Importing a personal certificate into a key repository on UNIX, Linux, and Windows

Follow this procedure to import a personal certificate

Before importing a personal certificate in PKCS #12 format into the key database file, you must first add the full valid chain of issuing CA certificates to the key database file (see Adding a CA certificate, or the public part of a self-signed certificate, into a key repository on UNIX, Linux, and Windows ).

PKCS #12 files should be considered temporary and deleted after use.

Using strmqikm

If you need to manage TLS certificates in a way that is FIPS-compliant, use the runmqakm command. strmqikm does not provide a FIPS-compliant option.

Perform the following steps on the machine to which you want to import the personal certificate:

Start the GUI using the strmqikm command .
From the Key Database File menu, click Open. The Open window displays.
Click Key database type and select CMS (Certificate Management System).
Click Browse to navigate to the directory that contains the key database files.
Select the key database file to which you want to add the certificate, for example key.kdb.
Click Open. The Password Prompt window displays.
Type the password you set when you created the key database and click OK. The name of your key database file displays in the File Name field.
In the Key database content field, select Personal Certificates.
If there are certificates in the Personal Certificates view, follow these steps:
1. Click Export/Import. The Export/Import key window is displayed.
2. Select Import Key.
If there are no certificates in the Personal Certificates view, click Import.
Select the Key file type of the certificate you want to import, for example PKCS12.
Type the certificate file name and location where the certificate is stored, or click Browse to select the name and location.
Click OK. The Password Prompt window displays.
In the Password field, type the password used when the certificate was exported.
Click OK. The Change Labels window is displayed. You can change the labels of certificates being imported if, for example, a certificate with the same label already exists in the target key database. Changing certificate labels has no effect on certificate chain validation. To associate the certificate with a particular queue manager or IBM® MQ MQI client, IBM MQ uses either the value of the CERTLABL attribute, if it is set, or the default ibmwebspheremq with the name of the queue manager or IBM MQ MQI client user logon ID appended, all in lowercase. See Digital certificate labels for details.
To change a label, select the required label from the Select a label to change list. The label is copied into the Enter a new label entry field. Replace the label text with that of the new label and click Apply.
The text in the Enter a new label entry field is copied back into the Select a label to change field, replacing the originally selected label and so relabelling the corresponding certificate.
When you have changed all the labels that needed to be changed, click OK. The Change Labels window closes, and the original IBM Key Management window reappears with the Personal Certificates and Signer Certificates fields updated with the correctly labeled certificates.
The certificate is imported to the target key database.

Using the command line

To import a personal certificate using runmqckm, use the following command:

On UNIX, Linux®, and Windows:


runmqckm -cert -import -file filename -pw password -type pkcs12 -target filename
-target_pw password -target_type cms -label label

where:

-file filename is the fully qualified file name of the file containing the PKCS #12 certificate.

-pw password is the password for the PKCS #12 certificate.

-type pkcs12 is the type of the file.

-target filename is the name of the destination CMS key database.

-target_pw password is the password for the CMS key database.

-target_type cms is the type of the database specified by -target

-label label is the label of the certificate to import from the source key database.

-new_label label is the label that the certificate will be assigned in the target database. If you omit -new_label option, the default is to use the same as the -label option.

-fips specifies that the command is run in FIPS mode. When in FIPS mode, the ICC component uses algorithms that have been FIPS 140-2 validated. If the ICC component does not initialize in FIPS mode, the runmqakm command fails.

runmqckm does not provide a command to change certificate labels directly. Use the following steps to change a certificate label:

Export the certificate to a PKCS #12 file using the -cert -export command. Specify the existing certificate label for the -label option.
Remove the existing copy of the certificate from the original key database using the -cert -delete command.
Import the certificate from the PKCS #12 file using the -cert -import command. Specify the old label for the -label option and the required new label for the -new_label option. The certificate will be imported back into the key database with the required label.