Using the command line
You can request a personal certificate from the command line using the runmqckm (iKeycmd) or runmqakm (GSKCapiCmd) commands. If you need to manage SSL or TLS certificates in a way that is FIPS-compliant, use the runmqakm command.
Procedure
Request a personal certificate by using either the runmqckm or
runmqakm (GSKCapiCmd) command.
- Using runmqckm:
runmqckm -certreq -create -db filename -pw password -label label -dn distinguished_name -size key_size -file filename -sig_alg algorithm
Instead of
-dn distinguished_name
, you can use-san_dsname DNS_names
,-san_emailaddr email_addresses
, or-san_ipaddr IP_addresses
. - Using runmqakm:
runmqakm -certreq -create -db filename -pw password -label label -dn distinguished_name -size key_size -file filename -fips -sig_alg algorithm
- -db filename
- Specifies the fully qualified file name of a CMS key database.
- -pw password
- Specifies the password for the CMS key database.
- -label label
- Specifies the key label attached to the certificate. The label is either the value of the
CERTLABL attribute, if it is set, or the default
ibmwebspheremq
with the name of the queue manager or the IBM® MQ MQI client logon user ID appended, all in lowercase. See Digital certificate labels, understanding the requirements for details. - -dn distinguished_name
- Specifies the X.500 distinguished name enclosed in double quotation marks. At least one
attribute is required. You can supply multiple OU and DC attributes. Note: The runmqckm and runmqakm tools refer to the postal code attribute as POSTALCODE, not PC. Always specify POSTALCODE in the -dn parameter when you use these certificate management commands to request certificates with a postal code.
- -size key_size
- Specifies the key size. If you are using runmqckm, the value can be 512 or 1024. If you are using runmqakm, the value can be 512, 1024, or 2048.
- -file filename
- Specifies the file name for the certificate request.
- -fips
- Specifies that the command is run in FIPS mode. When in FIPS mode, the IBM Crypto for C (ICC) component uses algorithms that are FIPS 140-2 validated. If the ICC component does not initialize in FIPS mode, the runmqakm command fails.
- -sig_alg
- For runmqckm, specifies the asymmetric signature algorithm used for the creation of the entry's key pair. The value can be, MD2_WITH_RSA, MD2WithRSA, MD5_WITH_RSA, MD5WithRSA, SHA1WithDSA, SHA1WithECDSA, SHA1WithRSA, SHA2/ECDSA, SHA224WithECDSA, SHA256_WITH_RSA, SHA256WithECDSA, SHA256WithRSA, SHA2WithECDSA, SHA3/ECDSA, SHA384_WITH_RSA, SHA384WithECDSA, SHA384WithRSA, SHA3WithECDSA, SHA5/ECDSA, SHA512_WITH_RSA, SHA512WithECDSA, SHA512WithRSA, SHA5WithECDSA, SHA_WITH_DSA, SHA_WITH_RSA, SHAWithDSA, SHAWithRSA. The default value is SHA1WithRSA.
- -sig_alg
- For runmqakm, specifies the hashing algorithm used during the creation of a certificate request. This hashing algorithm is used to create the signature associated with the newly created certificate request. The value can be md5, MD5_WITH_RSA, MD5WithRSA, SHA_WITH_DSA, SHA_WITH_RSA, sha1, SHA1WithDSA, SHA1WithECDSA, SHA1WithRSA, sha224, SHA224_WITH_RSA, SHA224WithDSA, SHA224WithECDSA, SHA224WithRSA, sha256, SHA256_WITH_RSA, SHA256WithDSA, SHA256WithECDSA, SHA256WithRSA, SHA2WithRSA, sha384, SHA384_WITH_RSA, SHA384WithECDSA, SHA384WithRSA, sha512, SHA512_WITH_RSA, SHA512WithECDSA, SHA512WithRSA, SHAWithDSA, SHAWithRSA, EC_ecdsa_with_SHA1, EC_ecdsa_with_SHA224, EC_ecdsa_with_SHA256, EC_ecdsa_with_SHA384, or EC_ecdsa_with_SHA512. The default value is SHA1WithRSA.
- -san_dnsname DNS_names
- Specifies a comma-delimited or space-delimited list of DNS names for the entry being created.
- -san_emailaddr email_addresses
- Specifies a comma-delimited or space-delimited list of email addresses for the entry being created.
- -san_ipaddr IP_addresses
- Specifies a comma-delimited or space-delimited list of IP addresses for the entry being created.
What to do next
Submit a certificate request to a CA. See Receiving personal certificates into a key repository on UNIX, Linux, and Windows for further information.