createcert (create certificate)

Create a self-signed certificate for a queue manager.

Purpose

You can use the createcert command to create a self-signed certificate and add it to the key repository of a specified queue manager. The certificate data is extracted from the newly created certificate and placed in a file.

Syntax

createcert -m QMgrName -dn DistinguishedName -label Label -sig_alg HashAlgorithm -size KeySize -expire Days -format ascii|binary -ku Usage -eku Usage -san_dnsname DNSNames -san_ipaddr IPAddresses

Parameters

-m QMgrName
Specifies the name of the queue manager for which the self-signed certificate is created.
The queue manager must exist.
-dn DistinguishedName
Specifies the X.500 distinguished name that uniquely identifies the certificate.
DistinguishedName is a string that is enclosed in double quotation marks. For example, "CN=John Smith,O=IBM,OU=Test,C=GB". The CN, O, and C attributes are required.
-label Label
Specifies the label that is associated with the certificate.
The default value is ibmwebspheremqQMgrName, where QMgrName is the name of the queue manager in lowercase.
-sig_alg HashAlgorithm
Specifies the signing algorithm that is used to create the signature that is associated with the new self-signed certificate.
HashAlgorithm can be one of the following values:

md5, MD5_WITH_RSA, MD5WithRSA, SHA_WITH_DSA, SHA_WITH_RSA, sha1, SHA1WithDSA, SHA1WithECDSA, SHA1WithRSA, sha224, SHA224_WITH_RSA, SHA22WithRSA, SHA224WithECDSA, SHA224WithRSA, sha256, SHA256_WITH_RSA, SHA256WithRSA, SHA256WithECDSA, SHA256WithRSA, sha384, SHA384_WITH_RSA, SHA384WithECDSA, SHA384WithRSA, sha512, SHA512_WITH_RSA, SHA512WithECDSA, SHA512WithRSA, SHAWithDSA, SHAWithRSA, EC_ecdsa_with_SHA1, EC_ecdsa_with_SHA224, EC_ecdsa_with_SHA256, EC_ecdsa_with_SHA384, or EC_ecdsa_with_SHA512.

sha3_256, SHA3_256WithRSA, sha3_384, SHA3_384WithRSA, sha3_512, SHA3_512WithRSA, SHA3_256WithRSASSAPSS, SHA3_384WithRSASSAPSS, SHA3_512WithRSASSAPSS, SHA3_256WithECDSA, SHA3_384WithECDSA, SHA3_512WithECDSA, RSASSAPSS, SHA256WithRSASSAPSS, SHA384WithRSASSAPSS, SHA512WithRSASSAPSS.

The default value is SHA256WithRSA.
-size KeySize
Specifies the size of the new key pair.
The default value is 2048 for all RSA signature algorithms. For elliptic curve signature algorithms, use 256, 384, or 512 to match the selected algorithm.
-expire Days
Specifies the expiration time of the certificate, in days.
The default value is 365.
-format ascii|binary
Specifies the format of the output file.
The default value is ascii.
-ku Usage
Specifies a list of valid uses for the certificate.
To specify more than one use, enter each value in a comma-separated list.
-eku Usage
Specifies a list of valid uses for the certificate.
To specify more than one use, enter each value in a comma-separated list.
-san_dnsname DNSNames
Specifies the Subject Alternative Name (SAN) DNS names for the certificate that is created.
To specify more than one DNS name, enter each value in a comma-separated list.
-san_ipaddr IPAddresses
Specifies the Subject Alternative Name (SAN) IP addresses for the certificate that is created.
To specify more than one IP address, enter each value in a comma-separated list.

Usage notes

  • This command must be run from the IBM® MQ administration mode. If the system is in the IBM MQ administration mode, the prompt includes mq. To enter the IBM MQ administration mode, enter mqcli on the command line. To exit the IBM MQ administration mode, enter exit on the command line.
  • The target file name is generated based on the label that is specified in the command. The file name is displayed when the command completes.

Examples

  • The following command creates a certificate for queue manager QM1, with a distinguished name of CN=John Smith,O=IBM,OU=Test,C=GB:
    createcert -m QM1 -dn "CN=John Smith,O=IBM,OU=Test,C=GB"
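
A pre-flight check for createcert arguments, added here as an example and not part of the IBM documentation or product. It applies the -dn and -size rules stated in the parameter descriptions and also flags MD5 and SHA-1 signature algorithms, which the command accepts but which are deprecated for certificate signatures. The function names and the sample commands are assumptions made for illustration.

```python
import re
import shlex

REQUIRED_DN = {"CN", "O", "C"}      # attributes the -dn description marks as required
EC_SIZES = {"256", "384", "512"}    # sizes the -size description lists for elliptic curve
DEFAULT_SIG_ALG = "SHA256WithRSA"   # documented default for -sig_alg


def parse_createcert(cmdline):
    """Split a createcert command line into an {option: value} dict."""
    tokens = shlex.split(cmdline)
    if not tokens or tokens[0] != "createcert" or len(tokens) % 2 == 0:
        raise ValueError("expected: createcert followed by option/value pairs")
    return dict(zip(tokens[1::2], tokens[2::2]))


def lint_createcert(cmdline):
    """Return a list of findings (hypothetical helper); empty means none."""
    opts = parse_createcert(cmdline)
    findings = []
    if "-m" not in opts:
        findings.append("missing -m")
    # Split the DN on commas that are not backslash-escaped.
    rdns = re.split(r"(?<!\\),", opts.get("-dn", ""))
    present = {r.split("=", 1)[0].strip().upper() for r in rdns if "=" in r}
    missing = sorted(REQUIRED_DN - present)
    if missing:
        findings.append("-dn lacks required attribute(s): " + ", ".join(missing))
    # Normalise spellings such as SHA1WithRSA and EC_ecdsa_with_SHA1.
    alg = opts.get("-sig_alg", DEFAULT_SIG_ALG).replace("_", "").lower()
    if re.search(r"md5|sha1(?!\d)", alg):
        findings.append("-sig_alg uses MD5 or SHA-1: " + opts["-sig_alg"])
    if "ecdsa" in alg and opts.get("-size") not in EC_SIZES:
        findings.append("elliptic curve -sig_alg needs -size 256, 384 or 512")
    return findings


# Constructed sample commands, not taken from a real system.
SAMPLES = [
    'createcert -m QM1 -dn "CN=John Smith,O=IBM,OU=Test,C=GB"',
    'createcert -m QM1 -dn "CN=qm1,OU=Test" -sig_alg sha1',
    'createcert -m QM1 -dn "CN=qm1,O=Example,C=GB" -sig_alg SHA256WithECDSA -size 2048',
]

if __name__ == "__main__":
    for cmd in SAMPLES:
        print(cmd, "->", lint_createcert(cmd) or "ok")
```
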
    
