Certificate Extended Key Usage (EKU)

IBM® MQ as a Service and Certificate Extended Key Usage (EKU).

For information about how IBM MQ handles certificate Extended Key Usage (EKU), see the IBM MQ EKU documentation.

IBM MQ as a Service queue managers at version 9.4.5r1 and later are configured with RFC5280EKUChecks=FALSE. When this setting is in effect, certificate EKU values are not checked. If you use a custom certificate and want EKU checking to be enforced, you can raise a support case to request that RFC5280EKUChecks=TRUE is set in the SSL stanza of the qm.ini file.

Certificates provided by IBM MQ as a Service do not include the ClientAuth EKU value. As a result, the default certificates are not suitable for use in mutual TLS (mTLS) client authentication when EKU checking is enforced.

If the default certificate is used in any of the following scenarios, connections can fail:
  • An IBM MQ as a Service queue manager uses mTLS to connect to a distributed queue manager at version 9.4.5.0 or later where EKU checking is enabled and RFC5280EKUChecks=FALSE is not set in the SSL stanza of the qm.ini file.
  • An IBM MQ as a Service queue manager uses mTLS to connect to a queue manager on z/OS.
  • An IBM MQ as a Service queue manager uses mTLS to connect to MQIPT where SSLClientAuth=true is configured.
The error that is reported is similar to the following:
Extended key usage does not permit use for TLS client authentication: Check the full valid CA trust chain is available in the keyring

The same considerations apply if you configure a custom certificate on the queue manager that does not include the ClientAuth EKU value.

Recommended action

Use a custom certificate that includes the ClientAuth EKU value when the certificate is to be used for mTLS client authentication in an environment where EKU checking is enforced.
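The following Go program is an added example and is not IBM code or part of this documentation. Using only the Go standard library, it models the behaviour described on this page: it builds two self-signed test certificates, one carrying only the serverAuth EKU (the shape the default certificate is described as having) and one that also carries clientAuth; reports whether each includes the ClientAuth EKU value; and then verifies each for TLS client authentication twice, once with EKU checking enforced and once with EKU checking disabled (the equivalent of RFC5280EKUChecks=FALSE). The certificate names, the acceptAsTLSClient function and the enforceEKU switch are constructed for the example and are not IBM MQ internals; the same check can be applied to a custom certificate before it is deployed for mTLS.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newSelfSigned builds a self-signed test certificate that carries exactly the
// given Extended Key Usage list. Constructed test data, not a real MQ certificate.
func newSelfSigned(cn string, ekus []x509.ExtKeyUsage) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           ekus,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// hasClientAuthEKU reports whether the certificate's EKU extension lists
// id-kp-clientAuth (or anyExtendedKeyUsage, which RFC 5280 treats as permitting
// every purpose). A certificate with no EKU extension at all returns false here
// even though RFC 5280 places no restriction on it; see acceptAsTLSClient.
func hasClientAuthEKU(cert *x509.Certificate) bool {
	for _, eku := range cert.ExtKeyUsage {
		if eku == x509.ExtKeyUsageClientAuth || eku == x509.ExtKeyUsageAny {
			return true
		}
	}
	return false
}

// acceptAsTLSClient models the receiving side's decision (hypothetical helper).
// With enforceEKU=true every certificate in the chain must permit client
// authentication, which is the RFC 5280 rule; with enforceEKU=false only the
// trust chain is validated, which mirrors RFC5280EKUChecks=FALSE.
func acceptAsTLSClient(cert *x509.Certificate, roots *x509.CertPool, enforceEKU bool) error {
	opts := x509.VerifyOptions{Roots: roots}
	if enforceEKU {
		opts.KeyUsages = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	} else {
		// ExtKeyUsageAny in VerifyOptions tells Go to skip the EKU check entirely.
		opts.KeyUsages = []x509.ExtKeyUsage{x509.ExtKeyUsageAny}
	}
	_, err := cert.Verify(opts)
	return err
}

func main() {
	serverOnly, err := newSelfSigned("mq-default-style", []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth})
	if err != nil {
		panic(err)
	}
	withClient, err := newSelfSigned("mq-custom-style", []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth})
	if err != nil {
		panic(err)
	}
	for _, c := range []*x509.Certificate{serverOnly, withClient} {
		roots := x509.NewCertPool()
		roots.AddCert(c) // trust the self-signed test certificate as its own root
		fmt.Printf("%s: ClientAuth EKU present=%v\n", c.Subject.CommonName, hasClientAuthEKU(c))
		fmt.Printf("  EKU checks enforced: %v\n", acceptAsTLSClient(c, roots, true))
		fmt.Printf("  EKU checks disabled: %v\n", acceptAsTLSClient(c, roots, false))
	}
}
```

With EKU checks enforced, the serverAuth-only certificate is rejected with an incompatible key usage error, which is the same failure class as the MQ message quoted above; with checks disabled it is accepted, and the certificate that carries clientAuth is accepted in both modes.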