z/OS Cryptographic Services System SSL Programming


Importing a certificate from a file with its private key

SC14-7495-00

To store a certificate into a different key database format or on a different system together with its private key, the certificate must be exported from the source system into a PKCS #12 format file (see Copying a certificate with its private key for more information). PKCS #12 files are password-protected so that the private key information can be encrypted. If the CA certificate that is being imported was signed by another CA certificate, the complete chain must already be present in the key database file or z/OS® PKCS #11 token before the import. From the Key Management Menu or Token Management Menu, enter 8 to import a certificate and a private key:

Figure 1. Key Management Menu

       Key Management Menu

       Database: /home/sufwl1/ssl_cmd/anne.kdb
       Expiration Date: 2025/12/02  10:11:12

   1 - Manage keys and certificates
   2 - Manage certificates
   3 - Manage certificate requests
   4 - Create new certificate request
   5 - Receive requested certificate or a renewal certificate
   6 - Create a self-signed certificate
   7 - Import a certificate
   8 - Import a certificate and a private key
   9 - Show the default key
  10 - Store database password
  11 - Show database record length

   0 - Exit program

Enter option number (press ENTER to return to previous menu): 8 <enter>
Enter import file name (press ENTER to return to menu): cert.p12 <enter>
Enter import file password (press ENTER to return to menu): <enter password>
Enter label (press ENTER to return to menu): newcert <enter>

Certificate and key imported.

Press ENTER to continue.
===>

Figure 2. Token Management Menu

       Token Management Menu

       Token: TOKENABC

     Manufacturer: z/OS PKCS11 API
     Model: HCR77A0
     Flags: x00000509 (INITIALIZED, PROT AUTH PATH, USER PIN INIT, RNG)

   1 - Manage keys and certificates
   2 - Manage certificates
   3 - Manage certificate requests
   4 - Create new certificate request
   5 - Receive requested certificate or a renewal certificate
   6 - Create a self-signed certificate
   7 - Import a certificate
   8 - Import a certificate and a private key
   9 - Show the default key
  10 - Delete Token

   0 - Exit program

Enter option number (press ENTER to return to previous menu): 8 <enter>
Enter import file name (press ENTER to return to menu): cert.p12 <enter>
Enter import file password (press ENTER to return to menu): <enter password>
Enter label (press ENTER to return to menu): newcert <enter>

Certificate and key imported.

Press ENTER to continue.
===>

You are prompted to enter the certificate file name, password, and your choice of a unique label to be assigned to the certificate.

Once the certificate is imported, you receive a message indicating that the import was successful. The next step is to decide whether the certificate should be marked as the database's or token's default certificate. Setting the certificate as the default certificate allows it to be used by the SSL APIs without specifying its label. For more information about setting the default certificate, see Marking a certificate (and private key) as the default certificate.

A certificate and key can be imported into a FIPS key database provided the import file is in PKCS #12 Version 3 format with strong encryption. When adding certificates from the import file to a FIPS key database file, only certificates signed with FIPS signature algorithms using FIPS-approved key sizes may be imported. When processing a chain of certificates, processing of the chain terminates if a non-FIPS certificate is encountered; certificates that were processed before the failing certificate are added to the key database file. It is the responsibility of the importer to ensure that the file came from a source meeting FIPS 140-2 criteria in order to maintain adherence to the FIPS criteria.
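The following pre-import check is an added example, not part of this IBM documentation and not gskkyman code: it opens a PKCS #12 file with the OpenSSL command-line tool (assumed to be installed), lists every certificate it contains with its signature algorithm and key size, flags certificates that would stop chain processing under a simplified FIPS policy, and flags issuers that are not in the file and therefore must already be in the key database or token. The policy in fips_ok is an assumption standing in for the System SSL FIPS rules, which this page does not enumerate.

```shell
#!/bin/sh
# Added example, not IBM code or gskkyman: check a PKCS #12 file before choosing
# "8 - Import a certificate and a private key" on a FIPS key database.
# Assumes the OpenSSL CLI. The policy in fips_ok (no MD5/SHA-1, RSA >= 2048 bits,
# EC >= 224 bits) is a simplified stand-in for System SSL's FIPS rules, which are
# not listed on this page; adjust it to the rules of the target release.

# fips_ok SIGALG BITS: returns 0 when the signature algorithm and key size pass.
fips_ok() {
  case "$1" in
    *md5*|*MD5*|*sha1*|*SHA1*) return 1 ;;            # legacy digests never pass
    *ecdsa*)                   [ "$2" -ge 224 ] ;;
    *)                         [ "$2" -ge 2048 ] ;;   # RSA and anything else
  esac
}

# p12_check FILE PASSWORD: prints one line per certificate and returns 0 only if
# every certificate passes fips_ok. An issuer that is not in the file is flagged,
# because the chain must already be complete in the key database or token.
p12_check() {
  dir=$(mktemp -d) || return 2
  # Split the certificate bags of the PKCS #12 file into 1.pem, 2.pem, ...
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null |
    awk -v d="$dir" '/-----BEGIN CERT/ {n++; keep=1}
                     keep              {print > (d "/" n ".pem")}
                     /-----END CERT/   {keep=0}'
  if [ ! -f "$dir/1.pem" ]; then
    echo "no certificates read: wrong file or password?"; rm -rf "$dir"; return 2
  fi
  subjects=$(for p in "$dir"/*.pem; do
    openssl x509 -in "$p" -noout -subject | sed 's/^subject=//'; done)
  rc=0
  for p in "$dir"/*.pem; do
    txt=$(openssl x509 -in "$p" -noout -text -subject -issuer)
    subj=$(printf '%s\n' "$txt" | sed -n 's/^subject=//p')
    issuer=$(printf '%s\n' "$txt" | sed -n 's/^issuer=//p')
    sig=$(printf '%s\n' "$txt" | awk '/Signature Algorithm:/ {print $3; exit}')
    bits=$(printf '%s\n' "$txt" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    if fips_ok "$sig" "$bits"; then status=ok; else status=REJECT; rc=1; fi
    printf '%s\n' "$subjects" | grep -Fxq -- "$issuer" ||
      status="$status, issuer not in file (must already be in the key database)"
    echo "$subj | $sig | $bits bits | $status"
  done
  rm -rf "$dir"
  return $rc
}
```

Run it as `p12_check cert.p12 'password'` on the file you are about to import; a REJECT line marks the certificate at which a FIPS key database would stop processing the chain.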





Copyright IBM Corporation 1990, 2014