Creating a self-signed personal certificate on UNIX, Linux, and Windows systems

You can create a self-signed certificate by using iKeyman, iKeycmd, or runmqakm.

Note: IBM® WebSphere® MQ does not support SHA-3 or SHA-5 algorithms. You can use the digital signature algorithm names SHA384WithRSA and SHA512WithRSA because both algorithms are members of the SHA-2 family.

The digital signature algorithm names SHA3WithRSA and SHA5WithRSA are deprecated because they are an abbreviated form of SHA384WithRSA and SHA512WithRSA respectively.

For more information about why you might want to use self-signed certificates, see Using self-signed certificates for mutual authentication of two queue managers.

Not all digital certificates can be used with all CipherSpecs. Ensure that you create a certificate that is compatible with the CipherSpecs you need to use. WebSphere MQ supports three different types of CipherSpec. For details, see Interoperability of Elliptic Curve and RSA CipherSpecs in the Digital certificates and CipherSpec compatibility in IBM WebSphere MQ topic. To use the Type 1 CipherSpecs (those with names beginning ECDHE_ECDSA_) you must use the runmqakm command to create the certificate and you must specify an Elliptic Curve ECDSA signature algorithm parameter; for example, -sig_alg EC_ecdsa_with_SHA384 .

Using iKeyman

iKeyman does not provide a FIPS-compliant option. If you need to manage SSL or TLS certificates in a way that is FIPS-compliant, use the runmqakm command.

Use the following procedure to obtain a self-signed certificate for your queue manager or WebSphere MQ MQI client:
  1. Start the iKeyman GUI by using the strmqikm command .
  2. From the Key Database File menu, click Open. The Open window displays.
  3. Click Key database type and select CMS (Certificate Management System).
  4. Click Browse to navigate to the directory that contains the key database files.
  5. Select the key database file in which you want to save the certificate, for example key.kdb.
  6. Click Open. The Password Prompt window displays.
  7. Type the password you set when you created the key database and click OK. The name of your key database file is displayed in the File Name field.
  8. From the Create menu, click New Self-Signed Certificate. The Create New Self-Signed Certificate window is displayed.
  9. In the Key Label field, type:
    • For a queue manager, ibmwebspheremq followed by the name of your queue manager folded to lowercase. For example, for QM1, ibmwebspheremqqm1, or,
    • For a WebSphere MQ client, ibmwebspheremq followed by your logon user ID folded to lowercase, for example ibmwebspheremqmyuserid .
  10. Type or select a value for any field in the Distinguished name, or any of the Subject alternative name fields.
  11. For the remaining fields, either accept the default values, or type or select new values. For more information about Distinguished Names, see Distinguished Names.
  12. Click OK. The Personal Certificates list shows the label of the self-signed personal certificate you created.

Using the command line

Use the following commands to create a self-signed personal certificate by using iKeycmd or runmqakm:
  • Using iKeycmd on UNIX, Linux® and Windows systems: 
    
runmqckm -cert -create -db filename -pw 
password -label label
        -dn distinguished_name -size key_size
 -x509version version -expire days
 -sig_alg algorithm

    Instead of -dn distinguished_name , you can use -san_dsname DNS_names , -san_emailaddr email_addresses , or -san_ipaddr IP_addresses .

  • Using runmqakm: 
    
runmqakm -cert -create -db filename -pw 
password -label label
        -dn distinguished_name -size key_size
 -x509version version -expire days
 
        -fips -sig_alg algorithm