Adding a CA certificate (or the CA part of a self-signed certificate) into a key repository
If the certificate that you want to add is in a certificate chain, you must also add all the certificates that are above it in the chain. You must add the certificates in strictly descending order starting from the root, followed by the CA certificate immediately below it in the chain, and so on.
Perform the following steps on the machine on which you want to add the CA certificate:
- Start the iKeyman GUI using either the gsk7ikm command (on UNIX) or the strmqikm command (on Windows).
- From the Key Database File menu, click Open. The Open window displays.
- Click Key database type and select CMS (Certificate Management System).
- Click Browse to navigate to the directory that contains the key database files.
- Select the key database file to which you want to add the certificate, for example key.kdb.
- Click Open. The Password Prompt window displays.
- Type the password you set when you created the key database and click OK. The name of your key database file displays in the File Name field.
- In the Key database content field, select Signer Certificates and select the certificate you want to add.
- Click Add. The Add CA's Certificate from a File window displays.
- Select the Data type of the certificate you transferred, for example Base64-encoded ASCII data for a file with the .arm extension.
- Type the certificate file name and location where the certificate is stored, or click Browse to select the name and location.
- Click OK. The Enter a Label window displays.
- In the Enter a Label window, type the name of the certificate.
- Click OK. The certificate is added to the key database.
Use the following commands to add a CA certificate using IKEYCMD or GSKCapiCmd:
- On UNIX:
  gsk7cmd -cert -add -db filename -pw password -label label -file filename -format ascii
- On Windows:
  runmqckm -cert -add -db filename -pw password -label label -file filename -format ascii
- Using GSKCapiCmd:
  gsk7capicmd -cert -add -db filename -pw password -label label -file filename -format ascii -fips
where:
- -db filename is the fully qualified path name of the CMS key database.
- -pw password is the password for the CMS key database.
- -label label is the label attached to the certificate.
- -file filename is the name of the file containing the certificate.
- -format ascii is the format of the certificate. The value can be ascii for Base64-encoded ASCII or binary for binary DER data. The default is ascii.
- -fips specifies that the command is run in FIPS mode. This mode disables the use of the BSafe cryptographic library. Only the ICC component is used, and this component must be successfully initialized in FIPS mode. When in FIPS mode, the ICC component uses algorithms that have been FIPS 140-2 validated. If the ICC component does not initialize in FIPS mode, the gsk7capicmd command fails.
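The following script is an added example, not part of the IBM documentation: it wraps the -cert -add command above so that a whole CA chain is added in the strictly descending order the page requires (root first, then the CA directly below it). It assumes GSKCMD names the tool (gsk7cmd on UNIX, runmqckm on Windows) and that DRY_RUN=1 prints each command instead of running it; the file paths and password in the example call are constructed.

```shell
#!/bin/sh
# Added example (not IBM's code): add a CA chain to a CMS key database
# root-first with the gsk7cmd/runmqckm -cert -add syntax from this page.
# Assumptions: GSKCMD selects the tool (gsk7cmd on UNIX, runmqckm on
# Windows); DRY_RUN=1 prints each command instead of executing it.
GSKCMD="${GSKCMD:-gsk7cmd}"

# Label for a certificate, derived from its file name: /x/RootCA.arm -> RootCA
label_from_file() {
    f=${1##*/}
    printf '%s\n' "${f%.*}"
}

# -format value for a file: .der is binary DER; anything else (.arm, .pem)
# is treated as Base64-encoded ASCII, the two values the page documents.
format_for_file() {
    case "$1" in
        *.der) printf 'binary\n' ;;
        *)     printf 'ascii\n' ;;
    esac
}

# gsk_add KDB PASSWORD LABEL FILE FORMAT: one -cert -add invocation.
# Note: -pw places the key database password on the command line, where
# other local users can read it from the process list; run it from a
# dedicated administrative account.
gsk_add() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$GSKCMD -cert -add -db $1 -pw $2 -label $3 -file $4 -format $5"
    else
        "$GSKCMD" -cert -add -db "$1" -pw "$2" -label "$3" -file "$4" -format "$5"
    fi
}

# add_ca_chain KDB PASSWORD CERTFILE...
# CERTFILEs must be listed top-down: root CA first, then the CA directly
# below it, and so on. Stops at the first failed add so that a certificate
# is never added while its issuer is still missing from the database.
add_ca_chain() {
    kdb=$1; pw=$2; shift 2
    [ $# -ge 1 ] || { echo "add_ca_chain: no certificate files given" >&2; return 2; }
    for cert in "$@"; do
        gsk_add "$kdb" "$pw" "$(label_from_file "$cert")" "$cert" \
                "$(format_for_file "$cert")" || return $?
    done
}

# Example run (constructed paths): root CA, then the intermediate it signed.
DRY_RUN=1 add_ca_chain key.kdb changeit certs/ExampleRootCA.arm certs/ExampleIssuingCA.arm
```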