FreeKB - IBM Global Security Kit (GSKit) Import a certificate into a Key Database file

Let's say you have a key database file named key.kdb, and you want to add/import a certificate into key.kdb.

ls -l /shared/qmgrs/MANAGER01/ssl/

-rw------- 1 root root 1415 Jun  4  2020 key.kdb

 

The -add option (see below) can be used when the certificate being added exists in a .cer, .crt, or .pem file.

IMPORTANT

The certificate will be "trusted" in the kdb.

 

The -import option (see below) can be used when the certificate being added exists in a .p12 or .pfx file. 

IMPORTANT

The certificate will be "personal" in the kdb.

The p12 or pfx file must include the friendlyName attribute. The openssl pkcs12 command with the -info and -in options can be used to display the contents of the P12 or PFX file.

 

IMPORTANT

When the objective is to update the KDB file to contain the certificate being used by an IBM IHS web server for SSL, -import MUST be used for server certificates (i.e. not a root or intermediate certificate) and -add should be used for root and intermediate certificates.

-import sets the certificate as "personal" in the KDB file

-add sets the certificate as "trusted" in the KDB file

In order for IHS to be able to serve web pages over SSL/HTTPS, server certificates being used for SSL must be "personal" and root/intermediate certificates must be "trusted". The list option can be used to determine if a certificate is "trusted" or "personal".

Additionally, when the objective is to update the KDB file to contain the server certificate being used by the IHS web server for SSL, you typically want to flag the server certificate being used for SSL as the default certificate in the KDB file. Technically, this is not required if the httpd.conf file has the "SSLServerCert" directive. Setting the server certificate as "default" tells IHS to use the "default" certificate in the KDB file when "SSLServerCert" is not found in the httpd.conf file.

 

Add.

${install_root}/gsk8/bin/gsk8capicmd_64
-cert
-add
-file "source crt cer pem file"
-label "certificate name"
-db "key database kdb file"
-stashed or -target_pw "key database password"

 

Import - Notice the source password is not wrapped in double quotes. Wrapping the source password in double quotes can cause the import to fail.

${install_root}/gsk8/bin/gsk8capicmd_64
-cert
-import
-file "source p12 or pfx file"
-pw source password
-type "source file type - cms | kdb | pkcs7 | pkcs12 | p12"
-target "target file - cms | kdb | pkcs11 | pkcs12 | p12"
-target_pw "target file password" or -stashed
-target_type "target file type - cms | kdb | pkcs11 | pkcs12 | p12"
-label "certificate name in source file"
-new_label "certificate name - optional"
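The friendlyName requirement can be checked before running -import. The script below is an added example, not part of the original page: it reads the friendlyName from a P12 file with openssl pkcs12 -info and prints the matching -import command without running it. The function names, the P12_PW environment variable, the SOURCE_PASSWORD placeholder, the label ihs-server and the throwaway sample files are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not from the original page): pre-flight check of a P12/PFX file.

# Print each friendlyName found in the certificate bags of the P12 file "$1".
# The password is read from the P12_PW environment variable so that it does not
# appear in the process list. Returns non-zero if the file cannot be read or
# carries no friendlyName.
p12_friendly_names() {
    names=$(openssl pkcs12 -info -in "$1" -nokeys -passin env:P12_PW 2>/dev/null |
            sed -n 's/^ *friendlyName: //p' | sort -u)
    [ -n "$names" ] && printf '%s\n' "$names"
}

# Print (do not run) the -import command for P12 "$1" and target KDB "$2",
# using the friendlyName as -label. Refuses when no friendlyName is present.
print_import_command() {
    label=$(p12_friendly_names "$1") || {
        echo "no friendlyName in $1; re-export it with a name first" >&2
        return 1
    }
    printf '%s -cert -import -file "%s" -pw SOURCE_PASSWORD -type pkcs12 ' \
        '${install_root}/gsk8/bin/gsk8capicmd_64' "$1"
    printf -- '-target "%s" -stashed -target_type cms -label "%s"\n' "$2" "$label"
}

# Constructed sample data: one throwaway self-signed key pair exported twice,
# once with a friendlyName (-name) and once without.
make_sample_p12s() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=ihs.example.test" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null || return 1
    openssl pkcs12 -export -inkey "$dir/key.pem" -in "$dir/cert.pem" \
        -name "ihs-server" -passout env:P12_PW -out "$dir/named.p12" &&
    openssl pkcs12 -export -inkey "$dir/key.pem" -in "$dir/cert.pem" \
        -passout env:P12_PW -out "$dir/unnamed.p12"
}

# Demo on the constructed files: the first prints a command, the second is refused.
P12_PW=constructed-sample-pw; export P12_PW
tmp=$(mktemp -d)
if make_sample_p12s "$tmp"; then
    print_import_command "$tmp/named.p12" /shared/qmgrs/MANAGER01/ssl/key.kdb || true
    print_import_command "$tmp/unnamed.p12" /shared/qmgrs/MANAGER01/ssl/key.kdb || true
fi
rm -rf "$tmp"
```
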

 

 




Web design by yours truly - me, myself, and I   |   jeremy.canfield@freekb.net