Upgrading TLS credentials

If you have TLS credentials on disk that are not yet added to TLS Credentials documents, you can use the certstore.nsf database to import them so that they can be used by CertMgr.

Before you begin

Complete the following prerequisite tasks:


  1. From one of the TLS CREDENTIALS views in certstore.nsf, click Add TLS Credentials.
  2. In the document that opens, click Import TLS Credentials.
  3. In the Action field, select one of the following options:
    • Import TLS credentials only - Not exportable. Select this option to add the credentials to the document but not allow them to be exported to a file.
    • Import TLS credentials - exportable. Select this option to add the credentials to the document and also allow them to be exported to a file.
  4. In the Format field, select one of the following encryption formats:
    • PKCS12 - Binary encoded X.509 (P12/PFX)
    • Base64 encoded X.509 (PEM, AES256 encrypted)
    • KYR - Legacy keyring format
  5. In the File name field, select the file containing the certificates to import.
  6. In the Current password field, provide the current password for the specified file if required.
  7. In the New password and Verify password fields, provide a new password. A new password is required if you selected Import TLS credentials - exportable in Step 3. Otherwise, it's optional.
  8. Click OK.
  9. For X.509 certificate-based client authentication, import the root and intermediate certificates that were used to create the client certificates into certstore.nsf. For more information, see Adding trusted root certificates.


The credentials are imported and can be seen in the Security/Keys tab of the TLS Credentials document and are ready for use. If you chose the option Import TLS credentials - exportable, the Export TLS Credentials button is available to export them to a file.
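
A pre-import check for the file selected in steps 4 to 6, added here as an example and not part of the product documentation: it reports whether a PEM file contains a certificate and whether its private key is encrypted. The function names and the sample bytes are constructed for illustration, and treating a plaintext or non-AES-256 key as a finding is an assumption based on the "AES256 encrypted" wording of the PEM format option.

```python
import re

# Matches any PEM block and captures its label and body.
PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

# Constructed sample: placeholder bodies, not real key or certificate material.
SAMPLE_PEM = (b"-----BEGIN RSA PRIVATE KEY-----\n"
              b"Proc-Type: 4,ENCRYPTED\n"
              b"DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF\n\n"
              b"Q09OU1RSVUNURUQ=\n-----END RSA PRIVATE KEY-----\n"
              b"-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n")

def inspect_credentials(data: bytes) -> dict:
    """Summarise a credential file: container format, cert count, key protection."""
    blocks = PEM_BLOCK.findall(data)
    if not blocks:
        # Binary PKCS#12 is DER, which starts with an ASN.1 SEQUENCE tag (0x30).
        fmt = "der (possibly PKCS12)" if data[:1] == b"\x30" else "unknown"
        return {"format": fmt, "key": None, "cipher": None, "certs": 0}
    info = {"format": "pem", "key": None, "cipher": None,
            "certs": sum(label == b"CERTIFICATE" for label, _ in blocks)}
    for label, body in blocks:
        if label == b"ENCRYPTED PRIVATE KEY":
            # PKCS#8: the cipher is inside the ASN.1 structure, not in a header.
            info.update(key="encrypted", cipher="pkcs8 (in ASN.1)")
        elif label.endswith(b"PRIVATE KEY"):
            dek = re.search(rb"DEK-Info: ([A-Z0-9-]+),", body)
            if b"Proc-Type: 4,ENCRYPTED" in body and dek:
                info.update(key="encrypted", cipher=dek.group(1).decode())
            else:
                info.update(key="plaintext", cipher=None)
    return info

def preimport_findings(info: dict) -> list:
    """Return reasons to fix the file before selecting it in the File name field."""
    if info["format"] != "pem":
        return ["not PEM; this check covers PEM files only"]
    findings = []
    if info["certs"] == 0:
        findings.append("no certificate block")
    if info["key"] is None:
        findings.append("no private key block")
    elif info["key"] == "plaintext":
        findings.append("private key is not encrypted")
    elif not info["cipher"].startswith(("AES-256", "pkcs8")):
        findings.append("legacy cipher %s is not AES-256" % info["cipher"])
    return findings

if __name__ == "__main__":
    print(preimport_findings(inspect_credentials(SAMPLE_PEM)))
```

An empty findings list means the PEM file has at least one certificate and an encrypted key; for a PKCS#8 key the cipher itself is not checked because it is stored inside the encoded structure.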