
Creating a self-signed PKI using OpenSSL

IBM® MQ allows you to use mutual TLS for authentication, where both ends of a connection supply a certificate, and details in the certificate are used to establish an identity with the queue manager. This topic presents how to create an example Public Key Infrastructure (PKI) using the OpenSSL command line tool, creating two certificates which can be used in other examples.

Before you begin

Ensure that the OpenSSL command line tool is installed.

Install the IBM MQ client, and add samp/bin and bin to your PATH. You need the runmqicred command, which can be installed as part of the IBM MQ client as follows:

About this task

Important: The examples described here are not suitable for a production environment, and are solely intended as examples to get going quickly. Certificate management is a complex subject for advanced users. For production, you must consider things like rotation, revocation, key length, disaster recovery and much more.
These steps have been tested using OpenSSL 3.1.4.

Procedure

  1. Create a private key to use for your internal certificate authority
    openssl genpkey -algorithm rsa -pkeyopt rsa_keygen_bits:4096 -out ca.key
    A private key for the internal certificate authority is created in a file called ca.key. This file should be kept safe and secret — it will be used to sign certificates for your internal certificate authority.
  2. Issue a self-signed certificate for your internal certificate authority
    openssl req -x509 -new -nodes -key ca.key -sha512 -days 30 -subj "/CN=example-selfsigned-ca" -out ca.crt
    The -days specifies the number of days that the root CA certificate will be valid.
    A certificate is created in a file called ca.crt. This certificate contains the public information about the internal certificate authority, and is freely shareable.
  3. Create a private key and certificate for a queue manager
    1. Create a private key and certificate signing request for a queue manager
      openssl req -new -nodes -out example-qm.csr -newkey rsa:4096 -keyout example-qm.key -subj '/CN=example-qm'
      A private key is created in a file called example-qm.key, and a certificate signing request is created in a file called example-qm.csr.
    2. Sign the queue manager key with your internal certificate authority
      openssl x509 -req -in example-qm.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out example-qm.crt -days 7 -sha512
      The -days specifies the number of days that the certificate will be valid.
      A signed certificate is created in a file called example-qm.crt.
    3. Create a Kubernetes secret with the queue manager key and certificate
      kubectl create secret generic example-qm-tls --type="kubernetes.io/tls" --from-file=tls.key=example-qm.key --from-file=tls.crt=example-qm.crt --from-file=ca.crt
      A Kubernetes secret called example-qm-tls is created. This secret contains the private key for the queue manager, the public certificate, and the CA certificate.
  4. Create a private key and certificate for an application
    1. Create a private key and certificate signing request for an application
      openssl req -new -nodes -out example-app1.csr -newkey rsa:4096 -keyout example-app1.key -subj '/CN=example-app1'
      A private key is created in a file called example-app1.key, and a certificate signing request is created in a file called example-app1.csr.
    2. Sign the application key with your internal certificate authority
      openssl x509 -req -in example-app1.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out example-app1.crt -days 7 -sha512
      The -days specifies the number of days that the certificate will be valid.
      A signed certificate is created in a file called example-app1.crt.
    3. Create a PKCS#12 key store with the application's key and certificate
      IBM MQ uses a key database, not individual key files. The containerized queue manager creates the key database for the queue manager from a Secret, but for client applications you need to create the key database manually.
      openssl pkcs12 -export -in "example-app1.crt" -name "example-app1" -certfile "ca.crt" -inkey "example-app1.key" -out "example-app1.p12" -passout pass:PASSWORD
      Where PASSWORD is a password of your own choosing.
      A key store is created in a file called example-app1.p12. The application's key and certificate are stored inside, with a "label" or "friendly name" of "example-app1", together with the CA certificate.
    4. If you are using an arm64 Apple Mac, then you need to configure an additional file combining the application and CA certificates.
      For example:
      cat example-app1.crt ca.crt > example-app1-chain.crt
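The whole procedure above, run end to end with the checks worth doing before the files go into a queue manager Secret or a client key store, as an added example that is not part of the IBM documentation. It uses the page's own file names, subjects and validity periods; the shell functions, the scratch directory, and the PKCS#12 password "changeit" (a stand-in for PASSWORD) are this example's own assumptions, and it assumes OpenSSL 3.x is on the PATH.

```shell
#!/bin/sh
# Added example, not part of the IBM MQ documentation: rebuilds the example
# PKI from the steps above in a scratch directory and checks the result.
# Assumes OpenSSL 3.x on PATH; file names, subjects and -days values are
# the page's own, "changeit" is an arbitrary stand-in for PASSWORD.
set -eu

P12_PASS=changeit

# Steps 1 to 4 of the procedure, run inside directory $1 (created if missing).
build_example_pki() {
    mkdir -p "$1"
    (
        cd "$1"
        # 1-2: CA key and a 30-day self-signed CA certificate
        openssl genpkey -algorithm rsa -pkeyopt rsa_keygen_bits:4096 -out ca.key
        chmod 600 ca.key   # the CA signing key: owner-only access
        openssl req -x509 -new -nodes -key ca.key -sha512 -days 30 \
            -subj "/CN=example-selfsigned-ca" -out ca.crt
        # 3-4: a key, a CSR and a 7-day CA-signed certificate per identity
        for name in example-qm example-app1; do
            openssl req -new -nodes -out "$name.csr" -newkey rsa:4096 \
                -keyout "$name.key" -subj "/CN=$name"
            openssl x509 -req -in "$name.csr" -CA ca.crt -CAkey ca.key \
                -CAcreateserial -out "$name.crt" -days 7 -sha512
        done
        # 4.3: PKCS#12 key store for the application, labelled example-app1
        openssl pkcs12 -export -in example-app1.crt -name example-app1 \
            -certfile ca.crt -inkey example-app1.key -out example-app1.p12 \
            -passout "pass:$P12_PASS"
    )
}

# 0 if $2.crt in $1 chains to the CA certificate file $3 (also in $1).
verify_chain() {
    openssl verify -CAfile "$1/$3" "$1/$2.crt" >/dev/null 2>&1
}

# 0 if $2.key and $2.crt in $1 carry the same public key; a mismatched
# pair is the usual cause of a key store that loads but never handshakes.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1/$2.crt" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$1/$2.key" -pubout | openssl sha256)
    [ "$cert_pub" = "$key_pub" ]
}

# 0 if $2.crt in $1 is still valid $3 seconds from now. The 7-day leaf
# certificates from steps 3 and 4 fail this for anything beyond a week.
valid_for_seconds() {
    openssl x509 -in "$1/$2.crt" -noout -checkend "$3" >/dev/null
}

# Print the friendly name (the label IBM MQ uses) of the first certificate
# bag in example-app1.p12, reading the store back with the export password.
p12_friendly_name() {
    openssl pkcs12 -in "$1/example-app1.p12" -passin "pass:$P12_PASS" -nokeys 2>/dev/null \
        | sed -n 's/^ *friendlyName: *//p' | head -n 1
}

# check "description" command args...: run the check, report, fail on error.
check() {
    desc=$1
    shift
    if "$@"; then echo "ok   $desc"; else echo "FAIL $desc"; return 1; fi
}

# Stand-alone run: build into $1 (default: a fresh temporary directory)
# and print one line per check. Usage: run_demo /tmp/example-pki
run_demo() {
    dir=${1:-$(mktemp -d)}
    build_example_pki "$dir"
    for leaf in example-qm example-app1; do
        check "$leaf.crt chains to ca.crt" verify_chain "$dir" "$leaf" ca.crt
        check "$leaf.key matches $leaf.crt" key_matches_cert "$dir" "$leaf"
        check "$leaf.crt valid for another day" valid_for_seconds "$dir" "$leaf" 86400
    done
    echo "example-app1.p12 label: $(p12_friendly_name "$dir")"
}
```

Source the script and call run_demo with a directory of your choice; the checkend test is the one to keep handy, since the 7-day leaf certificates from steps 3 and 4 expire well before the 30-day CA certificate does, and an expired client certificate looks like a generic handshake failure from the queue manager's side.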