Adding an additional root CA certificate to an existing KDB using ikeyman for Expedite Base for AIX users.

This process uses the Ikeyman application packaged with Expedite Base for Windows to edit the KDB file as detailed below. Expedite Base for Windows can be found here:

https://www.gxsolc.com/public/EDI/us/support/Downloads/downloads_index.html

It is not compatible with Windows versions above Windows XP or Windows Server 2003.

Select the file Expbase472.exe and click the Submit button at the bottom. Install the application, taking care not to close any windows. Allow the command prompt windows to close themselves automatically. Once the application is installed, open Start – Programs – Expedite base for Windows – Ikeyman Setup File to complete the process. After these steps are complete, open Start – Programs – Expedite base for Windows – Ikeyman to start Ikeyman.

This document assumes you are an existing Expedite Base for Windows SSL user and have already followed the process to obtain and install a new certificate after April 9th, 2011. This process will add the old root CA to the new KDB file. This is needed to prevent connectivity disruptions during the transition to the new root CA certificate. The goal is to edit the KDB so that it contains both the old and new root CA certificates. We want the new client certificate, the new root CA and the old root CA to co-exist in the key database until July 9, after which the new root CA will be the only one used.

  1. Convert pkcs12 file to kdb following the process here.
  2. In Ikeyman, select Key Database File – Open from the menu. Select CMS for Key database type and locate your kdb file.
  3. Select Signer Certificates from the drop-down box.
  4. You should see only one certificate authority, which is the new one.
  5. Now click Add, select Binary DER data as the data type, and locate the old root CA on your computer. A copy of the old root CA is available on the PKI website.

     Production URL - https://pki.tradinggrid.com/certstore/trustedca_0.cacert

  6. Click OK and enter a label for the certificate.
  7. Now you should see both the old and new root CA as signer certificates.
  8. Select Key Database File – Exit to close Ikeyman.
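
Before the downloaded old root CA is added as a signer in the Add step, it is worth confirming that the file really is binary DER (not Base64/PEM) and recording its SHA-256 fingerprint for comparison with a value obtained through a separate channel. The following is an added example, not part of the original document or of Ikeyman; it uses only the Python standard library, and `read_tlv`, `inspect_der_cert`, `tlv` and the sample certificate are constructed for illustration.

```python
import hashlib

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def inspect_der_cert(data):
    """Summarise a binary DER X.509 certificate before trusting it as a signer."""
    if data.lstrip().startswith(b"-----BEGIN"):
        raise ValueError("file is PEM (Base64), not binary DER")
    tag, start, end = read_tlv(data, 0)            # Certificate
    tbs_tag, pos, tbs_end = read_tlv(data, start)  # TBSCertificate
    if tag != 0x30 or tbs_tag != 0x30 or end != len(data):
        raise ValueError("not a single DER-encoded certificate")
    fields = []
    while pos < tbs_end:
        ftag, vstart, vend = read_tlv(data, pos)
        fields.append((ftag, data[pos:vend], data[vstart:vend]))
        pos = vend
    if fields and fields[0][0] == 0xA0:            # optional [0] version
        fields.pop(0)
    if len(fields) < 5:
        raise ValueError("too few TBSCertificate fields")
    issuer, validity, subject = fields[2][1], fields[3][2], fields[4][1]
    _, s, e = read_tlv(validity, 0)                # notBefore
    _, s, e = read_tlv(validity, e)                # notAfter
    return {"sha256": hashlib.sha256(data).hexdigest(),
            "issuer_equals_subject": issuer == subject,  # names only, signature not verified
            "not_after": validity[s:e].decode("ascii")}

def tlv(tag, body):  # DER encoder, used only to build the constructed sample
    n = len(body)
    nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    head = bytes([n]) if n < 0x80 else bytes([0x80 | len(nb)]) + nb
    return bytes([tag]) + head + body

# Constructed, unsigned sample with certificate structure (not the real root CA).
_name = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, b"Constructed Old Root CA"))))
_alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010105")) + tlv(0x05, b""))
_validity = tlv(0x30, tlv(0x17, b"010101000000Z") + tlv(0x17, b"300101000000Z"))
_tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + _alg + _name + _validity + _name + tlv(0x30, b""))
SAMPLE_DER = tlv(0x30, _tbs + _alg + tlv(0x03, b"\x00"))
```

To check a real download, pass the file's bytes to `inspect_der_cert` and compare the returned `sha256` with the fingerprint obtained out of band before clicking Add.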