Creating a self-signed personal certificate on UNIX, Linux, and Windows
You can create a self-signed certificate by using the strmqikm (iKeyman) GUI, or from the command line using runmqckm (iKeycmd) or runmqakm (GSKCapiCmd).
The digital signature algorithm names SHA3WithRSA and SHA5WithRSA are deprecated because they are an abbreviated form of SHA384WithRSA and SHA512WithRSA respectively.
For more information about why you might want to use self-signed certificates, see Using self-signed certificates for mutual authentication of two queue managers.
Not all digital certificates can be used with all CipherSpecs. Ensure that you create a certificate that is compatible with the CipherSpecs you need to use. IBM MQ supports three different types of CipherSpec. For details, see Interoperability of Elliptic Curve and RSA CipherSpecs in the Digital certificates and CipherSpec compatibility in IBM MQ topic.
To use the Type 1 CipherSpecs (those with names beginning ECDHE_ECDSA_
) you must
use the runmqakm command to create the certificate and you must specify an
Elliptic Curve ECDSA signature algorithm parameter; for example,
-sig_alg EC_ecdsa_with_SHA384
.
See runmqckm and runmqakm options on UNIX, Linux, and Windows for a list of the options available with the -sig_alg hashing algorithm.
- GUI, see Using the strmqikm user interface
- Command line, see Using the command line