Requesting a personal certificate on UNIX, Linux, and Windows

You can request a personal certificate using the strmqikm GUI, or from the command line, subject to the following considerations:

• IBM® MQ does not support SHA-3 or SHA-5 algorithms. You can use the digital signature algorithm names SHA384WithRSA and SHA512WithRSA because both algorithms are members of the SHA-2 family.
• The digital signature algorithm names SHA3WithRSA and SHA5WithRSA are deprecated because they are an abbreviated form of SHA384WithRSA and SHA512WithRSA respectively.
• Not all digital certificates can be used with all CipherSpecs. Ensure that you request a certificate that is compatible with the CipherSpecs you need to use. IBM MQ supports three different types of CipherSpec. For details, see Interoperability of Elliptic Curve and RSA CipherSpecs in the Digital certificates and CipherSpec compatibility in IBM MQ topic.
• To use the Type 1 CipherSpecs (with names beginning ECDHE_ECDSA_) you must use the runmqakm command to request the certificate and you must specify an Elliptic Curve ECDSA signature algorithm parameter; for example, -sig_alg EC_ecdsa_with_SHA384.

  See runmqckm and runmqakm options on UNIX, Linux, and Windows for a list of the options available with the -sig_alg hashing algorithm.

• Only the runmqakm command provides a FIPS-compliant option.
• If you are using cryptographic hardware, see Requesting a personal certificate for your PKCS #11 hardware.