Wednesday, June 6, 2012

[Technote] A certificate with the same label has already existed in the key database message for GSK7CMD and ikeycmd



Problem (Abstract)

Your GSKit Command Line tools do not always return a comprehensive error message that identifies the root cause of the problem directly. For example, even though there is no certificate for a given label, you may still receive the following message: "A certificate with the same label has already existed in the key database."

Symptom

For instance, if you create a certificate request for a newly created keystore, like:

C:\Program Files\ibm\gsk7\bin>gsk7cmd -certreq -create -db newkey.kdb -label "my certificate request" -dn "cn=myserver.domain.com,o=company,ou=department,l=city,st=state,c=country" -size 1024 -file mycertreq.csr

You may receive the error message:
"A certificate with the same label has already existed in the key database."

But as the keystore is new, no personal certificates or certificate requests exist in the keystore.

Despite this error, the CSR file is created and contains a valid request. But when you later try to receive the certificate, the operation fails with another error:

"An error occurred while receiving the certificate from the given file. The certificate request created for the certificate is not in the key database."

If you try to list the certificates in a keystore with
C:\Program Files\ibm\gsk7\bin>gsk7cmd -cert -list -db newkey.kdb
you will receive the following error even though keys may exist:

"No key was found in the key database."

Cause

You need to specify the password of the keystore for any operation.

When the certificate request is created, the CSR file is generated, but the request is not entered into the keystore KDB, because the gsk7cmd -certreq command lacks the password for the keystore.

So the message "a certificate with the same label exists" is incorrect and misleading. In fact, gsk7cmd cannot even open the keystore, because the user did not specify the keystore's password.

The same applies to the -cert -list command.

Try "gsk7cmd -cert -list -db newkey.kdb -pw <password>" and the certificates will be listed.

Resolving the problem

Add the option "-pw <password>" to the command line.

Even if a stash file is present for the given keystore, this will not allow gsk7cmd to open the keystore.
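
The diagnosis above can be automated when reviewing saved console sessions. The following is an added example, not part of the original technote or of GSKit: a small Python checker that pairs each gsk7cmd/ikeycmd command with its output and flags the misleading messages only when -pw is missing. The function names and the sample session are constructed for illustration.

```python
import re
import shlex

# Messages quoted on this page that gsk7cmd prints when it could not open the keystore.
MISLEADING = (
    "A certificate with the same label has already existed in the key database.",
    "No key was found in the key database.",
)
# Follow-on error when the certificate for a request that was never stored is received.
ORPHANED_REQUEST = "The certificate request created for the certificate is not in the key database."
PROMPT = re.compile(r"^[A-Za-z]:\\[^>]*>\s*(\S.*)$")  # cmd.exe prompt followed by a command

def has_password(tokens):
    """True if -pw is present and followed by a value rather than another option."""
    if "-pw" not in tokens:
        return False
    i = tokens.index("-pw")
    return i + 1 < len(tokens) and not tokens[i + 1].startswith("-")

def diagnose(transcript):
    """Pair each gsk7cmd/ikeycmd command with its output and report the likely root cause."""
    findings, command, tokens = [], None, []
    for line in transcript.splitlines():
        m = PROMPT.match(line)
        if m:
            command = m.group(1).strip()
            tokens = shlex.split(command, posix=False)  # keeps quoted labels/DNs as one token
            continue
        if not command or tokens[0].lower() not in ("gsk7cmd", "ikeycmd"):
            continue
        text = line.strip().strip('"')
        if text in MISLEADING and not has_password(tokens):
            findings.append(("missing-pw", command + " -pw <password>"))
        elif ORPHANED_REQUEST in text:
            findings.append(("request-not-stored", command))
    return findings

# Constructed sample session, built from the commands and messages shown above.
SAMPLE = r'''C:\Program Files\ibm\gsk7\bin>gsk7cmd -certreq -create -db newkey.kdb -label "my certificate request" -dn "cn=myserver.domain.com,o=company,ou=department,l=city,st=state,c=country" -size 1024 -file mycertreq.csr
A certificate with the same label has already existed in the key database.
C:\Program Files\ibm\gsk7\bin>gsk7cmd -cert -list -db newkey.kdb
No key was found in the key database.
C:\Program Files\ibm\gsk7\bin>gsk7cmd -cert -list -db newkey.kdb -pw <password>
No key was found in the key database.
'''

if __name__ == "__main__":
    for kind, detail in diagnose(SAMPLE):
        print(kind, "->", detail)
```

The third command in the sample includes -pw, so its "No key was found" output is treated as a genuinely empty keystore and is not flagged.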
