shelldweller |
Posted: Fri Aug 28, 2009 6:33 am Post subject: How to import personal certificate with gsk7cmd |
|
|
 Novice
Joined: 27 Aug 2009 Posts: 16
|
I wonder if someone can help a poor man with importing personal certificate into my key database. I'm working on Linux with the latest MQ Client.
I'm having a bit of trouble with specifying a label for my PKCS#12 cert. If I do something like:
Code: |
gsk7cmd -cert -import -file personal.pfx -type pkcs12 -target key.kdb -target_type cms -label ibmwebspheremq<name> |
I get the error: No key entry was found that has the specified key label.
In MQ Security guide under the section "Importing from a Microsoft .pfx file" there are some instructions for working with key management GUI tool:
Quote: |
The Change Labels window is displayed (as there should be only a single certificate available for import). The label of the certificate should be a UUID which has a format xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx. |
and then later on:
Quote: |
It is not possible to change a certificate label using IKEYCMD or GSKCapiCmd. |
Is there a hack to load my personal cert on Linux? Or is my only solution to run MQ client on Windows?
Many thanks in advance! |
 |
exerk |
Posted: Fri Aug 28, 2009 6:45 am Post subject: |
|
|
 Jedi Council
Joined: 02 Nov 2006 Posts: 6339
|
What is the certificate you are trying to import, e.g. a self-signed certificate? If so, export it in Base 64 encoded ASCII format, which will then be easily importable. _________________ It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
 |
shelldweller |
Posted: Fri Aug 28, 2009 6:50 am Post subject: |
|
|
 Novice
Joined: 27 Aug 2009 Posts: 16
|
No it's a real thing. I bought it from GeoTrust with Firefox and then exported it from there as PKCS#12 file. |
 |
exerk |
Posted: Fri Aug 28, 2009 7:01 am Post subject: |
|
|
 Jedi Council
Joined: 02 Nov 2006 Posts: 6339
|
shelldweller wrote: |
No it's a real thing. I bought it from GeoTrust with Firefox and then exported it from there as PKCS#12 file. |
I just tried a test with Firefox 3.5.2 and exported a certificate in PEM format, so try that instead of PKCS#12. Make sure you have the full GeoTrust chain in the key store into which you are importing your personal certificate.
And I always find it less painful to create the certificate request on the box where the certificate is to be used. |
 |
shelldweller |
Posted: Fri Aug 28, 2009 7:30 am Post subject: |
|
|
 Novice
Joined: 27 Aug 2009 Posts: 16
|
I'm not quite sure what to do with the PEM file. The MQ Security guide seems to talk only about importing personal certificate in PKCS #12 format and gsk7cmd -type option accepts only 2 values: "cms" and "pkcs12".
By the way, to get my PKCS#12 file I used the "backup" button in my Firefox (v.3.0.11). If I go to View -> Details -> Export I only see there PEM, DER and PKCS#7 options.
I completely agree with your comment about same platform. But it's a bit too late now (unless I request certificate reissue). This MQ Series project just fell upon my head and I have to learn as I work on it. So forgive me my ignorance. |
 |
exerk |
Posted: Fri Aug 28, 2009 7:37 am Post subject: |
|
|
 Jedi Council
Joined: 02 Nov 2006 Posts: 6339
|
shelldweller wrote: |
I'm not quite sure what to do with the PEM file. The MQ Security guide seems to talk only about importing personal certificate in PKCS #12 format and gsk7cmd -type option accepts only 2 values: "cms" and "pkcs12".
By the way, to get my PKCS#12 file I used the "backup" button in my Firefox (v.3.0.11). If I go to View -> Details -> Export I only see there PEM, DER and PKCS#7 options.
I completely agree with your comment about same platform. But it's a bit too late now (unless I request certificate reissue). This MQ Series project just fell upon my head and I have to learn as I work on it. So forgive me my ignorance. |
It's not ignorance, it's called being dropped in it from a great height - welcome to the MQ world!
Try: gsk7cmd -cert -import -file personal.pfx -pw <password> -type pkcs12 -target key.kdb -target_pw <password> |
 |
shelldweller |
Posted: Fri Aug 28, 2009 7:57 am Post subject: |
|
|
 Novice
Joined: 27 Aug 2009 Posts: 16
|
Hm, omitting the label did the trick. I was quite sure I tried this command before posting my question and got a complaint from gsk7cmd that label was required. Well I must have done something else then. User error.
I'll now need to figure out the label thing, but this points me in the right direction. Thank you.
 |
 |
shelldweller |
Posted: Fri Aug 28, 2009 8:35 am Post subject: |
|
|
 Novice
Joined: 27 Aug 2009 Posts: 16
|
Quote: |
I'll now need to figure out the label thing |
This makes me a bit dizzy. I can import my file (without -target_type and -label options):
Code: |
gsk7cmd -cert -import -file personal.pfx -type pkcs12 -target key.kdb |
And can see the thing in my key db:
Code: |
# gsk7cmd -cert -list personal -db key.kdb
A password is required to access this key database.
Please enter a password:
Certificates in database: ./key.kdb
firstname lastname's equifax secure inc. id |
What is my current label? If I try
Code: |
gsk7cmd -cert -details -label "firstname lastname's equifax secure inc. id" -db key.kdb |
gsk7cmd spits out eval errors.
What I really need to find out is how to import this certificate with a label that looks like "ibmwebspheremquserid". |
|
Back to top |
|
 |
exerk |
Posted: Fri Aug 28, 2009 8:52 am Post subject: |
|
|
 Jedi Council
Joined: 02 Nov 2006 Posts: 6339
|
Have a look HERE. |
 |
shelldweller |
Posted: Fri Aug 28, 2009 10:26 am Post subject: |
|
|
 Novice
Joined: 27 Aug 2009 Posts: 16
|
The article makes sense but to set a default certificate I need a label! How would I find it for the certificate that shows on my list like this: firstname lastname's equifax secure inc. id? |
 |
exerk |
Posted: Fri Aug 28, 2009 12:32 pm Post subject: |
|
|
 Jedi Council
Joined: 02 Nov 2006 Posts: 6339
|
I've hit the limit of my knowledge on this one as I tend to use the GSKit to generate certificate requests, and receive the subsequent signed certificate. When I do the receive, it goes in with the label name I gave it at generation time (ibmwebspheremq<etc.>) and I do not need to do anything with the label name, which seems to be embedded somewhere.
Try the following commands to see if they cast any light on it:
gsk7cmd -cert -list CA -db /var/mqm/qmgrs/<QMNAME>/ssl/<kdb name>.kdb -pw <password> -type cms
gsk7cmd -cert -list personal -db /var/mqm/qmgrs/<QMNAME>/ssl/<kdb name>.kdb -pw <password> -type cms
gsk7cmd -cert -getdefault -db /var/mqm/qmgrs/<QMNAME>/ssl/<kdb name>.kdb -pw <password> -type cms |
 |
shelldweller |
Posted: Fri Aug 28, 2009 12:56 pm Post subject: |
|
|
 Novice
Joined: 27 Aug 2009 Posts: 16
|
It lists it with that weird default name (which I cannot use as label) and there is no default registered.
I agree the normal procedure would be to create a cert request and then import it. For some reason I was instructed to go and purchase the certificate and then import it. I wasn't asked for certificate request when buying the certificate. Whatever.
I think I've got enough frustration with this to do something radical: change run level on the server and reboot it in X11 mode. According to IBM docs the GUI tool should do the trick.
Quote: |
I've hit the limit of my knowledge on this |
You've been more knowledgeable and supportive on this than the vendor with whom I am working in the project. The time you've spent answering my questions is greatly appreciated.
Cheers |
 |
shelldweller |
Posted: Wed Sep 09, 2009 6:59 am Post subject: gsk7ikm did the trick |
|
|
 Novice
Joined: 27 Aug 2009 Posts: 16
|
Adding personal certificate via GUI interface with gsk7ikm did the trick. The tool prompts me to change my label. Too bad there is no way to do this from command line. |
 |
exerk |
Posted: Wed Sep 09, 2009 11:48 am Post subject: Re: gsk7ikm did the trick |
|
|
 Jedi Council
Joined: 02 Nov 2006 Posts: 6339
|
shelldweller wrote: |
Adding personal certificate via GUI interface with gsk7ikm did the trick. The tool prompts me to change my label. Too bad there is no way to do this from command line. |
As far as I am aware, the GUI runs exactly the same commands as you would issue from the command line. When I get the opportunity, I'll have a hack around, see if I can find it, and feed back. Congratulations on getting it working, and thank you for posting the resolution. |
 |
nhenshall |
Posted: Wed Oct 28, 2009 2:50 am Post subject: Re: gsk7ikm did the trick |
|
|
Novice
Joined: 20 Aug 2007 Posts: 13 Location: Paris, France
|
I have the same problem. I am at a site which prefers the command line over the GUI utility, so my resolution of using the GUI is somewhat against the norm. I presume that using the command line involves more steps which the GUI is hiding?
exerk wrote: |
As far as I am aware, the GUI runs exactly the same commands as you would issue from the command line. |
|
 |
|
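Added example, not part of the thread and not IBM's documented procedure: one command-line approach to the label problem discussed above is to rewrite the PKCS#12 friendly name with OpenSSL before running the `gsk7cmd -cert -import` command from the thread. It assumes gsk7cmd takes the label from the friendly name (as the Firefox-style label in the listing above suggests); the function names, file names and the `P12_IN_PW` / `P12_OUT_PW` environment variables are hypothetical.

```shell
#!/bin/sh
# Added example (assumption: gsk7cmd uses the PKCS#12 friendlyName as the label).
# Passwords are read from environment variables so they do not appear in `ps`
# output or shell history: P12_IN_PW (source file), P12_OUT_PW (new file).

# relabel_p12 IN.p12 OUT.p12 LABEL
# Re-wraps the key and certificates from IN.p12 into OUT.p12 under LABEL.
relabel_p12() {
    in=$1; out=$2; label=$3
    (
        umask 077                         # key material readable by owner only
        tmp=$(mktemp -d) || exit 1
        trap 'rm -rf "$tmp"' EXIT         # remove the unencrypted key on any exit
        # Unpack key + certificate chain to a private temporary PEM file.
        openssl pkcs12 -in "$in" -passin env:P12_IN_PW -nodes \
            -out "$tmp/bundle.pem" || exit 1
        # Re-pack with the wanted friendly name, e.g. ibmwebspheremq<userid>.
        openssl pkcs12 -export -in "$tmp/bundle.pem" -name "$label" \
            -passout env:P12_OUT_PW -out "$out" || exit 1
    )
}

# p12_label FILE.p12 PW_ENV_VAR
# Prints the friendly name of the personal certificate, to check before import.
p12_label() {
    openssl pkcs12 -in "$1" -passin "env:$2" -nokeys -clcerts 2>/dev/null |
        sed -n 's/^ *friendlyName: //p' | head -n 1
}

# Typical use (file names as in the thread; relabeled.p12 is hypothetical):
#   export P12_IN_PW P12_OUT_PW
#   relabel_p12 personal.pfx relabeled.p12 'ibmwebspheremq<userid>'
#   p12_label relabeled.p12 P12_OUT_PW
#   gsk7cmd -cert -import -file relabeled.p12 -type pkcs12 -target key.kdb
```

OpenSSL 3.x may need its `-legacy` option on the first `openssl pkcs12` call to read older files encrypted with RC2. Delete the relabeled file once the import into the key database has been verified, since it holds a second copy of the private key.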