Transferring certificates
This section tells you how to perform the following tasks:
- Extracting a CA certificate from a key repository
- Extracting the CA part of a self-signed certificate from a key repository
- Adding a CA certificate (or the CA part of a self-signed certificate) into a key repository
- Exporting a personal certificate from a key repository
- Importing a personal certificate into a key repository
- Importing from a Microsoft .pfx file
Extracting a CA certificate from a key repository
Perform the following steps on the machine from which you want to extract the CA certificate:
- Start the iKeyman GUI using either the gsk7ikm command (on UNIX) or the strmqikm command (on Windows).
- From the Key Database File menu, click Open. The Open window displays.
- Click Key database type and select CMS (Certificate Management System).
- Click Browse to navigate to the directory that contains the key database files.
- Select the key database file that contains the certificate you want to extract, for example key.kdb.
- Click Open. The Password Prompt window displays.
- Type the password you set when you created the key database and click OK. The name of your key database file displays in the File Name field.
- In the Key database content field, select Signer Certificates and select the certificate you want to extract.
- Click Extract. The Extract a Certificate to a File window displays.
- Select the Data type of the certificate, for example Base64-encoded ASCII data for a file with the .arm extension.
- Type the certificate file name and location where you want to store the certificate, or click Browse to select the name and location.
- Click OK. The certificate is written to the file you specified.
Use the following commands to extract a CA certificate using iKeycmd:
- On UNIX:
gsk7cmd -cert -extract -db filename -pw password -label label -target filename -format ascii
- On Windows:
runmqckm -cert -extract -db filename -pw password -label label -target filename -format ascii
where:
-db filename
is the fully qualified path name of a CMS key database.
-pw password
is the password for the CMS key database.
-label label
is the label attached to the certificate.
-target filename
is the name of the destination file.
-format ascii
is the format of the certificate. The value can be ascii for Base64-encoded ASCII or binary for Binary DER data. The default is ascii.
Extracting the CA part of a self-signed certificate from a key repository
Perform the following steps on the machine from which you want to extract the CA part of a self-signed certificate:
- Start the iKeyman GUI using either the gsk7ikm command (on UNIX) or the strmqikm command (on Windows).
- From the Key Database File menu, click Open. The Open window displays.
- Click Key database type and select CMS (Certificate Management System).
- Click Browse to navigate to the directory that contains the key database files.
- Select the key database file that contains the certificate you want to extract, for example key.kdb.
- Click Open. The Password Prompt window displays.
- Type the password you set when you created the key database and click OK. The name of your key database file displays in the File Name field.
- In the Key database content field, select Personal Certificates and select the certificate you want to extract.
- Click Extract certificate. The Extract a Certificate to a File window displays.
- Select the Data type of the certificate, for example Base64-encoded ASCII data for a file with the .arm extension.
- Type the certificate file name and location where you want to store the certificate, or click Browse to select the name and location.
- Click OK. The certificate is written to the file you specified. Note that when you extract (rather than export) a certificate, only the public part of the certificate is included, so a password is not required.
Adding a CA certificate (or the CA part of a self-signed certificate) into a key repository
If the certificate that you want to add is in a certificate chain,
you must also add all the certificates that are above it in the chain. You
must add the certificates in strictly descending order starting from the root,
followed by the CA certificate immediately below it in the chain, and so on.
Perform the following steps on the machine on which you want to add the CA certificate:
- Start the iKeyman GUI using either the gsk7ikm command (on UNIX) or the strmqikm command (on Windows).
- From the Key Database File menu, click Open. The Open window displays.
- Click Key database type and select CMS (Certificate Management System).
- Click Browse to navigate to the directory that contains the key database files.
- Select the key database file to which you want to add the certificate, for example key.kdb.
- Click Open. The Password Prompt window displays.
- Type the password you set when you created the key database and click OK. The name of your key database file displays in the File Name field.
- In the Key database content field, select Signer Certificates and select the certificate you want to add.
- Click Add. The Add CA's Certificate from a File window displays.
- Select the Data type of the certificate you transferred, for example Base64-encoded ASCII data for a file with the .arm extension.
- Type the certificate file name and location where the certificate is stored, or click Browse to select the name and location.
- Click OK. The Enter a Label window displays.
- In the Enter a Label window, type the name of the certificate.
- Click OK. The certificate is added to the key database.
Use the following commands to add a CA certificate using iKeycmd:
- On UNIX:
gsk7cmd -cert -add -db filename -pw password -label label -file filename -format ascii
- On Windows:
runmqckm -cert -add -db filename -pw password -label label -file filename -format ascii
where:
-db filename
is the fully qualified path name of the CMS key database.
-pw password
is the password for the CMS key database.
-label label
is the label attached to the certificate.
-file filename
is the name of the file containing the certificate.
-format ascii
is the format of the certificate. The value can be ascii for Base64-encoded ASCII or binary for Binary DER data. The default is ascii.
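The chain must be added in strictly descending order, root first, and iKeycmd has no notion of ordering, so the caller has to work it out. As an added example (not from the IBM documentation), the following Python sorts a set of CA certificates root-first from their subject and issuer names and builds one iKeycmd -cert -add argv list per certificate; the certificate records, labels and .arm file names are constructed, and in practice you would read the subject and issuer out of each extracted .arm file first.

```python
"""Order CA certificates root-first and build the matching iKeycmd add commands.

Added example, not IBM's code. Each certificate is a constructed record of
label, subject name, issuer name and .arm file name.
"""

# Constructed sample chain, deliberately listed out of order.
SAMPLE_CHAIN = [
    {"label": "issuing-ca", "subject": "CN=Issuing CA",
     "issuer": "CN=Intermediate CA", "file": "issuing.arm"},
    {"label": "root-ca", "subject": "CN=Root CA",
     "issuer": "CN=Root CA", "file": "root.arm"},
    {"label": "intermediate-ca", "subject": "CN=Intermediate CA",
     "issuer": "CN=Root CA", "file": "intermediate.arm"},
]


def order_root_first(certs):
    """Return the chain in strictly descending order: root, then each CA it signed."""
    by_subject = {c["subject"]: c for c in certs}
    roots = [c for c in certs if c["subject"] == c["issuer"]]   # self-signed = root
    if len(roots) != 1:
        raise ValueError(f"expected exactly one self-signed root, found {len(roots)}")
    ordered = [roots[0]]
    remaining = set(by_subject) - {roots[0]["subject"]}
    while remaining:
        parent = ordered[-1]["subject"]
        children = [by_subject[s] for s in remaining if by_subject[s]["issuer"] == parent]
        if len(children) != 1:   # a missing link or a fork: refuse rather than add a broken chain
            raise ValueError(f"chain broken below {parent!r}: {len(children)} candidates")
        ordered.append(children[0])
        remaining.remove(children[0]["subject"])
    return ordered


def add_commands(certs, db, password, tool="gsk7cmd"):
    """argv lists for iKeycmd '-cert -add' (use tool='runmqckm' on Windows), root first."""
    return [
        [tool, "-cert", "-add", "-db", db, "-pw", password,
         "-label", c["label"], "-file", c["file"], "-format", "ascii"]
        for c in order_root_first(certs)
    ]
```

Passing the argv lists to subprocess.run without a shell keeps labels and passwords from being interpreted by the shell.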
Exporting a personal certificate from a key repository
Perform the following steps on the machine from which you want to export the personal certificate:
- Start the iKeyman GUI using either the gsk7ikm command (on UNIX) or the strmqikm command (on Windows).
- From the Key Database File menu, click Open. The Open window displays.
- Click Key database type and select CMS (Certificate Management System).
- Click Browse to navigate to the directory that contains the key database files.
- Select the key database file that contains the certificate you want to export, for example key.kdb.
- Click Open. The Password Prompt window displays.
- Type the password you set when you created the key database and click OK. The name of your key database file displays in the File Name field.
- In the Key database content field, select Personal Certificates and select the certificate you want to export.
- Click Export/Import. The Export/Import key window displays.
- Select Export Key.
- Select the Key file type of the certificate you want to export, for example PKCS12.
- Type the file name and location to which you want to export the certificate, or click Browse to select the name and location.
- Click OK. The Password Prompt window displays. Note that when you export (rather than extract) a certificate, both the public and private parts of the certificate are included. This is why the exported file is protected by a password. When you extract a certificate, only the public part of the certificate is included, so a password is not required.
- Type a password in the Password field, and type it again in the Confirm Password field.
- Click OK. The certificate is exported to the file you specified.
Use the following commands to export a personal certificate using iKeycmd:
- On UNIX:
gsk7cmd -cert -export -db filename -pw password -label label -type cms -target filename -target_pw password -target_type pkcs12
- On Windows:
runmqckm -cert -export -db filename -pw password -label label -type cms -target filename -target_pw password -target_type pkcs12
where:
-db filename
is the fully qualified path name of the CMS key database.
-pw password
is the password for the CMS key database.
-label label
is the label attached to the certificate.
-type cms
is the type of the database.
-target filename
is the name of the destination file.
-target_pw password
is the password for encrypting the certificate.
-target_type pkcs12
is the type of the certificate.
Importing a personal certificate into a key repository
Before importing a personal certificate in PKCS #12 format into the key database file, you must first add the full valid chain of issuing CA certificates to the key database file (see Adding a CA certificate (or the CA part of a self-signed certificate) into a key repository).
PKCS #12 files should be considered temporary and deleted after use.
Note that you cannot import a personal certificate that has multiple OU attributes.
Perform the following steps on the machine to which you want to import the personal certificate:
- Start the iKeyman GUI using either the gsk7ikm command (on UNIX) or the strmqikm command (on Windows).
- From the Key Database File menu, click Open. The Open window displays.
- Click Key database type and select CMS (Certificate Management System).
- Click Browse to navigate to the directory that contains the key database files.
- Select the key database file to which you want to add the certificate, for example key.kdb.
- Click Open. The Password Prompt window displays.
- Type the password you set when you created the key database and click OK. The name of your key database file displays in the File Name field.
- In the Key database content field, select Personal Certificates.
- Click Export/Import. The Export/Import key window is displayed.
- Select Import Key.
- Select the Key file type of the certificate you want to import, for example PKCS12.
- Type the certificate file name and location where the certificate is stored, or click Browse to select the name and location.
- Click OK. The Password Prompt window displays.
- In the Password field, type the password used when the certificate was exported.
- Click OK. The Select from Key Label List window is displayed.
- From the list of certificate labels displayed, select the ones that you want to import. Ensure that you include any CA (signer) certificates that might be necessary to form a full chain for any personal certificates you are importing. You do not need to include any that are already in the target key database.
- Click OK. The Change Labels window is displayed. This window allows the labels of certificates being imported to be changed if, for example, a certificate with the same label already exists in the target key database. Changing certificate labels has no effect on certificate chain validation. This can be used to change the personal certificate label to that required by WebSphere MQ in order to associate the certificate with the particular queue manager or client (ibmwebspheremqqm1 for example).
- To change a label, select the required label from the Select a label to change: list. The label is copied into the Enter a new label: entry field. Replace the label text with that of the new label and click Apply.
- The text in the Enter a new label: entry field is copied back into the Select a label to change: field, replacing the originally selected label and so relabelling the corresponding certificate.
- When you have changed all the labels that needed to be changed, click OK. The Change Labels window closes, and the original IBM Key Management window reappears with the Personal Certificates and Signer Certificates fields updated with the correctly labeled certificates.
- The certificate is imported to the target key database.
To import a personal certificate using iKeycmd, use the following commands:
- On UNIX:
gsk7cmd -cert -import -file filename -pw password -type pkcs12 -target filename -target_pw password -target_type cms
- On Windows:
runmqckm -cert -import -file filename -pw password -type pkcs12 -target filename -target_pw password -target_type cms
where:
-file filename
is the fully qualified file name of the file containing the PKCS #12 certificate.
-pw password
is the password for the PKCS #12 certificate.
-type pkcs12
is the type of the file.
-target filename
is the name of the destination CMS key database.
-target_pw password
is the password for the CMS key database.
-target_type cms
is the type of the database specified by -target.
It is not possible to change a certificate label using iKeycmd.
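The export and import commands above move a private key through a PKCS #12 file that the page says must be treated as temporary. As an added example (not from the IBM documentation), the following Python runs the two iKeycmd commands in sequence with a private temporary directory and a fresh random transit password, and removes the PKCS #12 file whether or not the import succeeds; the label and key database names in the test are constructed, and the run parameter exists only so the flow can be exercised with a stand-in runner.

```python
"""Move a personal certificate between CMS key databases via a short-lived PKCS #12 file.

Added example, not IBM's code. It drives the iKeycmd '-cert -export' and
'-cert -import' commands described on this page through subprocess.
"""
import os
import secrets
import subprocess
import tempfile

DEFAULT_TOOL = "runmqckm" if os.name == "nt" else "gsk7cmd"   # iKeycmd name per platform


def transfer_personal_cert(label, src_db, src_pw, dst_db, dst_pw,
                           tool=DEFAULT_TOOL, run=subprocess.run):
    """Export `label` from src_db into a temporary PKCS #12 file, import it into
    dst_db, and delete the file whatever happens. Returns the transit file path
    (already removed) so the caller can record what was cleaned up."""
    # The transit file carries the private key, so it gets its own random
    # password instead of reusing either key database password.
    transit_pw = secrets.token_urlsafe(24)
    tmpdir = tempfile.mkdtemp()            # created mode 0700: readable only by this user
    p12 = os.path.join(tmpdir, "transit.p12")
    export_cmd = [tool, "-cert", "-export", "-db", src_db, "-pw", src_pw,
                  "-label", label, "-type", "cms", "-target", p12,
                  "-target_pw", transit_pw, "-target_type", "pkcs12"]
    import_cmd = [tool, "-cert", "-import", "-file", p12, "-pw", transit_pw,
                  "-type", "pkcs12", "-target", dst_db, "-target_pw", dst_pw,
                  "-target_type", "cms"]
    # iKeycmd takes passwords as command-line options, so they are visible in
    # process listings while each command runs; run this only where that is acceptable.
    try:
        run(export_cmd, check=True)
        if not os.path.isfile(p12):
            raise RuntimeError("export returned success but wrote no PKCS #12 file")
        run(import_cmd, check=True)
    finally:
        # PKCS #12 files are temporary: remove the private-key material even on failure.
        if os.path.exists(p12):
            os.remove(p12)
        os.rmdir(tmpdir)
    return p12
```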
Importing from a Microsoft .pfx file
This section describes how to import from a Microsoft .pfx file. A .pfx file may contain two certificates relating to the same key. One is a personal or site certificate (containing both a public and private key). The other is a CA (signer) certificate (containing only a public key). These certificates cannot coexist in the same CMS keystore, so only one of them can be imported. Also, the "friendly name" or label is attached to only the signer certificate.
The personal certificate is identified by a system generated Unique User Identifier (UUID). This section shows the import of a personal certificate from a pfx file while labeling it with the friendly name previously assigned to the CA (signer) certificate. The issuing CA (signer) certificates should already be added to the target key database. Note that PKCS #12 files should be considered temporary and deleted after use.
Follow these steps to import a personal certificate from a source pfx key database (the steps are numbered because later steps refer back to them):
1. Start the iKeyman GUI using either the gsk7ikm command (on UNIX) or the strmqikm command (on Windows). The IBM Key Management window is displayed.
2. From the Key Database File menu, click Open. The Open window is displayed.
3. Select a key database type of PKCS12.
4. Select the pfx key database that you want to import. Click Open. The Password Prompt window is displayed.
5. Enter the key database password and click OK. The IBM Key Management window is displayed. The title bar shows the name of the selected pfx key database file, indicating that the file is open and ready.
6. Select Signer Certificates from the list. The "friendly name" of the required certificate is displayed as a label in the Signer Certificates panel.
7. Select the label entry and click Delete to remove the signer certificate. The Confirm window is displayed.
8. Click Yes. The selected label is no longer displayed in the Signer Certificates panel.
9. From the Key Database File menu, click Open. The Open window is displayed.
10. Select the target CMS key database into which the pfx file is being imported. Click Open. The Password Prompt window is displayed.
11. Enter the key database password and click OK. The IBM Key Management window is displayed. The title bar shows the name of the selected key database file, indicating that the file is open and ready.
12. Select Personal Certificates from the list.
13. Click Import to import keys from the pfx key database. The Import Key window is displayed.
14. Click Export/Import key. The Export/Import key window is displayed.
15. Select Import from Choose Action Type.
16. Select the PKCS12 file.
17. Enter the name of the pfx file as used in Step 4. Click OK. The Password Prompt window is displayed.
18. Specify the same password that you specified when you deleted the signer certificate. Click OK.
19. The Change Labels window is displayed (as there should be only a single certificate available for import). The label of the certificate should be a UUID which has the format xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.
20. To change the label, select the UUID from the Select a label to change: panel. The label is replicated into the Enter a new label: field. Replace the label text with that of the friendly name that was deleted in Step 7 and click Apply.
21. The text in the Enter a new label: field is replicated back into the Select a label to change: panel, replacing the originally selected label and so relabelling the personal certificate with the required friendly name.
22. Click OK. The Change Labels window is now removed and the original IBM Key Management window reappears with the Personal Certificates and Signer Certificates panels updated with the correctly labeled personal certificate.
23. The pfx personal certificate is now imported to the (target) database.
It is not possible to change a certificate label using iKeycmd.