HCL Workload Automation, Version 9.4

Converting PEM certificates to CMS certificates

This section describes the procedure to convert PEM (OpenSSL) certificates to CMS (GSKit) certificates. The examples in this section use the following input and output files.

Input files

Personal certificate file: CPU1.crt
Personal key of certificate file: CPU1.key
Certificate of CA file: TWSca.crt
Stash file: CPU1.sth

Output files

Keystore database file: TWS.kdb
Stash file: TWS.sth
Label of your certificate: CPU1

To migrate OpenSSL certificates to GSKit certificates, perform the following procedure:
  1. Merge the public and private keys in a new temporary file called all.pem by running the following commands:
    UNIX
    cat CPU1.crt CPU1.key > all.pem
    Windows
    type CPU1.crt CPU1.key > all.pem
  2. If you do not already know the password, extract it from the stash file by running openssl base64 -d -in CPU1.sth.
  3. Choose a password for the new keystore database. You can reuse the old password.
  4. Choose a label for your personal certificate and personal key (in this example, CPU1) and create the PKCS12 database that contains the labels. You use the name, CPU1, as the label of the new keystore database. To create the PKCS12 database, run the following:
    openssl pkcs12 -export -in all.pem -out TWS.p12 -name CPU1 -passin pass:password1 -passout pass:password2
    where password1 is the password extracted from the stash file and password2 is the new password to manage the new keystore database.
  5. Convert the PKCS12 database from TWS.p12 to the CMS database, TWS.kdb, by running the following:
    gsk7capicmd -cert -import -target TWS.kdb -db TWS.p12 -target_type cms -type pkcs12 -label CPU1 -target_pw "password2" -pw "password3"
    where password2 is the old password that you extracted from the stash file, CPU1.sth, and password3 is the new password.
  6. Choose a label for your Certification Authority contained in TWSca.crt. For this example, it is TWSca.
  7. Add the certificate of the Certification Authority into your TWS.kdb file by running:
    gsk7capicmd -cert -add -db TWS.kdb -label TWSca -trust -file TWSca.crt -format ascii -pw "password"
  8. Delete all .pem files.
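
The following is an added example, not part of the product documentation: it wraps steps 1, 4 and 8 so that the merged PEM file is only ever created in a private temporary directory, the passwords are read from the environment instead of appearing on the command line, and the key is checked against the certificate before the PKCS12 file is built. The function name pem_to_p12 and the variables OLD_PW and NEW_PW are assumptions made for this example; the gsk7capicmd steps are run afterwards as described above.

```shell
#!/bin/sh
# Added example (hypothetical helper, not shipped with the product).
# OLD_PW = password protecting the private key (from the stash file)
# NEW_PW = password chosen for the PKCS12 file
# Both must be exported; openssl reads them via env: so they stay out of argv.

pem_to_p12() (
    crt=$1; key=$2; label=$3; out=$4
    : "${OLD_PW:?export OLD_PW first}" "${NEW_PW:?export NEW_PW first}"

    umask 077                        # all.pem and the .p12 contain the private key
    tmp=$(mktemp -d) || exit 1
    trap 'rm -rf "$tmp"' EXIT        # step 8: the merged PEM is removed even on failure

    # Stop if the private key does not belong to the certificate.
    cert_pub=$(openssl x509 -in "$crt" -noout -pubkey) || exit 1
    key_pub=$(openssl pkey -in "$key" -passin env:OLD_PW -pubout) || exit 1
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "error: $key does not match $crt" >&2
        exit 2
    fi

    # Step 1: merge certificate and key.
    cat "$crt" "$key" > "$tmp/all.pem"

    # Step 4: build the PKCS12 file with the chosen label.
    openssl pkcs12 -export -in "$tmp/all.pem" -out "$out" -name "$label" \
        -passin env:OLD_PW -passout env:NEW_PW || exit 1

    # Read the file back: the label must be stored as friendlyName.
    openssl pkcs12 -in "$out" -passin env:NEW_PW -nokeys 2>/dev/null |
        grep -q "friendlyName: $label" || exit 3
)

# Usage with the file names from this section:
#   export OLD_PW NEW_PW
#   pem_to_p12 CPU1.crt CPU1.key CPU1 TWS.p12
```

After TWS.kdb has been created and verified, TWS.p12 also holds a copy of the private key and can be deleted together with the .pem files.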