This assumes you have reviewed Getting Started with IBM Global Security Kit (GSKit) and that you have created a key database.
You can use either the -add or -import options to add a certificate into the Key Database.
When the objective is to update the KDB file to contain the certificate being used by the IHS web server for SSL, -import MUST be used. The reason -import must be used is because the -add option would set the certificate as a "trusted" certificate in the KDB file. The -import option sets the certificate as "personal" in the KDB file. In order for IHS to be able to produce SSL/HTTPS web pages, the certificate being used for SSL must be "personal". The list option can be used to determine if a certificate is "trusted" or "personal".
Additionally, when the objective is to update the KDB file to contain the certificate being used by the IHS web server for SSL, you typically want to flag the certificate being used for SSL as the default certificate in the KDB file. Technically, this is not required if the httpd.conf file has the "SSLServerCert" directive. Setting the certificate as "default" tells IHS to use the "default" certificate in the KDB file when "SSLServerCert" is not found in the httpd.conf file.
ihs_home/gsk8/bin/gsk8capicmd_64 -cert -add -file "source crt cer pem file" -label "certificate name" -db "key database kdb file" -stashed or -target_pw "key database password"
Import - Notice the source password is not wrapped in double quotes. Wrapping the source password in double quotes can cause the import to fail.
ihs_home/gsk8/bin/gsk8capicmd_64 -cert -import -file "source p12 or pfx file" -pw source password -type "source file type - cms | kdb | pkcs7 | pkcs12 | p12" -target "target file - cms | kdb | pkcs11 | pkcs12 | p12" -target_pw "target file password" or -stashed -target_type "target file type - cms | kdb | pkcs11 | pkcs12 | p12" -label "certificate name in source file" -new_label "certificate name - optional"