Let's say you have a key database file named key.kdb, and you want to add or import a certificate into it.
ls -l /opt/ssl
-rw------- 1 root root 1415 Jun 4 2020 key.kdb
The -add option (see below) is used when the certificate being added exists in a .cer or .crt or .pem file.
IMPORTANT
The certificate will be "trusted" in the key database file.
The -import option (see below) is used when the certificate being added exists in a .p12 or .pfx file.
IMPORTANT
The certificate will be "personal" in the key database file.
The .p12 or .pfx file must include the friendlyName attribute. The openssl pkcs12 command with the -info and -in options can be used to display the contents of the .p12 or .pfx file, including the friendlyName of each certificate it contains.
IMPORTANT
When the objective is to update the KDB file to contain the certificate being used by an IBM IHS web server for SSL, -import MUST be used for the server certificate (that is, not a root or intermediate certificate) and -add should be used for root and intermediate certificates.
-import sets the certificate as "personal" in the KDB file
-add sets the certificate as "trusted" in the KDB file
In order for IHS to be able to serve SSL/HTTPS web pages, the server certificate being used for SSL must be "personal" and the root/intermediate certificates must be "trusted". The -list option can be used to determine whether a certificate is "trusted" or "personal".
Use the following command when the certificate being added exists in a .cer or .crt or .pem file.
${install_root}/gsk8/bin/gsk8capicmd_64
-cert
-add
-file "source crt cer pem file"
-label "certificate name"
-db "key database kdb file"
-stashed or -target_pw "key database password"
Use the following command when the certificate being added exists in a .p12 or .pfx file.
AVOID TROUBLE
Notice the source password is not wrapped in double quotes. Wrapping the source password in double quotes can cause the import to fail.
${install_root}/gsk8/bin/gsk8capicmd_64
-cert
-import
-file "source file, such as foo.p12 or foo.pfx"
-pw source file password
-type "source file type, such as p12 or pkcs12"
-label "certificate name in source file"
-new_label "certificate name - optional"
-target "target KDB file, such as bar.kdb"
-target_type kdb
-stashed or -target_pw "target KDB file password"
The -validate flag can then be used to determine if the certificates in the Key Database are valid.
~]# ${install_root}/gsk8/bin/gsk8capicmd_64 -cert -validate -db /path/to/example.kdb -stashed
my_root_ca : OK
my_intermediate_certificate : OK
my_server_certificate : OK
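The following script is an added example and is not part of the original article or of IBM's GSKit. It ties the steps above together: it picks -add (trusted) or -import (personal) from the file extension, checks a .p12/.pfx file for the friendlyName attribute that -import relies on (using openssl pkcs12 -info -in, and taking that friendlyName as the -label), builds the gsk8capicmd_64 command line with the source password passed without double quotes, and filters the -validate output for labels that are not OK. The GSKIT_BIN path is a placeholder, the KDB password is assumed to be stashed (-stashed), the optional -new_label is omitted, and the certificate and KDB names in the usage lines at the bottom are constructed; nothing is executed against a real KDB.

```shell
#!/bin/sh
# Added example, not from the original article or from GSKit.
# Placeholder install path: set GSKIT_BIN to your ${install_root}/gsk8/bin/gsk8capicmd_64.
GSKIT_BIN="${GSKIT_BIN:-/opt/IBM/HTTPServer/gsk8/bin/gsk8capicmd_64}"

# Print "add" for files that become trusted certificates (.cer/.crt/.pem) and
# "import" for files that become personal certificates (.p12/.pfx). Any other
# extension fails, so a mis-named file cannot silently land in the wrong mode.
kdb_action_for_file() {
    case "$1" in
        *.cer|*.crt|*.pem) echo add ;;
        *.p12|*.pfx)       echo import ;;
        *)                 echo "unsupported file type: $1" >&2; return 1 ;;
    esac
}

# Succeed when the PKCS#12 file exposes a friendlyName on its certificate bag.
# -nokeys keeps the private key out of the output; the bag attributes are still printed.
# Requires the openssl binary (assumed present).
p12_has_friendly_name() {
    file=$1; pw=$2
    openssl pkcs12 -info -in "$file" -passin "pass:$pw" -nokeys 2>/dev/null \
        | grep -q '^ *friendlyName:'
}

# Print the friendlyName of the first certificate bag; this is the -label that
# -import expects to find in the source file.
p12_friendly_name() {
    file=$1; pw=$2
    openssl pkcs12 -info -in "$file" -passin "pass:$pw" -nokeys 2>/dev/null \
        | sed -n 's/^ *friendlyName: *//p' | head -n 1
}

# Print (do not run) the gsk8capicmd_64 command for a file. The source password
# ($4, only used for -import) is passed bare, without double quotes, as the
# article's AVOID TROUBLE note requires.
build_kdb_cmd() {
    file=$1; label=$2; kdb=$3; srcpw=$4
    action=$(kdb_action_for_file "$file") || return 1
    if [ "$action" = add ]; then
        printf '%s -cert -add -file "%s" -label "%s" -db "%s" -stashed\n' \
            "$GSKIT_BIN" "$file" "$label" "$kdb"
    else
        printf '%s -cert -import -file "%s" -pw %s -type pkcs12 -label "%s" -target "%s" -target_type kdb -stashed\n' \
            "$GSKIT_BIN" "$file" "$srcpw" "$label" "$kdb"
    fi
}

# Read "-cert -validate" output ("label : status" lines, as shown in the article)
# on stdin and print only the labels whose status is not OK.
validate_failures() {
    awk -F' : ' '$2 != "OK" { print $1 }'
}

# Usage with constructed file and label names; these only print the commands.
build_kdb_cmd ca_root.pem          "my_root_ca"              /opt/ssl/key.kdb
build_kdb_cmd ca_intermediate.pem  "my_intermediate_certificate" /opt/ssl/key.kdb
build_kdb_cmd web_server.p12       "my_server_certificate"   /opt/ssl/key.kdb 'p12secret'
```

Before importing a real .p12, run p12_has_friendly_name on it; if it fails, the file lacks the attribute the -import step needs and should be re-exported with a friendlyName. After loading, pipe the -validate output through validate_failures to get a short list of labels that still need attention.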