DCM - How to use CA certificate outside DCM

By kimot, 24 January, 2024

Maybe you need to solve a problem similar to the one I had.
You can find a guide to migrating the whole DCM configuration to another LPAR here:
https://www.ibm.com/support/pages/how-backupmigratereplicate-my-digital-certificate-management-dcm-environment
But what if your DCM with the CA is only temporarily unusable and you only need to sign one server certificate with the CA certificate?
If you have access to the CA keystore (you should have backups), then you've almost won.
All you need is the openssl package installed and the ikeyman program.

This is a simplified procedure:

1) From \QIBM\UserData\ICSS\Cert\CertAuth\DEFAULT.KDB export the appropriate CA certificate (together with its private key) using the ikeyman program. The resulting file will be something like cacertkey.p12.

2) Create an ad hoc CA in some directory. You will need the openssl-ca.cnf, index.txt and serial.txt files in there.
openssl-ca.cnf should contain something like this:

HOME            = .
RANDFILE        = $ENV::HOME/.rnd

####################################################################
[ ca ]
default_ca    = CA_default      # The default ca section

[ CA_default ]

default_days     = 365          # How long to certify for
default_crl_days = 30           # How long before next CRL
default_md       = sha256       # Use public key default MD
preserve         = no           # Keep passed DN ordering

x509_extensions = ca_extensions # The extensions to add to the cert

email_in_dn     = no            # Don't concat the email in the DN
copy_extensions = copy          # Required to copy SANs from CSR to cert

base_dir      = .
certificate   = $base_dir/cacert.pem   # The CA certificate
private_key   = $base_dir/cakey.pem    # The CA private key
new_certs_dir = $base_dir              # Location for new certs after signing
database      = $base_dir/index.txt    # Database index file
serial        = $base_dir/serial.txt   # The current serial number

unique_subject = no  # Set to 'no' to allow creation of
                     # several certificates with same subject.

####################################################################
[ req ]
default_bits       = 4096
default_keyfile    = cakey.pem
distinguished_name = ca_distinguished_name
x509_extensions    = ca_extensions
string_mask        = utf8only

####################################################################
[ ca_distinguished_name ]
countryName         = Country Name (2 letter code)
countryName_default = US

stateOrProvinceName         = State or Province Name (full name)
stateOrProvinceName_default = Maryland

localityName                = Locality Name (eg, city)
localityName_default        = Baltimore

organizationName            = Organization Name (eg, company)
organizationName_default    = Test CA, Limited

organizationalUnitName         = Organizational Unit (eg, division)
organizationalUnitName_default = Server Research Department

commonName         = Common Name (e.g. server FQDN or YOUR name)
commonName_default = Test CA

emailAddress         = Email Address
emailAddress_default = test@example.com

####################################################################
[ ca_extensions ]

subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always, issuer
basicConstraints       = critical, CA:true
keyUsage               = keyCertSign, cRLSign

####################################################################
[ signing_policy ]
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

####################################################################
[ signing_req ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
basicConstraints       = CA:FALSE
keyUsage               = digitalSignature, keyEncipherment

The default_days = 365 parameter in the [ CA_default ] section defines how long the newly signed certificate will be valid.

Then create an empty index.txt database file and a serial.txt file containing the serial number the next certificate will receive (01 in this case):

touch index.txt
echo '01' > serial.txt


3) From cacertkey.p12 extract the CA certificate:

openssl pkcs12 -in cacertkey.p12 -out cacert.pem -clcerts -nokeys

4) From cacertkey.p12 extract the CA private key:

openssl pkcs12 -in cacertkey.p12 -nocerts -out cakey.pem


5) In the other DCM create a CSR (Certificate Signing Request) and save it as servercert.csr.

All of the above files should be in the same directory; if not, you will need to specify the correct paths in the commands below.

6) You can then sign the CSR with the CA certificate using this command:

openssl ca -config openssl-ca.cnf -policy signing_policy -extensions signing_req -out servercert.pem -infiles servercert.csr


7) servercert.pem is the resulting CA-signed server certificate, which you can import into DCM and, for example, assign to an application.


8) If you need to convert the server certificate to DER format:

openssl x509 -inform PEM -in servercert.pem -outform DER -out servercert.der
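The whole procedure (steps 2 to 7) run non-interactively, followed by the checks worth making on servercert.pem before importing it into DCM, as an added example that is not code from the original post. It assumes openssl 1.1.1 or later on PATH; the CA export, the CSR and the passwords are constructed stand-ins for the ikeyman export and the DCM-generated CSR, and the config is the post's openssl-ca.cnf trimmed to the sections the signing command reads.

```shell
set -eu
WORK=$(mktemp -d); cd "$WORK"
P12PASS=export-pw; KEYPASS=ca-key-pw   # constructed passwords for this run only

setup_fixture() {
  # Constructed stand-in for the ikeyman export of step 1 (a throwaway CA in a
  # PKCS#12 file), plus the post's openssl-ca.cnf reduced to the sections used.
  openssl req -x509 -newkey rsa:2048 -nodes -keyout k.pem -out c.pem -days 30 \
    -subj "/CN=Test CA" 2>/dev/null
  openssl pkcs12 -export -in c.pem -inkey k.pem -out cacertkey.p12 -passout pass:$P12PASS
  printf '%s\n' '[ ca ]' 'default_ca = CA_default' '[ CA_default ]' \
    'default_days = 365' 'default_md = sha256' 'copy_extensions = copy' \
    'certificate = ./cacert.pem' 'private_key = ./cakey.pem' 'new_certs_dir = .' \
    'database = ./index.txt' 'serial = ./serial.txt' 'unique_subject = no' \
    '[ signing_policy ]' 'commonName = supplied' \
    '[ signing_req ]' 'subjectKeyIdentifier = hash' 'authorityKeyIdentifier = keyid,issuer' \
    'basicConstraints = CA:FALSE' 'keyUsage = digitalSignature, keyEncipherment' \
    > openssl-ca.cnf
  touch index.txt; echo 01 > serial.txt
  # The CSR of step 5: carries a SAN (wanted) and also asks to be a CA (not wanted).
  openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out servercert.csr \
    -subj "/CN=server.example.com" -addext subjectAltName=DNS:server.example.com \
    -addext basicConstraints=CA:TRUE 2>/dev/null
}

sign_csr() {
  # Steps 3, 4 and 6; the passphrase prompts are replaced by -passin/-passout/-batch.
  openssl pkcs12 -in cacertkey.p12 -out cacert.pem -clcerts -nokeys -passin pass:$P12PASS
  openssl pkcs12 -in cacertkey.p12 -nocerts -out cakey.pem \
    -passin pass:$P12PASS -passout pass:$KEYPASS
  openssl ca -batch -config openssl-ca.cnf -policy signing_policy -extensions signing_req \
    -passin pass:$KEYPASS -out servercert.pem -infiles servercert.csr
}

# Checks before importing into DCM: the certificate chains to the CA, it is an
# end-entity certificate even though the CSR asked for CA:TRUE (copy_extensions
# = copy never overrides an extension already set in signing_req), and the SAN
# requested in the CSR survived the signing.
chains_to_ca()  { openssl verify -CAfile cacert.pem servercert.pem >/dev/null 2>&1; }
is_end_entity() { openssl x509 -in servercert.pem -noout -text | grep -q 'CA:FALSE'; }
keeps_san()     { openssl x509 -in servercert.pem -noout -text | grep -q 'DNS:server.example.com'; }

setup_fixture && sign_csr
chains_to_ca && is_end_entity && keeps_san && echo "servercert.pem issued and checked in $WORK"
```

With a real ikeyman export, point the two pkcs12 commands at that file; if OpenSSL 3 rejects it with an unsupported-algorithm error, add -legacy to those pkcs12 commands.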