[AIX, Linux, Windows]

Importing a personal certificate from a Microsoft .pfx file

Follow this procedure to import a certificate from a Microsoft .pfx file on AIX®, Linux®, and Windows.

A .pfx file can contain two certificates relating to the same key. One is a personal or site certificate that contains both a public and private key. The other is a CA (signer) certificate that contains only a public key. These certificates cannot coexist in the same CMS key repository, so only one of them can be imported.

The certificate label is attached to only the signer certificate. The personal certificate is identified by a system-generated Unique User Identifier (UUID). Follow this procedure to import a personal certificate from a .pfx file and set the personal certificate label to the label that is assigned to the CA certificate in the .pfx file. The issuing CA certificates should already be added to the target key database.

Using runmqakm

Issue the following command to import a certificate from a .pfx file with the runmqakm command:
runmqakm -cert -import -file filename -pw password -type pkcs12
         -target filename -target_pw password -target_type type
         -label label -new_label label -fips -pfx
where:
-file filename
Specifies the fully qualified name of the .pfx file.
-pw password
Specifies the password for the .pfx file.
-type pkcs12
Specifies the type of the key repository.
-target filename
Specifies the fully qualified file name of the destination key repository. The key repository is created if it does not exist.
-target_pw password
Specifies the password for the destination key repository.
-target_type type
Specifies the type of the destination key repository. The value can be cms or pkcs12. The default is cms.
-label label
Specifies the label of the certificate to import from the source key repository. The certificate label is case-sensitive.
-new_label label
Specifies the label that is assigned to the certificate in the target key repository. If this parameter is not specified, the same label is assigned to the certificate as in the source key repository.
-fips
Specifies that the command is run in FIPS mode. When in FIPS mode, the IBM® Crypto for C (ICC) component uses algorithms that have been FIPS 140-2 validated. If the ICC component does not initialize in FIPS mode, the runmqakm command fails.
-pfx
Indicates that the source key repository uses the PFX format.
For more information about these parameters and the values that can be specified, see runmqakm -cert.
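
The import syntax above, wrapped in a POSIX shell function that validates its inputs and keeps the two passwords out of the script; this is an added example, not IBM's code. The function name and the PFX_PW, TARGET_PW, FIPS and DRY_RUN variables are assumptions of this sketch.

```sh
#!/bin/sh
# Added example (not IBM's code). PFX_PW, TARGET_PW, FIPS and DRY_RUN are
# variable names assumed for this sketch. Passwords come from the environment
# so they are not hard-coded in the script.

import_pfx() {
    # usage: import_pfx <pfx file> <target repository> <cms|pkcs12> <label> <new label>
    [ "$#" -eq 5 ] || { echo "usage: import_pfx pfx target type label new_label" >&2; return 2; }
    ip_pfx=$1 ip_target=$2 ip_type=$3 ip_label=$4 ip_new=$5

    [ -r "$ip_pfx" ] || { echo "cannot read $ip_pfx" >&2; return 2; }
    case "$ip_type" in
        cms|pkcs12) ;;   # the only values the page lists for -target_type
        *) echo "target type must be cms or pkcs12" >&2; return 2 ;;
    esac
    # Labels are case-sensitive, so they are passed through unchanged.
    [ -n "$ip_label" ] && [ -n "$ip_new" ] || { echo "labels must not be empty" >&2; return 2; }
    [ -n "${PFX_PW:-}" ] && [ -n "${TARGET_PW:-}" ] || { echo "set PFX_PW and TARGET_PW" >&2; return 2; }

    ip_pw=$PFX_PW ip_tpw=$TARGET_PW
    if [ "${DRY_RUN:-0}" = 1 ]; then
        ip_pw='********' ip_tpw='********'   # never echo the real passwords
    fi

    set -- -cert -import -file "$ip_pfx" -pw "$ip_pw" -type pkcs12 \
        -target "$ip_target" -target_pw "$ip_tpw" -target_type "$ip_type" \
        -label "$ip_label" -new_label "$ip_new" -pfx
    # -fips is opt-in here: the command fails if ICC cannot start in FIPS mode.
    if [ "${FIPS:-0}" = 1 ]; then
        set -- "$@" -fips
    fi

    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' runmqakm "$@"   # masked command, one argument per line
    else
        runmqakm "$@"
    fi
}

# Run the import when the script is called with the five arguments.
if [ "$#" -ge 5 ]; then
    import_pfx "$@"
fi
```

Setting DRY_RUN=1 prints the masked command for review before anything is written to the target key repository.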