Import a certificate from a key database that was created
with an earlier version of the GSKCapiCmd commands
into a key database that is created with a later version of the GSKCapiCmd commands.
Before you begin
To export a certificate from a source computer and to import
the certificate on a target computer, the following conditions must
be met:
- The source computer must contain an earlier version of GSKit.
- The target computer must contain a later version of GSKit. IBM® Security Directory
Server, Version 6.4 requires GSKit, Version 8.0.55.26.
About this task
If you have a valid key database file with a certificate
created with an earlier version of the GSKCapiCmd commands,
export the certificate to a target computer.
Reuse the certificate with a key database file created with a later version of
the GSKCapiCmd commands to resolve compatibility issues with the later version of
GSKit.
Procedure
- Log in as a directory server instance owner to the computer that contains an earlier version
of GSKit. For example, GSKit, version 7.
- To create a CMS key database, run the following command:
Note: If your computer contains 32-bit GSKit, use the gsk7capicmd command. If your computer contains 64-bit GSKit, use the gsk7capicmd_64 command.
gsk7capicmd -keydb -create -db source.kdb -pw myPwd123 -type cms -expire 1000 -stash -fips
- To create a self-signed certificate with a key size of 2048 and a hashing algorithm of sha384,
run the following command:
gsk7capicmd -cert -create -db source.kdb -pw myPwd123 -label testlabel -dn "cn=LDAP_Server.com,ou=myDept,o=sample" -size 2048 -fips -sigalg sha384 -expire 1000
- To export a certificate with a specific label from a CMS key database to another CMS key database
in the /transfer/ directory, run the following command:
gsk7capicmd -cert -export -db source.kdb -pw myPwd123 -label testlabel -type cms -target /transfer/test.kdb -target_pw myPwd123 -target_type cms
- To verify the certificate in the /transfer/test.kdb file,
run the following command:
gsk7capicmd -cert -list -db /transfer/test.kdb -pw myPwd123
- Transfer the key database and its related files in the /transfer/ directory
to the target computer.
- To import the certificate from a CMS key database to another CMS key database,
run the following command from a later version of GSKit:
Note: If your computer contains 32-bit GSKit, use the gsk8capicmd command. If your
computer contains 64-bit GSKit, use the gsk8capicmd_64 command.
gsk8capicmd_64 -cert -import -db /transfer/test.kdb -pw myPwd123 -label testlabel -type cms -target /target/target.kdb -target_pw myPwd123 -target_type cms -new_label testlabel
If the command completes the operation successfully, the certificate is available in both the source
and target key databases.
- To verify the certificate in the /target/target.kdb file,
run the following command:
gsk8capicmd_64 -cert -list -db /target/target.kdb -pw myPwd123
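The transfer step in this procedure moves the key database and its related files between computers. The following shell functions are an added example, not part of the IBM documentation: they record SHA-256 checksums on the source computer and, on the target computer, confirm before the import that the files arrived unaltered and are accessible only to their owner. The function names, the manifest file name, and the .rdb, .crl, and .sth extensions for the related files are assumptions.

```shell
#!/bin/sh
# Added example, not IBM code. Assumption: the related files of a CMS key
# database share its base name (.rdb, .crl, and the .sth stash file).

# kdb_manifest DIR
# Source computer: print SHA-256 checksums of the key database files in DIR.
kdb_manifest() {
    (
        cd "$1" || exit 1
        for f in *.kdb *.rdb *.crl *.sth; do
            if [ -f "$f" ]; then sha256sum "$f"; fi
        done
    )
}

# kdb_verify DIR MANIFEST
# Target computer, before the import: fail if a file is missing or altered,
# or if group or others hold any permission on it. The stash file stores the
# key database password in recoverable form, so it must stay owner-only.
kdb_verify() {
    dir=$1
    manifest=$2
    rc=0
    # The manifest is opened before the cd, so a relative path still works.
    ( cd "$dir" && sha256sum -c - >/dev/null ) <"$manifest" || rc=1
    for f in "$dir"/*.kdb "$dir"/*.rdb "$dir"/*.crl "$dir"/*.sth; do
        [ -f "$f" ] || continue
        # Mode string must show no group/other bits, e.g. -rw-------
        case $(ls -ld "$f") in
            -???------*) ;;
            *) echo "too permissive: $f" >&2; rc=1 ;;
        esac
    done
    return "$rc"
}

# Usage (directory from the procedure; the manifest name is constructed):
#   kdb_manifest /transfer > kdb.sha256      # on the source computer
#   kdb_verify /transfer kdb.sha256          # on the target computer
```

Send the manifest over a separate channel from the key database files if the check is meant to detect tampering and not only transfer errors.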
What to do next
To use the key database with the imported certificates in
a directory server instance, add the key database files and related
details in the instance.