  • 1.  Import pem file

    Posted Tue January 09, 2024 02:56 PM

    Good morning, I need some help importing a certificate from Digicert, the file is in PEM format.
    I have read the documentation, the first step is to create a new database.

    Here is the command:

    runmqckm -keydb -create -db key.kdb -pw <password> -stash

    I haven't understood if I should use the command runmqakm -cert -import or runmqckm -cert -add to add the certificate.

    Could you please help me?



    ------------------------------
    Emanuel Gonzalez
    ------------------------------


  • 2.  RE: Import pem file
    Best Answer

    IBM Champion
    Posted Tue January 09, 2024 05:37 PM

    hello,

    runmqckm -cert -add must be used to add a certificate linked to a certification chain to a store, the certificate being in .crt, .pem, ... format.
    This is typically the case for a CA certificate.

    runmqakm -cert -import must be used to import a personal certificate, which contains a certificate and its private key in a file in pkcs12 (.pfx or .p12) format.

    HTH, LMD.



    ------------------------------
    Luc-Michel Demey
    DEMEY CONSULTING
    lmd@demey-consulting.fr
    #IBMChampion
    ------------------------------



  • 3.  RE: Import pem file

    Posted Thu February 08, 2024 10:02 AM

    I have read the documentation several times but I feel very confused. I have two files of my certificate, private-stage.key and private-stage.pem, and mqm-stage.csr.

    First I created the vault with the following command:

    [mqm@ibm-mq-1a ssl]$ runmqakm -keydb -create -db key.kdb -pw PASSWORD -stash

    I try to import the csr but I see this error:

    [mqm@ibm-mq-1a ssl]$ runmqakm -cert -receive -file /home/mqm/mqm-stage.csr -db key.kdb
    Source database password : 
    CTGSK3026W The key file "/home/mqm/mqm-stage.csr" does not exist or cannot be read.
    CTGSK2017W An invalid database file type was encountered.CTGSK3009W One or more certificates in the keystore could not be loaded.

    The file does exist in the path.

    What am I doing wrong?


    ------------------------------
    Emanuel Gonzalez
    ------------------------------



  • 4.  RE: Import pem file

    IBM Champion
    Posted Fri February 09, 2024 05:41 AM

    If you have 2 pem files containing the key and the certificate and its signer chain, you first must use openssl to create a pkcs12 file where you set the key + certificates into 1 container. Make sure you assign a label to the certificate / key when using openssl.

    Then you can run

    # the password for the pkcs12 file gets prompted
    # the -target_stashed avoids having to enter the password for the kdb file
    # if you don't have a stash file yet, omit the -target_stashed param and get prompted for the password
    
    runmqakm -cert -import -db store.p12 -dbtype pkcs12 -target mykdb.kdb -target_stashed
    
    

    The corresponding openssl commands can be found browsing the web.

    Hope it helps



    ------------------------------
    Francois Brandelik
    ------------------------------



  • 5.  RE: Import pem file

    Posted Fri February 09, 2024 08:53 AM

    I don't understand what I'm doing wrong???

    [mqm@ibm-mq-1a ~]$ runmqckm -cert -import -file /home/mqm/archivo.p12 -pw PASSWORD -type p12 -target /var/mqm/qmgrs/KIUPNRS/ssl/key.kdb

    The input file '/home/mqm/archivo.p12' could not be found.

    Check the database path.



    ------------------------------
    Emanuel Gonzalez
    ------------------------------



  • 6.  RE: Import pem file

    IBM Champion
    Posted Mon February 12, 2024 05:36 AM
    Edited by Francois Brandelik Mon February 12, 2024 05:43 AM

    Change your command to the following

    runmqakm -cert -import -db /home/mqm/archivo.p12 -pw PASSWORD -type p12 -target /var/mqm/qmgrs/KIUPNRS/ssl/key.kdb

    Notice the use of runmqakm instead of runmqckm, the use of -import -db instead of -import -file....

    You can also use runmqakm -cert -import -? to view the syntax...

    And make sure the .p12 file has the right permissions to be read by the user running the command



    ------------------------------
    Francois Brandelik
    ------------------------------
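The openssl step that post 4 leaves to the reader, followed by the runmqakm -cert -import form that post 6 corrects (-db rather than -file, runmqakm rather than runmqckm), as an added example that is not part of this thread and not IBM's or the posters' code. It reuses the file names from the thread (private-stage.key, private-stage.pem, mqm-stage.csr); the chain file name chain.pem, the output name store.p12, the password file p12.pass, the label ibmwebspheremqkiupnrs (the usual MQ label convention for a queue manager named KIUPNRS) and the kdb path are assumptions. Because the thread's real key and certificate are not available, the script generates a throwaway self-signed CA and leaf certificate as constructed test data so it runs stand-alone.

```shell
#!/bin/sh
# Added example, not code from the thread. Bundles a PEM private key, its
# certificate and the signer chain into one labelled PKCS#12 file, then
# imports that file into a CMS key database with runmqakm.
set -eu

# Constructed test data so the script runs without the real DigiCert files:
# a self-signed CA (standing in for the signer chain) and a leaf signed by it.
make_test_material() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Constructed Test CA" \
        -keyout "$dir/ca.key" -out "$dir/chain.pem" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=qm.example.test" \
        -keyout "$dir/private-stage.key" -out "$dir/mqm-stage.csr" >/dev/null 2>&1
    openssl x509 -req -days 2 -in "$dir/mqm-stage.csr" \
        -CA "$dir/chain.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/private-stage.pem" >/dev/null 2>&1
    # The PKCS#12 password lives in a 0600 file and is passed with -passout
    # file:, so it does not land in shell history or in `ps` output.
    printf '%s' 'constructed-p12-password' > "$dir/p12.pass"
    chmod 600 "$dir/p12.pass" "$dir/private-stage.key"
}

# Build the container. -name is the label GSKit shows after import (the
# "label" post 4 says to assign); -certfile appends the signer chain.
# If an older GSKit rejects the file, add -legacy to this openssl command
# (OpenSSL 3 only) so the container uses the older PKCS#12 encryption.
build_pkcs12() {
    dir="$1"; label="$2"
    openssl pkcs12 -export \
        -inkey "$dir/private-stage.key" \
        -in "$dir/private-stage.pem" \
        -certfile "$dir/chain.pem" \
        -name "$label" \
        -passout "file:$dir/p12.pass" \
        -out "$dir/store.p12"
    # The .p12 carries the private key: restrict it to the mqm user running
    # runmqakm (post 6's permission point).
    chmod 600 "$dir/store.p12"
}

# Check the container before handing it to runmqakm: it must open with the
# password and its certificate bag must carry the expected friendlyName.
verify_pkcs12() {
    dir="$1"; label="$2"
    openssl pkcs12 -in "$dir/store.p12" -passin "file:$dir/p12.pass" \
        -nokeys 2>/dev/null | grep -q "friendlyName: $label"
}

# The import itself, in the form post 6 gives (-db for the .p12, -target for
# the kdb). -target_stashed reads the kdb password from its .sth stash file,
# which runmqakm -keydb -create ... -stash produced. The command is only
# printed when runmqakm is not installed on this host.
import_into_kdb() {
    dir="$1"; kdb="$2"
    if ! command -v runmqakm >/dev/null 2>&1; then
        echo "runmqakm not found; on the MQ host run:" >&2
        echo "  runmqakm -cert -import -db $dir/store.p12 -type p12 -target $kdb -target_stashed" >&2
        return 0
    fi
    runmqakm -cert -import -db "$dir/store.p12" -type p12 \
        -pw "$(cat "$dir/p12.pass")" -target "$kdb" -target_stashed
    # Confirm the personal certificate shows up under its label.
    runmqakm -cert -list -db "$kdb" -stashed
}

# Usage: sh build_p12.sh /var/mqm/qmgrs/KIUPNRS/ssl/key.kdb [label]
# (assumed kdb path and label; with the real files, skip make_test_material)
if [ "$#" -ge 1 ]; then
    work=$(mktemp -d)
    make_test_material "$work"
    build_pkcs12 "$work" "${2:-ibmwebspheremqkiupnrs}"
    verify_pkcs12 "$work" "${2:-ibmwebspheremqkiupnrs}" && echo "store.p12 OK in $work"
    import_into_kdb "$work" "$1"
fi
```

With the real DigiCert material, drop the make_test_material call and point -inkey, -in and -certfile at private-stage.key, private-stage.pem and the downloaded intermediate/root chain. Note that the .csr is only a signing request; it is never imported into the kdb, which is why the -cert -receive attempt in post 3 fails.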