate.

Note: We must ensure that the certificate is in ASCII (UTF-8) or binary (DER) encoding, because IBM Global Secure Toolkit (GSKit) does not support certificates with other types of encoding.


Use strmqikm

To manage TLS certificates in a way that is FIPS compliant, use the runmqakm command. strmqikm does not provide a FIPS-compliant option.

Perform the following steps on the machine on which we want to add the CA certificate:

  1. Start the GUI using the strmqikm command (on UNIX, Linux and Windows systems).
  2. From the Key Database File menu, click Open. The Open window opens.
  3. Click Key database type and select CMS (Certificate Management System).
  4. Click Browse to navigate to the directory that contains the key database files.
  5. Select the key database file to which we want to add the certificate, for example key.kdb.
  6. Click OK. The Password Prompt window opens.
  7. Type the password you set when you created the key database and click OK. The name of your key database file displays in the File Name field.
  8. In the Key database content field, select Signer Certificates.
  9. Click Add. The Add CA's Certificate from a File window opens.
  10. Type the certificate file name and location where the certificate is stored, or click Browse to select the name and location.
  11. Click OK. The Enter a Label window opens.
  12. In the Enter a Label window, type the name of the certificate.
  13. Click OK. The certificate is added to the key database.


Use the command line

To add a CA certificate to a key database, use either of the following commands:

  • Use runmqckm:
    runmqckm -cert -add -db filename -pw password -label label
             -file filename -format ascii
  • Use runmqakm:
    runmqakm -cert -add -db filename -pw password -label label
             -file filename -format ascii -fips

where:

    -db filename
    Specifies the fully qualified file name of the CMS key database.

    -pw password
    Specifies the password for the CMS key database.

    -label label
    Specifies the label attached to the certificate.

    -file filename
    Specifies the name of the file containing the certificate.

    -format ascii
    Specifies the format of the certificate. The value can be ascii for Base64-encoded ASCII or binary for binary DER data. The default is ascii.

    -fips
    Specifies that the command is run in FIPS mode. When in FIPS mode, the ICC component uses algorithms that have been FIPS 140-2 validated. If the ICC component does not initialize in FIPS mode, the runmqakm command fails.
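As an added example (not IBM's code and not part of this topic), the following Python helper applies two of the rules above before anything is written to the key database: it detects whether each certificate file is Base64 ASCII or binary DER so the right -format value is chosen, orders a set of CA certificates root-first by matching each certificate's Issuer to the Subject of the one above it (a raw DER byte comparison, which is sufficient for a correctly issued chain), and emits the runmqakm commands in that order. The sample certificates are constructed DER skeletons, not real certificates, and the label prefix, file names and key database path are assumptions.

```python
import base64, re, shlex

def tlv(data, pos=0):  # decode one DER TLV at pos -> (tag, value, end); handles long-form lengths
    tag, ln, pos = data[pos], data[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + ln], pos + ln

def names(cert_der):  # raw DER bodies of Issuer and Subject, in RFC 5280 tbsCertificate field order
    tbs, fields, pos = tlv(tlv(cert_der)[1])[1], [], 0
    while pos < len(tbs):
        tag, val, pos = tlv(tbs, pos)
        fields.append((tag, val))
    if fields[0][0] == 0xA0:            # skip the optional explicit [0] version
        fields = fields[1:]
    return fields[2][1], fields[4][1]   # serial, signature, issuer, validity, subject, ...

def load(raw):  # -> (der, value for -format): PEM -> "ascii", DER (leading SEQUENCE tag) -> "binary"
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", raw, re.S)
    if not m and raw[:1] != b"\x30":
        raise ValueError("GSKit accepts only Base64 ASCII or binary DER certificates")
    return (base64.b64decode(b"".join(m.group(1).split())), "ascii") if m else (raw, "binary")

def order_chain(files):  # {path: bytes} -> [(path, format)] root first, then each CA directly below it
    info = {p: (*names(der), fmt) for p, (der, fmt) in ((p, load(r)) for p, r in files.items())}
    (root,) = [p for p, (i, s, _) in info.items() if i == s]  # exactly one self-signed root, else ValueError
    ordered = [root]
    while len(ordered) < len(info):  # follow issuer -> subject links downwards, one certificate per level
        (below,) = [p for p, (i, _, _) in info.items() if i == info[ordered[-1]][1] and p not in ordered]
        ordered.append(below)
    return [(p, info[p][2]) for p in ordered]

def runmqakm_commands(files, kdb, prefix="ca"):  # one runmqakm -cert -add per certificate, in that order
    return [f"runmqakm -cert -add -db {shlex.quote(kdb)} -pw <password> -label {prefix}{n}"
            f" -file {shlex.quote(p)} -format {fmt} -fips"   # password deliberately left as a placeholder
            for n, (p, fmt) in enumerate(order_chain(files))]

def fake_cert(issuer, subject):  # constructed minimal DER skeleton, NOT a real certificate
    enc = lambda tag, body: bytes([tag, len(body)]) + body   # short-form lengths suffice here
    name = lambda s: enc(0x30, enc(0x0C, s.encode()))
    tbs = enc(0x02, b"\x01") + enc(0x30, b"") + name(issuer) + enc(0x30, b"") + name(subject)
    return enc(0x30, enc(0x30, enc(0xA0, enc(0x02, b"\x02")) + tbs))

SAMPLE = {  # constructed sample input, deliberately out of order and in mixed encodings
    "leaf.der": fake_cert("Intermediate CA", "mq.example.test"),
    "root.pem": b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(fake_cert("Root CA", "Root CA")) + b"-----END CERTIFICATE-----\n",
    "inter.der": fake_cert("Root CA", "Intermediate CA"),
}
```

Running `runmqakm_commands(SAMPLE, "/path/to/key.kdb")` yields the root first, then the intermediate, then the leaf, with -format ascii for the PEM file and -format binary for the DER files.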

Parent topic: Work with SSL/TLS on UNIX, Linux, and Windows