Importing from a Microsoft .pfx file

Follow this procedure to import from a Microsoft .pfx file using iKeyman. You cannot use runmqakm to import a .pfx file.

A .pfx file can contain two certificates relating to the same key. One is a personal or site certificate (containing both a public and private key). The other is a CA (signer) certificate (containing only a public key). These certificates cannot coexist in the same CMS key database file, so only one of them can be imported. Also, the "friendly name" or label is attached only to the signer certificate.

The personal certificate is identified by a system generated Unique User Identifier (UUID). This section shows the import of a personal certificate from a pfx file while labeling it with the friendly name previously assigned to the CA (signer) certificate. The issuing CA (signer) certificates should already be added to the target key database. Note that PKCS#12 files should be considered temporary and deleted after use.

Follow these steps to import a personal certificate from a source pfx key database:

  1. Start the iKeyman GUI using the strmqikm command (on Linux®, UNIX or Windows). The IBM® Key Management window is displayed.
  2. From the Key Database File menu, click Open. The Open window is displayed.
  3. Select a key database type of PKCS12.
  4. It is recommended that you take a backup of the pfx database before performing this step. Select the pfx key database that you want to import. Click Open. The Password Prompt window is displayed.
  5. Enter the key database password and click OK. The IBM Key Management window is displayed. The title bar shows the name of the selected pfx key database file, indicating that the file is open and ready.
  6. Select Signer Certificates from the list. The "friendly name" of the required certificate is displayed as a label in the Signer Certificates panel.
  7. Select the label entry and click Delete to remove the signer certificate. The Confirm window is displayed.
  8. Click Yes. The selected label is no longer displayed in the Signer Certificates panel.
  9. Repeat steps 6, 7, and 8 for all the signer certificates.
  10. From the Key Database File menu, click Open. The Open window is displayed.
  11. Select the target CMS key database into which the pfx file is being imported. Click Open. The Password Prompt window is displayed.
  12. Enter the key database password and click OK. The IBM Key Management window is displayed. The title bar shows the name of the selected key database file, indicating that the file is open and ready.
  13. Select Personal Certificates from the list.
  14. If there are certificates in the Personal Certificates view, follow these steps:
    1. Click Export/Import key. The Export/Import key window is displayed.
    2. Select Import from Choose Action Type.
  15. If there are no certificates in the Personal Certificates view, click Import.
  16. Select the PKCS12 file.
  17. Enter the name of the pfx file as used in Step 4. Click OK. The Password Prompt window is displayed.
  18. Specify the same password that you specified when you deleted the signer certificate. Click OK.
  19. The Change Labels window is displayed (as there should be only a single certificate available for import). The label of the certificate should be a UUID which has a format xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.
  20. To change the label select the UUID from the Select a label to change: panel. The label will be replicated into the Enter a new label: field. Replace the label text with that of the friendly name that was deleted in Step 7 and click Apply. The friendly name must be in the form ibmwebspheremq, followed by the queue manager name or the WebSphere® MQ MQI client user logon ID in lowercase.
  21. Click OK. The Change Labels window is now removed and the original IBM Key Management window reappears with the Personal Certificates and Signer Certificates panels updated with the correctly labeled personal certificate.
  22. The pfx personal certificate is now imported to the (target) database.

It is not possible to change a certificate label using iKeycmd.
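As an added example for the procedure above (not part of the IBM documentation), the following shell script uses openssl to build a throwaway .pfx file and inspect it the way you would before an iKeyman import: it counts the certificates it holds, shows which entry is the personal certificate, reads the friendly name off the signer entry, and derives the ibmwebspheremq label. The CA name, the queue manager name QM1, the friendly name and the password are all constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the IBM documentation. Builds a constructed PKCS#12
# (.pfx) file with openssl and inspects it before an iKeyman import.
# Every name, path and password here is constructed for the demo.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT      # PKCS#12 files are temporary: delete after use
PFX="$WORK/constructed.pfx"
PASS="pass:examplepfx"          # constructed demo password
QMGR="QM1"                      # constructed queue manager name

# Constructed CA (signer) certificate, and a site certificate it signs.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj "/CN=$QMGR" \
    -keyout "$WORK/site.key" -out "$WORK/site.csr" 2>/dev/null
openssl x509 -req -days 1 -in "$WORK/site.csr" -CA "$WORK/ca.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/site.pem" 2>/dev/null

# Bundle key + site cert + CA cert into one .pfx. As in the Microsoft export
# described above, only the CA certificate gets a friendly name (-caname).
openssl pkcs12 -export -inkey "$WORK/site.key" -in "$WORK/site.pem" \
    -certfile "$WORK/ca.pem" -caname "example-friendly-name" \
    -out "$PFX" -passout "$PASS"

# Number of certificates in the .pfx (site + CA = 2; only one can be imported).
pfx_cert_count() {
    openssl pkcs12 -in "$PFX" -nokeys -passin "$PASS" 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}
# Subject of the personal certificate only (-clcerts): the entry that owns
# the private key and that iKeyman imports.
pfx_personal_subject() {
    openssl pkcs12 -in "$PFX" -clcerts -nokeys -passin "$PASS" 2>/dev/null \
        | openssl x509 -noout -subject
}
# Friendly name stored on the CA (signer) entry (-cacerts); this is the
# name that has to be reapplied as the personal certificate's label.
pfx_signer_friendly_name() {
    openssl pkcs12 -in "$PFX" -cacerts -nokeys -passin "$PASS" 2>/dev/null \
        | sed -n 's/^ *friendlyName: *//p'
}
# Label the queue manager expects: ibmwebspheremq + queue manager name, lowercase.
expected_label() {
    printf 'ibmwebspheremq%s\n' "$1" | tr '[:upper:]' '[:lower:]'
}
```

Run it as is to see the inspection results; for a real Microsoft export, point PFX at that file and PASS at its password instead of the constructed ones.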