Export a certificate from IBM HTTP
To use a certificate with IBM HTTP, you must first have created a key database using the gskcmd tool.
Using gskcmd
The first step is to locate the gskcmd binaries. By default, they are in the bin subdirectory of the install directory. The binaries are called gskcmd.bat on Windows and gskcmd on other platforms.
You can also use the gskcapicmd tool to run most of the same tasks. This tool is designed to handle cryptographic devices, such as those using PKCS#11. It is in the same directory. The binaries are named gskcapicmd.bat on Windows and gskcapicmd on other platforms.
Export certificate and key
First, you will need to get your key database. You can export the certificate either as a PKCS#12 file or as a Java Keystore (JKS). Export to PKCS#12 for OpenSSL-based software, like Apache.
PKCS#12 example:
install_dir/bin/gskcmd -cert -export -legacy -db yourDatabase.kdb -stashed -stash yourDatabase.sth -target export.p12 -label monLabel -target_type pkcs12
Java Keystore (JKS) example:
install_dir/bin/gskcmd -cert -export -legacy -db yourDatabase.kdb -stashed -stash yourDatabase.sth -target export.jks -label myAlias -target_type JKS
Your certificate has now been exported and is ready to use.
Do you get the "pkcs12: Unrecognized flag legacy" error?
In this case, remove the "-legacy" parameter from the commands above.
OpenSSL version 3 needs the "-legacy" parameter to generate a PFX compatible with older software. OpenSSL version 1 generates a compatible PFX directly.
Technical parameters of a PFX
Use the following command to display the technical parameters of a PFX for debugging:
openssl pkcs12 -noout -info -in file.pfx
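The script below is an added example, not part of the original page or of IBM's or OpenSSL's tooling. It reads the text printed by the command above and reports whether the PFX uses the older encryption that "-legacy" produces or the OpenSSL 3 default. The function name pfx_profile and both sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the encryption used inside a PKCS#12/PFX file from
# the text printed by "openssl pkcs12 -noout -info".

# Constructed sample: typical -info text for a file written with OpenSSL 3 defaults.
SAMPLE_MODERN='MAC: sha256, Iteration 2048
MAC length: 32, salt length: 8
PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256
Certificate bag
PKCS7 Data
Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256'

# Constructed sample: typical -info text for a file written by OpenSSL 1 or with "-legacy".
SAMPLE_LEGACY='MAC: sha1, Iteration 2048
MAC length: 20, salt length: 8
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048'

# pfx_profile: read -info text on stdin and print one of
#   legacy  - at least one bag uses a PKCS#12 v1 PBE scheme (RC2 / 3DES with SHA-1)
#   modern  - every encrypted bag uses PBES2
#   unknown - no recognisable bag lines (wrong password, not a PFX, other scheme)
pfx_profile() {
    awk '
        /^(PKCS7 Encrypted data|Shrouded Keybag):/ {
            bags++
            if ($0 ~ /pbeWithSHA1And/) legacy++
            else if ($0 ~ /PBES2/)     pbes2++
        }
        END {
            if (legacy > 0)                     print "legacy"
            else if (bags > 0 && pbes2 == bags) print "modern"
            else                                print "unknown"
        }'
}

# Real use: sh pfx_profile.sh export.p12
# openssl prompts for the import password and writes the -info text to stderr.
if [ -n "${1:-}" ]; then
    openssl pkcs12 -noout -info -in "$1" 2>&1 | pfx_profile
fi
```

A "legacy" result is the format older software expects; a "modern" result on a file that an older consumer rejects points to a missing "-legacy" at export time.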