Often its necessary to import a private key and corresponding signed certificates in a WebSphere/IBM HTTP Server key file. One such instance is when the company global *.company.com certificate is updated by another team and you are given an exported key and certificate in the forms of a PEM key and a x509 certificate chain.
This method converts your key and certificate in a PKCS12 file which can then be imported into a WebSphere KDB/CMS file.
- PKCS12 conversion:
- If necessary create a new kdb (CMS) file:
gsk7cmd -keydb -create -db <new keyfile>.kdb -type cms -stashEnter a new password
- Ensure your signing authority is in the destination .kdb file:
gsk7cmd -cert -list -db <keyfile>.kdb -pw <password>If necessary add the CA certificate from the signing auth using
gsk7 -cert -addcommand.
- Import new PKCS12 file into new or existing keyfile
gsk7cmd -cert -import -file <PKCS file>.p12 -type pkcs12 -target <new/existing KDB>.kdb -target_type cms -target_pw <.kdb file passwd> -pw <PKCS12 passwd>Although its poor security to pass the password as an argument (and therefore saved to the shell history), I've noticed that .kdb/CMS handling doesn't always detect a password is required and bombs outs thinking there is a corruption.
openssl pkcs12 -in <certificate>.crt -inkey <keyfile>.pem -export -out <output file>.p12 -name "<alias>" -keypbe PBE-SHA1-RC2-40 -certpbe PBE-SHA1-RC2-40
Enter a password used to safeguard the PKCS12 and the private key within.
Where <value> is filled in accordingly:
|certificate||an x509 encoded certificate received from the CA|
|keyfile||a PEM encoded private key|
|output file||the output PKCS12 you wish to create|
|alias||The name of key/cert pair. Eg. "www.mycompang.com - 20090101 - 20100101"|
(The arguments to -certpbe and -keypbe are necessary to create gsk7 compatible PKCS12 files)