Often it's necessary to import a private key and its signed certificate into a WebSphere/IBM HTTP Server key file. One such case is when the company global * certificate is renewed by another team and you are handed an exported key and certificate as a PEM private key and an x509 certificate chain.

This method converts your key and certificate into a PKCS12 file, which can then be imported into a WebSphere KDB/CMS file.

  1. PKCS12 conversion:
    openssl pkcs12 -in <certificate>.crt -inkey <keyfile>.pem -export -out <output file>.p12 -name "<alias>" -certpbe <pbe> -keypbe <pbe>

    Enter a password used to safeguard the PKCS12 and the private key within.

    Where <value> is filled in accordingly:

    certificate   an x509 encoded certificate received from the CA
    keyfile       a PEM encoded private key
    output file   the output PKCS12 you wish to create
    alias         the name of the key/cert pair, e.g. " - 20090101 - 20100101"
    pbe           the password-based encryption algorithm for the certificate and key; the -certpbe and -keypbe arguments are necessary to create gsk7 compatible PKCS12 files
  2. If necessary create a new kdb (CMS) file:
    gsk7cmd -keydb -create -db <new keyfile>.kdb -type cms -stash
    Enter a new password.
  3. Ensure your signing authority is in the destination .kdb file:
    gsk7cmd -cert -list -db <keyfile>.kdb -pw <password>
    If necessary add the CA certificate from the signing authority using
    gsk7cmd -cert -add -db <keyfile>.kdb -pw <password> -label "<CA label>" -file <CA certificate>.crt -format ascii
  4. Import the new PKCS12 file into the new or existing keyfile:
    gsk7cmd -cert -import -file <PKCS file>.p12 -type pkcs12 -target <new/existing KDB>.kdb -target_type cms -target_pw <.kdb file passwd> -pw <PKCS12 passwd>
    Although it's poor security to pass the password as an argument (and therefore have it saved to the shell history), I've noticed that .kdb/CMS handling doesn't always detect a password is required and bombs out thinking there is a corruption.
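The PKCS12 conversion step, scripted as an added example that is not part of the original post: it checks that the key and certificate belong together before bundling them, takes the PKCS12 password from an environment variable instead of the command line, and reads the stored alias back as a sanity check. The function names and the P12_PASS variable are mine, and PBE-SHA1-3DES is my assumption for the gsk7-compatible -certpbe/-keypbe algorithm, which the post does not name.

```sh
#!/bin/sh
# Added example, not from the original post. Bundles a PEM key and an x509
# certificate (chain) into a PKCS12 suitable for gsk7cmd -cert -import.
set -eu

# SHA-256 of the DER-encoded public key, taken from a private key file or a
# certificate. Comparing public keys works for RSA and EC alike, unlike the
# usual RSA-only modulus comparison.
pubkey_digest_of_key() {
    openssl pkey -in "$1" -pubout -outform DER | openssl sha256 | sed 's/^.* //'
}
pubkey_digest_of_cert() {
    openssl x509 -in "$1" -pubkey -noout | openssl pkey -pubin -outform DER \
        | openssl sha256 | sed 's/^.* //'
}

# Succeeds only when <keyfile> matches the first certificate in <certificate>.
key_matches_cert() {
    [ "$(pubkey_digest_of_key "$1")" = "$(pubkey_digest_of_cert "$2")" ]
}

# Usage: make_p12 <certificate>.crt <keyfile>.pem <output file>.p12 "<alias>"
# The PKCS12 password is read from P12_PASS (assumed variable name) so it is
# not visible in the shell history or in `ps`. PBE-SHA1-3DES is an assumption
# for the gsk7-compatible value of -certpbe/-keypbe; the post gives no value.
make_p12() {
    cert=$1 key=$2 out=$3 alias=$4
    : "${P12_PASS:?P12_PASS must be set to the PKCS12 password}"
    export P12_PASS
    if ! key_matches_cert "$key" "$cert"; then
        echo "refusing to bundle: $key does not match $cert" >&2
        return 1
    fi
    openssl pkcs12 -export -in "$cert" -inkey "$key" -out "$out" -name "$alias" \
        -certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES -passout env:P12_PASS
    chmod 600 "$out"   # the bundle holds the private key; keep it owner-only
}

# Usage: p12_alias <output file>.p12 -> prints the friendlyName stored in the
# bundle, i.e. the label gsk7cmd will show after the import.
p12_alias() {
    : "${P12_PASS:?P12_PASS must be set to the PKCS12 password}"
    export P12_PASS
    openssl pkcs12 -in "$1" -info -nokeys -passin env:P12_PASS 2>/dev/null \
        | sed -n 's/^ *friendlyName: //p' | head -n 1
}
```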