The following section can be found in the APM 8.1.4 document when available.
Importing keys from Internet Information Services
To extract keys from Internet Information Services and import them into
the KT5Keystore, complete the following steps:
1. Install a Response Time Monitoring agent on each HTTPS web server
that you want to monitor.
2. Export a .pfx file from Internet Information Services:
a. From the Windows Start menu, select Administrative Tools > Internet
Information Services (IIS) Manager.
b. Select the web server and site whose private key you want to export,
right-click and select Properties from the context menu.
c. Select the Directory Security tab, then select Server Certificate in
the Secure communications section.
d. In the IIS Certificate Wizard, click Next.
e. Select Export the current certificate to a .pfx file and click Next.
f. Enter the path and file name and click Next.
g. Enter an export password for the key and click Next.
h. Click Next on all subsequent pages, then click Finish.
3. Extract Personal and Signer Certificates from the .pfx file:
a. Run IBM Key Management (iKeyman) from within the IBM Java bin
directory using the command c:\IBM\APM\java\java80_x64\jre\bin\ikeyman.
Ensure that the environment variable JAVA_HOME is set.
b. In the Keystore database, select File > Open.
c. From the Key database type list, select PKCS12.
d. Enter the name and path for the .pfx file you created above, then
click OK. When prompted, enter the password, then click OK.
e. Select Key Database Content > Personal Certificates, then click
f. Select an Action Type of Export Key and a Key File Type of PKCS12.
Enter a file name and location for the exported key and click OK. When
prompted, enter an export password, then click OK again.
g. If the Personal Certificate was signed by a Certificate Authority,
select Key Database Content > Signer Certificates and click Extract.
Select the default file type, and enter a file name and location for the
exported certificate, then click OK.
4. Extract Signer .cer files (if needed):
a. If a Signer Certificates file was extracted from the .pfx file,
navigate to the directory where it was saved, and make a new copy with
the extension .cer. Double-click the new copy to open it using the
Windows Certificate viewer.
b. On the Certification Path tab, you can view the signer certificate
chain. The lowest item in the chain should be the Personal Certificate.
For all certificates above it, do the following:
1) Select a certificate and click View Certificate.
2) Select Details and click Copy to File.
3) Accept all defaults in the Certificate Export Wizard and enter a
filename with the .cer extension.
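
A scripted way to do what step 4 does by hand, as an added example that is not part of the IBM documentation: it reads the .pfx from step 2, builds the chain in leaf-to-root order, and writes every certificate above the Personal Certificate to a .cer file. The parameter names and the signerN.cer file names are assumptions made for this example; the .cer files contain public certificates only, while the .pfx still holds the private key.

```powershell
# Added example, not IBM's own tooling. $PfxPath, $OutDir and the signerN.cer
# naming are assumptions for illustration.
param(
    [Parameter(Mandatory)] [string] $PfxPath,   # .pfx exported from IIS in step 2
    [Parameter(Mandatory)] [string] $OutDir     # existing directory for the signer .cer files
)
$OutDir   = (Resolve-Path $OutDir).Path         # .NET file APIs need an absolute path
$password = Read-Host -AsSecureString -Prompt 'PFX export password'

# Get-PfxData (PKI module) reads the file without importing anything
# into a Windows certificate store.
$pfx  = Get-PfxData -FilePath $PfxPath -Password $password
$leaf = $pfx.EndEntityCertificates | Select-Object -First 1
if (-not $leaf) { throw "No personal (end-entity) certificate found in $PfxPath" }

# Build the chain, offering the certificates bundled in the .pfx as
# candidates alongside the Windows stores.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # only the chain order matters here
foreach ($c in $pfx.OtherCertificates) { [void]$chain.ChainPolicy.ExtraStore.Add($c) }
if (-not $chain.Build($leaf)) {
    # An incomplete or untrusted chain means a signer is missing or unknown.
    $chain.ChainStatus | ForEach-Object {
        Write-Warning "$($_.Status): $($_.StatusInformation.Trim())"
    }
}

# Element 0 is the Personal Certificate; every element after it is a signer.
$der = [System.Security.Cryptography.X509Certificates.X509ContentType]::Cert
$i = 0
foreach ($element in $chain.ChainElements) {
    $cert = $element.Certificate
    if ($i -eq 0) {
        Write-Host "Personal: $($cert.Subject) (expires $($cert.NotAfter.ToString('yyyy-MM-dd')))"
    } else {
        $file = Join-Path $OutDir ("signer{0}.cer" -f $i)
        # Export(Cert) yields the DER-encoded public certificate, never the key.
        [System.IO.File]::WriteAllBytes($file, $cert.Export($der))
        Write-Host "Signer $i : $($cert.Subject) -> $file"
    }
    $i++
}
```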