Next-generation platform

Generating MQ certificates

You can generate IBM MQ certificates in Self Service, download the generated certificates, and import the certificates in your client application.

Before you begin

You must have the Developer role or the Organization Administrator role to generate an IBM MQ certificate.

About this task

Your old certificates that are generated before the November 2020 release continue to work in addition to the newly generated certificates. You must gradually migrate to new certificates. For more information, see Migrating MQ certificates.

A certificate is valid for one year. You can view the expiry date of the certificate under the Certificates tab. A notification alert is sent to the owner of the certificate for the certificates that are going to expire after a month. Alerts are sent even for certificates that are expiring after a week and after a day. When you receive a notification, you must generate a new certificate manually and use the new certificate. The Organization Administrator receives a summary of all the certificates that are going to expire in a month or in a week.
Note: Expired certificates are removed from the application and database after 90 days of expiration.
The following table lists the actions for the IBM MQ certificates that a user with the Developer and the Organization Administrator role can do.
Role Actions
Developer
  • Generate IBM MQ certificates.
  • View all IBM MQ certificates that are generated by the user themselves.
  • Download all IBM MQ certificates that are generated by the user themselves.
  • Apply changes after generating and revoking IBM MQ certificates..
Organization Administrator
  • View all IBM MQ certificates.
  • Generate IBM MQ certificates.
  • Download all IBM MQ certificates.
  • Revoke all IBM MQ certificates.
  • Apply changes after generating and revoking all IBM MQ certificates.

Procedure

To generate an IBM MQ certificate, complete the following steps.

  1. Access Self Service with your IBMid.
  2. From the Self Service menu, click Environments.
  3. From the list of environments, select an environment.
  4. In the Certificates tab, click Inbound.
  5. Select the certificate type as MQ certificates.
  6. Click Generate certificate.
  7. In the Add certificate page, enter the following details.
    • Certificate owner - If the certificate is for a person, enter their name or email address. If the certificate is for a device, enter an ID to identify the device. For example, enter the store name and a serial number for the device such as 'Store123-serial 456789'.
    • Integration platform - Enter the MQ server supply integration platform name. It can contain alphanumeric characters in uppercase and lowercase, a period, or a hyphen. It does not support spaces or any other special characters.
  8. Click Generate.

What to do next

Download the IBM MQ certificate and import it in your client to access the IBM MQ servers. For more information, see Downloading inbound certificates.

You must apply the generated IBM MQ certificate on your IBM MQ servers. To apply a certificate, select the certificate and click Apply changes. A user with Organization Administrator and Developer role can apply the changes.

In the Apply IBM MQ certificate page, select the date and time at which you want to start applying the certificates for your IBM MQ servers.
Note: If you select a date prior to the current date, the process to apply changes is started immediately.

When you apply the IBM MQ certificates on the IBM MQ servers, the SSL enabled channels are cycled and all IBM MQ clients need to reconnect. Therefore, you might want to schedule this action for a low volume period of the day to minimize the impact of connections being reestablished.

When the change is scheduled, you can view it as a process in the queue. The following two processes are run according to the schedule.
  1. The first process applies the new certificate to the truststore of IBM MQ.
  2. The second process refreshes the IBM MQ security and the channel bounces.