
Export a certificate from IBM HTTP

To use a certificate with IBM HTTP, you will need to have created a key database using the gskcapicmd tool.

Using gskcmd

The first step is to locate the gskcmd binaries. By default, they are located in the bin subdirectory of the install directory. The binaries are called gskcmd.bat on Windows and gskcmd on other platforms.

You can also use the gskcapicmd tool to run most of the same tasks. Its purpose is to handle cryptographic devices such as PKCS#11 tokens. The directory is the same. The binaries are named gskcapicmd.bat on Windows and gskcapicmd on other platforms.

Export certificate and key

First, you will need to get your key database. You can export the certificate either as a PKCS#12 file or as a Java Keystore (JKS). Export to PKCS#12 for OpenSSL-based software, like Apache. PKCS#12 example:

install_dir/bin/gskcmd -cert -export -legacy -db yourDatabase.kdb -stashed -stash yourDatabase.sth -target export.p12 -label monLabel -target_type pkcs12

Java Keystore (JKS) example:

install_dir/bin/gskcmd -cert -export -legacy -db yourDatabase.kdb -stashed -stash yourDatabase.sth -target export.jks -label myAlias -target_type JKS

Your certificate has now been exported and is ready to use.

Do you get the "pkcs12: Unrecognized flag legacy" error?

In this case, remove the "-legacy" parameter from the commands above.

OpenSSL version 3 needs the "-legacy" parameter to generate a PFX compatible with older software. OpenSSL version 1 generates a compatible PFX directly.

Technical parameters of a PFX

Use the following command to display the technical parameters of a PFX for debugging:

openssl pkcs12 -noout -info -in file.pfx
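As an added example (not part of the original page), the script below reads the text printed by that command and reports whether the PFX was written with the legacy algorithms (40-bit RC2 / Triple DES with SHA-1) or with the OpenSSL 3 defaults (PBES2 with AES). The function names are hypothetical and the two sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the encryption reported by
#   openssl pkcs12 -noout -info -in file.pfx
# Function names and sample text are constructed for illustration.

# Constructed sample: typical output for a PFX written with legacy algorithms.
SAMPLE_LEGACY='MAC: sha1, Iteration 2048
MAC length: 20, salt length: 8
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048'

# Constructed sample: typical output for a PFX written with OpenSSL 3 defaults.
SAMPLE_MODERN='MAC: sha256, Iteration 2048
MAC length: 32, salt length: 8
PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256
Certificate bag
PKCS7 Data
Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256'

# Read "-info" text on stdin; print legacy, modern or unknown.
classify_pfx_info() {
    awk '
        # Only the encrypted containers carry an algorithm description.
        /^(PKCS7 Encrypted data|Shrouded Keybag):/ {
            bags++
            if ($0 ~ /RC2|TripleDES|pbeWithSHA1/) legacy++
            else if ($0 ~ /PBES2/)                 modern++
        }
        END {
            if (bags == 0)           print "unknown"
            else if (legacy > 0)     print "legacy"   # one weak bag is enough
            else if (modern == bags) print "modern"
            else                     print "unknown"
        }'
}

# Run the command from the page on a real file (openssl prints -info to stderr).
classify_pfx_file() {
    openssl pkcs12 -noout -info -in "$1" 2>&1 | classify_pfx_info
}

printf 'legacy sample -> %s\n' "$(printf '%s\n' "$SAMPLE_LEGACY" | classify_pfx_info)"
printf 'modern sample -> %s\n' "$(printf '%s\n' "$SAMPLE_MODERN" | classify_pfx_info)"
```

A "legacy" result means the private key in the file is protected only by the older ciphers, so keep the export on restricted storage and delete it once it has been imported.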
