Transferring certificates

This section tells you how to perform the following tasks:

Extracting a CA certificate from a key repository

Perform the following steps on the machine from which you want to extract the CA certificate:

  1. Start the iKeyman GUI using either the gsk7ikm command (on UNIX(R)) or the strmqikm command (on Windows(R)).
  2. From the Key Database File menu, click Open. The Open window displays.
  3. Click Key database type and select CMS (Certificate Management System).
  4. Click Browse to navigate to the directory that contains the key database files.
  5. Select the key database file from which you want to extract the certificate, for example key.kdb.
  6. Click Open. The Password Prompt window displays.
  7. Type the password you set when you created the key database and click OK. The name of your key database file displays in the File Name field.
  8. In the Key database content field, select Signer Certificates and select the certificate you want to extract.
  9. Click Extract. The Extract a Certificate to a File window displays.
  10. Select the Data type of the certificate, for example Base64-encoded ASCII data for a file with the .arm extension.
  11. Type the certificate file name and location where you want to store the certificate, or click Browse to select the name and location.
  12. Click OK. The certificate is written to the file you specified.

Use the following commands to extract a CA certificate using iKeycmd:

where:

-db filename is the fully qualified path name of a CMS key database.
-pw password is the password for the CMS key database.
-label label is the label attached to the certificate.
-target filename is the name of the destination file.
-format ascii is the format of the certificate. The value can be ascii for Base64-encoded ASCII or binary for Binary DER data. The default is ascii.

Extracting the CA part of a self-signed certificate from a key repository

Perform the following steps on the machine from which you want to extract the CA part of a self-signed certificate:

  1. Start the iKeyman GUI using either the gsk7ikm command (on UNIX) or the strmqikm command (on Windows).
  2. From the Key Database File menu, click Open. The Open window displays.
  3. Click Key database type and select CMS (Certificate Management System).
  4. Click Browse to navigate to the directory that contains the key database files.
  5. Select the key database file from which you want to extract the certificate, for example key.kdb.
  6. Click Open. The Password Prompt window displays.
  7. Type the password you set when you created the key database and click OK. The name of your key database file displays in the File Name field.
  8. In the Key database content field, select Personal Certificates and select the certificate you want to extract.
  9. Click Extract certificate. The Extract a Certificate to a File window displays.
  10. Select the Data type of the certificate, for example Base64-encoded ASCII data for a file with the .arm extension.
  11. Type the certificate file name and location where you want to store the certificate, or click Browse to select the name and location.
  12. Click OK. The certificate is written to the file you specified. Note that when you extract (rather than export) a certificate, only the public part of the certificate is included, so a password is not required.

Adding a CA certificate (or the CA part of a self-signed certificate) into a key repository

If the certificate that you want to add is in a certificate chain, you must also add all the certificates that are above it in the chain. You must add the certificates in strictly descending order starting from the root, followed by the CA certificate immediately below it in the chain, and so on.

Perform the following steps on the machine on which you want to add the CA certificate:

  1. Start the iKeyman GUI using either the gsk7ikm command (on UNIX) or the strmqikm command (on Windows).
  2. From the Key Database File menu, click Open. The Open window displays.
  3. Click Key database type and select CMS (Certificate Management System).
  4. Click Browse to navigate to the directory that contains the key database files.
  5. Select the key database file to which you want to add the certificate, for example key.kdb.
  6. Click Open. The Password Prompt window displays.
  7. Type the password you set when you created the key database and click OK. The name of your key database file displays in the File Name field.
  8. In the Key database content field, select Signer Certificates. (The certificate you are adding is not yet in the database, so there is nothing to select at this point.)
  9. Click Add. The Add CA's Certificate from a File window displays.
  10. Select the Data type of the certificate you transferred, for example Base64-encoded ASCII data for a file with the .arm extension.
  11. Type the certificate file name and location where the certificate is stored, or click Browse to select the name and location.
  12. Click OK. The Enter a Label window displays.
  13. In the Enter a Label window, type the name of the certificate.
  14. Click OK. The certificate is added to the key database.

Use the following commands to add a CA certificate using iKeycmd:

where:

-db filename is the fully qualified path name of the CMS key database.
-pw password is the password for the CMS key database.
-label label is the label attached to the certificate.
-file filename is the name of the file containing the certificate.
-format ascii is the format of the certificate. The value can be ascii for Base64-encoded ASCII or binary for Binary DER data. The default is ascii.
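The two iKeycmd operations above (extract a CA certificate from one key database, add it to another, root-first when it is part of a chain) as one runnable script. This is an added example, not the documentation's own command listing: it assumes the iKeycmd front end is runmqckm on Windows or gsk7cmd on UNIX and is on PATH, and when neither is installed it prints the command line that would run so the logic can be checked offline. The paths, labels and passwords are illustrative, and the .arm envelope check is the author's addition rather than anything iKeycmd does itself.

```shell
#!/bin/sh
# Added example, not from the WebSphere MQ documentation: move a CA
# (signer) certificate from one CMS key database to another with iKeycmd.
# Assumed: runmqckm (Windows) or gsk7cmd (UNIX) is on PATH; if neither is
# installed, the command line is printed instead of run so the script can
# be read and checked offline. Paths, labels and passwords are illustrative.
set -u

# Run iKeycmd, or print what would run when it is not installed.
km() {
  if command -v runmqckm >/dev/null 2>&1; then runmqckm "$@"
  elif command -v gsk7cmd >/dev/null 2>&1; then gsk7cmd "$@"
  else printf 'gsk7cmd %s\n' "$*"; fi
}

# Extract writes the public certificate only (no private key), so the
# output file needs no password of its own. ascii (Base64, .arm) is the
# default; binary would give DER.
extract_ca() {  # db pw label target
  km -cert -extract -db "$1" -pw "$2" -label "$3" -target "$4" -format ascii
}

# Add installs the certificate as a signer under the given label.
add_ca() {  # db pw label file
  km -cert -add -db "$1" -pw "$2" -label "$3" -file "$4" -format ascii
}

# Check that a .arm file carries exactly one Base64 certificate envelope
# before trusting it: a bundle or an empty file means the wrong file was
# extracted or the transfer was incomplete.
is_single_pem_cert() {  # file
  [ -s "$1" ] || return 1
  b=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$1" || true)
  e=$(grep -c '^-----END CERTIFICATE-----$' "$1" || true)
  [ "$b" -eq 1 ] && [ "$e" -eq 1 ]
}

# Add a chain root-first: a CA certificate must be present before the one
# it signed, so the caller lists label/file pairs from the root downwards.
add_chain() {  # db pw label file [label file ...]
  db=$1; pw=$2; shift 2
  while [ $# -ge 2 ]; do
    is_single_pem_cert "$2" || { printf 'refusing %s: not a single PEM certificate\n' "$2" >&2; return 1; }
    add_ca "$db" "$pw" "$1" "$2" || return 1
    shift 2
  done
}

# Extract from the source database, verify the file, add it to the target.
transfer_ca() {  # src_db src_pw label arm_file dst_db dst_pw
  extract_ca "$1" "$2" "$3" "$4" || return 1
  is_single_pem_cert "$4" || return 1
  add_ca "$5" "$6" "$3" "$4"
}

# Example invocation (illustrative paths and labels):
# transfer_ca /var/mqm/qmgrs/QM1/ssl/key.kdb qm1pw 'Corp Root CA' \
#             /tmp/corp-root.arm /var/mqm/ssl/key.kdb clientpw
```

Passing -pw on the command line exposes the key database password to other local users through the process list and to shell history. Where the key database has a stash file (created with -keydb -stashpw), iKeycmd accepts -stashed in place of -pw, which avoids that; the example keeps -pw only because that is the form the parameter lists above describe.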

Exporting a personal certificate from a key repository

Perform the following steps on the machine from which you want to export the personal certificate:

  1. Start the iKeyman GUI using either the gsk7ikm command (on UNIX) or the strmqikm command (on Windows).
  2. From the Key Database File menu, click Open. The Open window displays.
  3. Click Key database type and select CMS (Certificate Management System).
  4. Click Browse to navigate to the directory that contains the key database files.
  5. Select the key database file from which you want to export the certificate, for example key.kdb.
  6. Click Open. The Password Prompt window displays.
  7. Type the password you set when you created the key database and click OK. The name of your key database file displays in the File Name field.
  8. In the Key database content field, select Personal Certificates and select the certificate you want to export.
  9. Click Export/Import. The Export/Import key window displays.
  10. Select Export Key.
  11. Select the Key file type of the certificate you want to export, for example PKCS12.
  12. Type the file name and location to which you want to export the certificate, or click Browse to select the name and location.
  13. Click OK. The Password Prompt window displays. Note that when you export (rather than extract) a certificate, both the public and private parts of the certificate are included. This is why the exported file is protected by a password. When you extract a certificate, only the public part of the certificate is included, so a password is not required.
  14. Type a password in the Password field, and type it again in the Confirm Password field.
  15. Click OK. The certificate is exported to the file you specified.

Use the following commands to export a personal certificate using iKeycmd:

where:

-db filename is the fully qualified path name of the CMS key database.
-pw password is the password for the CMS key database.
-label label is the label attached to the certificate.
-type cms is the type of the database.
-target filename is the name of the destination file.
-target_pw password is the password for encrypting the certificate.
-target_type pkcs12 is the type of the certificate.

Importing a personal certificate into a key repository

Before importing a personal certificate in PKCS #12 format into the key database file, you must first add the full valid chain of issuing CA certificates to the key database file (see Adding a CA certificate (or the CA part of a self-signed certificate) into a key repository).

PKCS #12 files contain the private key as well as the certificate. Treat them as temporary: keep them readable only by the user performing the transfer, and delete them as soon as the import has succeeded.

Note that you cannot import a personal certificate that has multiple OU attributes.

Perform the following steps on the machine to which you want to import the personal certificate:

  1. Start the iKeyman GUI using either the gsk7ikm command (on UNIX) or the strmqikm command (on Windows).
  2. From the Key Database File menu, click Open. The Open window displays.
  3. Click Key database type and select CMS (Certificate Management System).
  4. Click Browse to navigate to the directory that contains the key database files.
  5. Select the key database file into which you want to import the certificate, for example key.kdb.
  6. Click Open. The Password Prompt window displays.
  7. Type the password you set when you created the key database and click OK. The name of your key database file displays in the File Name field.
  8. In the Key database content field, select Personal Certificates.
  9. Click Export/Import. The Export/Import key window is displayed.
  10. Select Import Key.
  11. Select the Key file type of the certificate you want to import, for example PKCS12.
  12. Type the certificate file name and location where the certificate is stored, or click Browse to select the name and location.
  13. Click OK. The Password Prompt window displays.
  14. In the Password field, type the password used when the certificate was exported.
  15. Click OK. The Select from Key Label List window is displayed.
  16. From the list of certificate labels displayed, select the ones that you want to import. Ensure that you include any CA (signer) certificates that might be necessary to form a full chain for any personal certificates you are importing. You do not need to include any that are already in the target key database.
  17. Click OK. The Change Labels window is displayed. This window allows the labels of certificates being imported to be changed if, for example, a certificate with the same label already exists in the target key database. Changing certificate labels has no effect on certificate chain validation. This can be used to change the personal certificate label to that required by WebSphere(R) MQ in order to associate the certificate with the particular queue manager or client (ibmwebspheremqqm1 for example).
  18. To change a label, select the required label from the Select a label to change: list. The label is copied into the Enter a new label: entry field. Replace the label text with that of the new label and click Apply.
  19. The text in the Enter a new label: entry field is copied back into the Select a label to change: field, replacing the originally selected label and so relabelling the corresponding certificate.
  20. When you have changed all the labels that needed to be changed, click OK. The Change Labels window closes, and the original IBM(R) Key Management window reappears with the Personal Certificates and Signer Certificates fields updated with the correctly labeled certificates.
  21. The certificate is imported to the target key database.

To import a personal certificate using iKeycmd, use the following commands:

where:

-file filename is the fully qualified file name of the file containing the PKCS #12 certificate.
-pw password is the password for the PKCS #12 certificate.
-type pkcs12 is the type of the file.
-target filename is the name of the destination CMS key database.
-target_pw password is the password for the CMS key database.
-target_type cms is the type of the database specified by -target
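The export and import operations (this section and the preceding one, Exporting a personal certificate from a key repository) as one runnable script, with the PKCS #12 handling the note above asks for: an owner-only working directory, a throwaway file password, and destruction of the file whether or not the import succeeds. This is an added example, not the documentation's own command listing; it assumes runmqckm (Windows) or gsk7cmd (UNIX) is on PATH and prints the command line instead of running it when neither is installed. Paths, labels and passwords are illustrative.

```shell
#!/bin/sh
# Added example, not from the WebSphere MQ documentation: move a personal
# certificate (private key included) between two CMS key databases through
# a PKCS #12 file, then destroy that file. Assumed: runmqckm (Windows) or
# gsk7cmd (UNIX) is on PATH; if neither is installed, the command line is
# printed instead of run. Paths, labels and passwords are illustrative.
set -u

# Run iKeycmd, or print what would run when it is not installed.
km() {
  if command -v runmqckm >/dev/null 2>&1; then runmqckm "$@"
  elif command -v gsk7cmd >/dev/null 2>&1; then gsk7cmd "$@"
  else printf 'gsk7cmd %s\n' "$*"; fi
}

# A throwaway password for the PKCS #12 file: 32 hex characters from the
# kernel random source, never written to disk next to the file.
new_p12_password() {
  dd if=/dev/urandom bs=16 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# Export writes both halves of the key pair, which is why -target_pw (the
# PKCS #12 password) exists alongside -pw (the key database password).
# umask 077 in a subshell makes the file owner-only from creation.
export_personal() {  # db pw label p12 p12_pw
  ( umask 077
    km -cert -export -db "$1" -pw "$2" -label "$3" -type cms \
       -target "$4" -target_pw "$5" -target_type pkcs12 )
}

# Import into the target database; the issuing CA chain must already be in
# it, and the label cannot be changed from the command line.
import_personal() {  # p12 p12_pw db pw
  km -cert -import -file "$1" -pw "$2" -type pkcs12 \
     -target "$3" -target_pw "$4" -target_type cms
}

# Overwrite then unlink the PKCS #12 file. shred is GNU-specific and of
# limited value on journaling or copy-on-write filesystems, so it is a
# best effort; plain rm is the fallback.
destroy_p12() {  # p12
  [ -e "$1" ] || return 0
  if command -v shred >/dev/null 2>&1; then shred -u -- "$1"
  else rm -f -- "$1"; fi
}

# Whole transfer: private directory, random password, export, import, and
# cleanup that runs whether or not the import succeeded.
move_personal() {  # src_db src_pw label dst_db dst_pw
  dir=$(mktemp -d "${TMPDIR:-/tmp}/mqcert.XXXXXX") || return 1
  p12=$dir/cert.p12
  p12_pw=$(new_p12_password)
  if export_personal "$1" "$2" "$3" "$p12" "$p12_pw" &&
     import_personal "$p12" "$p12_pw" "$4" "$5"; then rc=0; else rc=1; fi
  destroy_p12 "$p12"
  rm -rf -- "$dir"
  return $rc
}

# Example invocation (illustrative paths and labels):
# move_personal /var/mqm/qmgrs/QM1/ssl/key.kdb qm1pw ibmwebspheremqqm1 \
#               /var/mqm/qmgrs/QM2/ssl/key.kdb qm2pw
```

Because the label travels inside the PKCS #12 file and iKeycmd cannot rename it on import, give the personal certificate the label the receiving queue manager or client expects (ibmwebspheremq followed by the lowercase queue manager name, for example) before exporting it, or use the iKeyman GUI for the import and rename it there.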

It is not possible to change a certificate label using iKeycmd.

Importing from a Microsoft .pfx file

This section describes how to import from a Microsoft(R) .pfx file. A .pfx file may contain two certificates relating to the same key. One is a personal or site certificate (containing both a public and private key). The other is a CA (signer) certificate (containing only a public key). These certificates cannot coexist in the same CMS keystore, so only one of them can be imported. Also, the "friendly name" or label is attached to only the signer certificate.

The personal certificate is identified by a system-generated Universally Unique Identifier (UUID). This section shows the import of a personal certificate from a pfx file while labeling it with the friendly name previously assigned to the CA (signer) certificate. The issuing CA (signer) certificates should already be added to the target key database. Note that PKCS#12 files should be considered temporary and deleted after use.

Follow these steps to import a personal certificate from a source pfx key database. Step 7 deletes a certificate from the pfx file and that change is written to the file, so work on a copy if you still need the original:

  1. Start the iKeyman GUI using either the gsk7ikm command (on UNIX) or the strmqikm command (on Windows). The IBM Key Management window is displayed.
  2. From the Key Database File menu, click Open. The Open window is displayed.
  3. Select a key database type of PKCS12.
  4. Select the pfx key database that you want to import. Click Open. The Password Prompt window is displayed.
  5. Enter the key database password and click OK. The IBM Key Management window is displayed. The title bar shows the name of the selected pfx key database file, indicating that the file is open and ready.
  6. Select Signer Certificates from the list. The "friendly name" of the required certificate is displayed as a label in the Signer Certificates panel.
  7. Select the label entry and click Delete to remove the signer certificate. The Confirm window is displayed.
  8. Click Yes. The selected label is no longer displayed in the Signer Certificates panel.
  9. From the Key Database File menu, click Open. The Open window is displayed.
  10. Select the target key CMS database which the pfx file is being imported into. Click Open. The Password Prompt window is displayed.
  11. Enter the key database password and click OK. The IBM Key Management window is displayed. The title bar shows the name of the selected key database file, indicating that the file is open and ready.
  12. Select Personal Certificates from the list.
  13. Click Import to import keys from the pfx key database. The Import Key window is displayed.
  14. Select PKCS12 as the key file type.
  15. Enter the name of the pfx file as used in Step 4. Click OK. The Password Prompt window is displayed.
  16. Type the same pfx file password that you entered in Step 5. Click OK.
  17. The Change Labels window is displayed (as there should be only a single certificate available for import). The label of the certificate should be a UUID which has a format xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.
  18. To change the label select the UUID from the Select a label to change: panel. The label will be replicated into the Enter a new label: field. Replace the label text with that of the friendly name that was deleted in Step 7 and click Apply.
  19. The text in the Enter a new label: field is replicated back into the Select a label to change: panel, replacing the originally selected label and so relabelling the personal certificate with the required friendly name.
  20. Click OK. The Change Labels window is now removed and the original IBM Key Management window reappears with the Personal Certificates and Signer Certificates panels updated with the correctly labeled personal certificate.
  21. The pfx personal certificate is now imported to the (target) database.

It is not possible to change a certificate label using iKeycmd.