Troubleshooting: Duplicate certificate labels cause CTGSK3029W errors in updateLocaCerts.sh

Duplicate certificates with multiple label references cause error CTGSK3029W.

Problem

gskcapicmd_64 version 8.0.55.11, included in IBM HTTP Server 9.0.5.2 (which is bundled in HCL Commerce 9.0.1.10), requires that .p12 files contain unique keys. If the key referenced by the label parameter also exists in the .p12 file under another label, failures can occur while running the /SETUP/bin/updateLocaCerts.sh script.

Two examples of these errors are as follows:

  • #Line 77:
    gsk8capicmd_64 -cert -import -db ${WORKDIR}/${certname}-key.p12 -pw ${KEYSTORE_PASS} -type pkcs12 -target ${DEST}/keyfile.kdb -target_type cms -label default -target_stashed
    
    #error
    CTGSK3029W The database does not contain a certificate with label "default"
  • #Line 80:
    gsk8capicmd_64 -cert -import -db ${WORKDIR}/${certname}-trust.p12 -pw ibmkey -type pkcs12 -label "server-ca" -target ${DEST}/keyfile.kdb
    
    #error
    CTGSK3029W The database does not contain a certificate with label "server-ca"

Solution

This is not a gskcapicmd_64 command defect. The issue is caused by an update that no longer allows duplicate alias names in the CMS key database file.

If you encounter this issue, review the keys present in your .p12 file and delete any key being added more than once with different labels.
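
One way to do the review described above before running the script, as an added example that is not part of updateLocaCerts.sh or of any HCL or IBM tooling. It assumes openssl is installed, treats two entries with an identical certificate encoding as the same certificate, and uses hypothetical function names; the sample listing is constructed.

```shell
# Added example; function names are hypothetical, sample data is constructed.
# find_dup_labels reads `openssl pkcs12 -nokeys` text on stdin and prints each
# certificate stored under more than one label. Returns 1 if any is found.
find_dup_labels() {
  awk '
    /^[ \t]*friendlyName:/ { sub(/^[ \t]*friendlyName:[ \t]*/, ""); label = $0; next }
    /^-----BEGIN CERTIFICATE-----/ { in_cert = 1; body = ""; next }
    /^-----END CERTIFICATE-----/ {
      in_cert = 0; if (label == "") label = "(no label)"
      if (!(body in labels)) { order[++n] = body; labels[body] = label }
      else if (!((body, label) in seen)) { labels[body] = labels[body] ", " label; dup[body] = 1 }
      seen[body, label] = 1; label = ""
    }
    in_cert { body = body $0 }
    END {
      for (i = 1; i <= n; i++)
        if (order[i] in dup) { print "DUPLICATE: " labels[order[i]]; found = 1 }
      exit found + 0
    }'
}
# check_p12 FILE: P12_PASS must be exported by the caller so the password
# stays off the command line. Returns 2 if openssl cannot read the file.
check_p12() {
  listing=$(openssl pkcs12 -in "$1" -nokeys -passin env:P12_PASS 2>/dev/null) || return 2
  printf '%s\n' "$listing" | find_dup_labels
}
# Constructed listing in openssl's output layout; the bodies are placeholders.
sample_listing() {
  cat <<'EOF'
Bag Attributes
    friendlyName: default
subject=CN = constructed-ca
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtQ0VSVC1B
-----END CERTIFICATE-----
Bag Attributes
    friendlyName: server-ca
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtQ0VSVC1B
-----END CERTIFICATE-----
Bag Attributes
    friendlyName: other-ca
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtQ0VSVC1C
-----END CERTIFICATE-----
EOF
}
```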