z/OS Cryptographic Services System SSL Programming


Copying a certificate with its private key

SC14-7495-00

To copy a certificate to a different key database format or to a different system with its private key, the certificate must be exported to a PKCS #12 formatted file. PKCS #12 files are password-protected to allow encryption of the private key information. From the Key Management Menu or Token Management Menu, select 1 - Manage keys and certificates to display a list of certificates with private keys. Find the label of the certificate to be copied and enter the number associated with the label. In the Key and Certificate Menu or Token Key and Certificate Menu, enter option 7 to export the certificate and private key to a file.

The Export File Format menu appears:

Figure 1. Export File Format

       Export File Format

     1 - Binary PKCS #12 Version 1
     2 - Base64 PKCS #12 Version 1
     3 - Binary PKCS #12 Version 3
     4 - Base64 PKCS #12 Version 3

Select export format (press ENTER to return to menu): 3 <enter>
Enter export file name (press ENTER to return to menu): expfile.p12 <enter>
Enter export file password (press ENTER to return to menu): <enter password>
Re-enter export file password: <enter password>
Enter 1 for strong encryption, 0 for export encryption: 1 <enter>

Certificate and key exported.

Press ENTER to continue.
 ===>

Figure 2. Export File Format

       Export File Format

     1 - Binary PKCS #12 Version 3
     2 - Base64 PKCS #12 Version 3

Select export format (press ENTER to return to menu): 1 <enter>
Enter export file name (press ENTER to return to menu): expfile.p12 <enter>
Enter export file password (press ENTER to return to menu): <enter password>
Re-enter export file password: <enter password>
Enter 1 for strong encryption, 0 for export encryption: 1 <enter>

Certificate and key exported.

Press ENTER to continue.
 ===>

The second display applies to z/OS® PKCS #11 tokens.

You are then prompted for the file format to use for the exported certificate information.

The file format is determined by the support on the receiving system. In most cases the format to be used is Binary PKCS #12 Version 3. When the receiving system implementation is z/OS System SSL V1R2 or earlier, the selected format must be Binary PKCS #12 Version 1. z/OS PKCS #11 tokens only support Version 3 PKCS #12 export. Export from a FIPS database must be PKCS #12 Version 3 using strong encryption.

After selecting the export format, you are asked for a file name and password. You then receive a message indicating that the certificate and key were exported. You can now transfer this file to the receiving system and import the certificate into its key database file or z/OS PKCS #11 token. If copying to a remote system, transfer the file in binary mode. For information about receiving the certificate into the key database file, see Importing a certificate from a file with its private key. Once the certificate has been received, it can be used to identify the program: for example, as the SSL server program's certificate or as the SSL client program's certificate.
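The checks a receiving system can run on the transferred file before importing it, as an added example that is not part of this IBM publication and not gskkyman code: a small pure-Python DER walker that reports the PFX version integer (a PKCS #12 Version 3 file as defined in RFC 7292 starts with INTEGER 3), whether the integrity MAC is present, and which password-based-encryption algorithms appear in the layers of the file that are readable without the password. The OIDs are the standard PKCS #12 values; the mapping of gskkyman's "strong" and "export" options to 3-key Triple DES and 40-bit RC2 is an assumption, as is the constructed, key-free sample PFX that `build_sample_pfx` produces (dummy salt, ciphertext and MAC bytes). A file that does not parse as a single DER SEQUENCE is usually either a Base64 export or a binary file that was transferred in text mode.

```python
# Added example (not IBM code): inspect a PKCS #12 (PFX) file's cleartext layers before import.
# OIDs are the standard RFC 7292 values. ASSUMPTION: gskkyman "strong" = 3-key Triple DES, "export" = 40-bit RC2.
OID_DATA, OID_ENCRYPTED_DATA, OID_SHA1 = "1.2.840.113549.1.7.1", "1.2.840.113549.1.7.6", "1.3.14.3.2.26"
OID_PBE_3DES, OID_PBE_40RC2 = "1.2.840.113549.1.12.1.3", "1.2.840.113549.1.12.1.6"
PBE_OIDS = {  # oid -> (name, is 40-bit "export" strength)
    OID_PBE_3DES: ("pbeWithSHAAnd3-KeyTripleDES-CBC", False),
    "1.2.840.113549.1.12.1.4": ("pbeWithSHAAnd2-KeyTripleDES-CBC", False),
    OID_PBE_40RC2: ("pbeWithSHAAnd40BitRC2-CBC", True),
}

def _read_tlv(buf, pos, limit):
    """Decode one DER tag/length at buf[pos] -> (tag, value_start, value_end)."""
    if pos + 2 > limit:
        raise ValueError("truncated element")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags not supported")
    if length & 0x80:  # long-form length: next n bytes hold the length
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > limit:
            raise ValueError("unsupported length encoding")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > limit:
        raise ValueError("element overruns its container")
    return tag, pos, pos + length

def _children(buf, start, end):
    items, pos = [], start  # the elements that exactly fill buf[start:end]
    while pos < end:
        items.append(_read_tlv(buf, pos, end))
        pos = items[-1][2]
    return items

def _decode_oid(raw):
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:  # base-128 arcs, high bit marks continuation
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, value = arcs + [value], 0
    return ".".join(map(str, arcs))

def _collect_oids(buf, start, end):
    """Gather OIDs readable without the password. OCTET STRINGs are parsed as
    nested DER (PKCS #12 nests structures that way); opaque bytes are skipped."""
    out = []
    for tag, vs, ve in _children(buf, start, end):
        if tag == 0x06:
            out.append(_decode_oid(buf[vs:ve]))
        elif tag & 0x20:  # constructed: SEQUENCE, SET, [n]
            out.extend(_collect_oids(buf, vs, ve))
        elif tag == 0x04:
            try:
                out.extend(_collect_oids(buf, vs, ve))
            except (ValueError, IndexError):
                pass  # ciphertext, salt or MAC bytes, not nested DER
    return out

def inspect_pfx(data):
    """Version, MAC presence and visible PBE algorithms of a binary PFX blob."""
    tag, vs, ve = _read_tlv(data, 0, len(data))
    if tag != 0x30 or ve != len(data):
        raise ValueError("not one DER SEQUENCE: Base64 export or text-mode transfer?")
    fields = _children(data, vs, ve)
    if len(fields) not in (2, 3) or fields[0][0] != 0x02:
        raise ValueError("expected SEQUENCE { version, authSafe, macData OPTIONAL }")
    seen = sorted(o for o in set(_collect_oids(data, vs, ve)) if o in PBE_OIDS)
    return {"version": int.from_bytes(data[fields[0][1]:fields[0][2]], "big"),
            "has_mac": len(fields) == 3,
            "pbe_algorithms": [PBE_OIDS[o][0] for o in seen],
            "export_grade": any(PBE_OIDS[o][1] for o in seen)}

def meets_strong_v3(report):
    """True when the file is Version 3, MAC-protected and uses no 40-bit PBE."""
    return report["version"] == 3 and report["has_mac"] and not report["export_grade"]

def _der(tag, body):  # minimal DER encoder, used only to construct the key-free sample PFX
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8 or 1, "big")
    return bytes([tag]) + (lb if len(body) < 0x80 else bytes([0x80 | len(lb)]) + lb) + body

def _der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:  # base-128, continuation bit on all but the last byte
        chunk = [a & 0x7F]
        while a > 0x7F:
            a >>= 7
            chunk.append(0x80 | (a & 0x7F))
        out.extend(reversed(chunk))
    return _der(0x06, bytes(out))

def build_sample_pfx(pbe_oid, with_mac=True):
    """Constructed PFX v3 with one EncryptedData under pbe_oid; salt, ciphertext and MAC are dummies."""
    n2048 = _der(0x02, b"\x08\x00")  # iteration count used for PBE and MAC
    algo = _der(0x30, _der_oid(pbe_oid) + _der(0x30, _der(0x04, b"\xff" * 8) + n2048))
    enc = _der(0x30, _der(0x02, b"\x00") + _der(0x30, _der_oid(OID_DATA) + algo + _der(0x80, b"\x00" * 16)))
    auth_safe = _der(0x30, _der(0x30, _der_oid(OID_ENCRYPTED_DATA) + _der(0xA0, enc)))
    body = _der(0x02, b"\x03") + _der(0x30, _der_oid(OID_DATA) + _der(0xA0, _der(0x04, auth_safe)))
    if with_mac:  # MacData ::= SEQUENCE { DigestInfo, macSalt, iterations }
        digest = _der(0x30, _der(0x30, _der_oid(OID_SHA1) + _der(0x05, b"")) + _der(0x04, b"\xff" * 20))
        body += _der(0x30, digest + _der(0x04, b"\xff" * 8) + n2048)
    return _der(0x30, body)
```

Call `inspect_pfx` on the bytes of the transferred file. A report with `export_grade` set means the export was made with the "0 for export encryption" option and, for a FIPS database or a strict receiving system, should be redone with option 1; a missing MAC or a version other than 3 likewise indicates a file that was not exported as PKCS #12 Version 3.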





Copyright IBM Corporation 1990, 2014