[AIX, Linux, Windows]

Commands for CMS or PKCS #12 key databases on AIX®, Linux®, and Windows

Use the runmqckm and runmqakm commands to manage keys and certificates for a CMS key database or PKCS #12 key database.

Note: IBM® MQ does not support SHA-3 or SHA-5 algorithms. You can use the digital signature algorithm names SHA384WithRSA and SHA512WithRSA because both algorithms are members of the SHA-2 family.

The digital signature algorithm names SHA3WithRSA and SHA5WithRSA are deprecated because they are an abbreviated form of SHA384WithRSA and SHA512WithRSA respectively.

-keydb -changepw
Change the password for a key database:

Using the runmqckm command:

-keydb -changepw -db filename -pw password -new_pw new_password -expire days

Using the runmqakm command:

-keydb -changepw -db filename -pw password -new_pw new_password -expire days
-fips -strong

-keydb -convert
For the runmqckm command, convert the key database from one format to another:

-keydb -convert -db filename -pw password
-old_format cms | pkcs12 -new_format cms

Using the runmqakm command, convert an old version CMS key database to the new version CMS key database:

-keydb -convert -db filename -pw password
-new_db filename -new_pw password -strong -fips

-keydb -create
Create a key database:

Using the runmqckm command:

-keydb -create -db filename -pw password -type cms | pkcs12

Using the runmqakm command:

-keydb -create -db filename -pw password -type cms
-fips -strong

-keydb -delete
Delete a key database:

Using either command:

-keydb -delete -db filename -pw password

-keydb -list
List currently supported types of key database:

Using the runmqckm command:

-keydb -list

Using the runmqakm command:

-keydb -list -fips

-cert -add
Add a certificate from a file into a key database:

Using the runmqckm command:

-cert -add -db filename -pw password -label label -file filename
-format ascii | binary

Using the runmqakm command:

-cert -add -db filename -pw password -label label -file filename
-format ascii | binary -fips

-cert -create
Create a self-signed certificate:

Using the runmqckm command:

-cert -create -db filename -pw password -label label 
-dn distinguished_name -size 1024 | 512 -x509version 3 | 1 | 2
-expire days -sig_alg MD2_WITH_RSA | MD2WithRSA |
MD5_WITH_RSA | MD5WithRSA |
SHA1WithDSA | SHA1WithRSA |
SHA256_WITH_RSA | SHA256WithRSA |
SHA2WithRSA | SHA384_WITH_RSA |
SHA384WithRSA | SHA512_WITH_RSA |
SHA512WithRSA | SHA_WITH_DSA |
SHA_WITH_RSA | SHAWithDSA |
SHAWithRSA

Using the runmqakm command:

-cert -create -db filename -pw password -label label
-dn distinguished_name -size 2048 | 1024 | 512 -x509version 3 | 1 | 2 
-expire days -fips -sig_alg md5 | 
MD5_WITH_RSA | SHA_WITH_DSA |
SHA_WITH_RSA | sha1 | 
SHA1WithDSA | SHA1WithECDSA | 
SHA1WithRSA | sha224 |
SHA224_WITH_RSA | SHA224WithDSA |
SHA224WithECDSA | SHA224WithRSA |
sha256 | SHA256_WITH_RSA |
SHA256WithDSA | SHA256WithECDSA |
SHA256WithRSA | SHA2WithRSA |
sha384 | SHA384_WITH_RSA |
SHA384WithECDSA | SHA384WithRSA |
sha512 | SHA512_WITH_RSA |
SHA512WithECDSA | SHA512WithRSA |
SHAWithDSA | SHAWithRSA |
EC_ecdsa_with_SHA1 | EC_ecdsa_with_SHA224 | 
EC_ecdsa_with_SHA256 | EC_ecdsa_with_SHA384 | 
EC_ecdsa_with_SHA512

-cert -delete
Delete a certificate:

Using the runmqckm command:

-cert -delete -db filename -pw password -label label

Using the runmqakm command:

-cert -delete -db filename -pw password -label label -fips

-cert -details
List the detailed information for a specific certificate:

Using the runmqckm command:

-cert -details -db filename -pw password -label label

Using the runmqakm command:

-cert -details -db filename -pw password -label label -fips

-cert -export
Export a personal certificate and its associated private key from a key database into a PKCS #12 file, or to another key database:

Using the runmqckm command:

-cert -export -db filename -pw password -label label -type cms | pkcs12
-target filename -target_pw password -target_type cms | pkcs12

Using the runmqakm command:

-cert -export -db filename -pw password -label label -type cms | pkcs12
-target filename -target_pw password -target_type cms | pkcs12
-encryption strong | weak -fips

-cert -extract
Extract a certificate from a key database:

Using the runmqckm command:

-cert -extract -db filename -pw password -label label -target filename
-format ascii | binary

Using the runmqakm command:

-cert -extract -db filename -pw password -label label -target filename
-format ascii | binary -fips

-cert -import
Import a personal certificate from a key database:

Using the runmqckm command:

-cert -import -file filename -pw password -type pkcs12 -target filename
-target_pw password -target_type cms -label label

Using the runmqakm command:

-cert -import -file filename -pw password -type cms -target filename
-target_pw password -target_type cms -label label -fips

For both these commands:
  • The -label option is required and specifies the label of the certificate that is to be imported from the source key database.
  • Additionally, you can use the -new_label option. This allows the imported certificate to be given a different label in the target key database from the label in the source database.

-cert -list
List all certificates in a key database:

Using the runmqckm command:

-cert -list all | personal | CA -db filename -pw password

Using the runmqakm command:

-cert -list all | personal | CA -db filename -pw password -fips

-cert -receive
Receive a certificate from a file:

Using the runmqckm command:

-cert -receive -file filename -db filename -pw password
-format ascii | binary -default_cert yes | no

Using the runmqakm command:

-cert -receive -file filename -db filename -pw password
-format ascii | binary -default_cert yes | no -fips

-cert -sign
Sign a certificate:

Using the runmqckm command:

-cert -sign -db filename -file filename -pw password
-label label -target filename -format ascii | binary -expire days
-sig_alg MD2_WITH_RSA | MD2WithRSA | MD5_WITH_RSA |
MD5WithRSA | SHA1WithDSA | SHA1WithRSA |
SHA256_WITH_RSA | SHA256WithRSA |
SHA2WithRSA | SHA384_WITH_RSA |
SHA384WithRSA | SHA512_WITH_RSA |
SHA512WithRSA | SHA_WITH_DSA |
SHA_WITH_RSA | SHAWithDSA |
SHAWithRSA

Using the runmqakm command:

-cert -sign -db filename -file filename -pw password
-label label -target filename -format ascii | binary -expire days -fips
-sig_alg md5 | MD5_WITH_RSA | SHA_WITH_DSA |
SHA_WITH_RSA | sha1 | SHA1WithDSA |
SHA1WithECDSA | SHA1WithRSA | sha224 |
SHA224_WITH_RSA | SHA224WithDSA |
SHA224WithECDSA | SHA224WithRSA | sha256 |
SHA256_WITH_RSA | SHA256WithDSA |
SHA256WithECDSA | SHA256WithRSA |
SHA2WithRSA | sha384 | SHA384_WITH_RSA |
SHA384WithECDSA | SHA384WithRSA |
sha512 | SHA512_WITH_RSA |
SHA512WithECDSA | SHA512WithRSA |
SHAWithDSA | SHAWithRSA |
EC_ecdsa_with_SHA1 | EC_ecdsa_with_SHA224 |
EC_ecdsa_with_SHA256 | EC_ecdsa_with_SHA384 |
EC_ecdsa_with_SHA512

-certreq -create
Create a certificate request:

Using the runmqckm command:

-certreq -create -db filename -pw password -label label -dn distinguished_name
-size 1024 | 512 -file filename
-sig_alg MD2_WITH_RSA | MD2WithRSA |
MD5_WITH_RSA | MD5WithRSA |
SHA1WithDSA | SHA1WithRSA |
SHA256_WITH_RSA | SHA256WithRSA |
SHA2WithRSA | SHA384_WITH_RSA |
SHA384WithRSA | SHA512_WITH_RSA |
SHA512WithRSA | SHA_WITH_DSA |
SHA_WITH_RSA | SHAWithDSA |
SHAWithRSA

Using the runmqakm command:

-certreq -create -db filename -pw password -label label -dn distinguished_name
-size 2048 | 1024 | 512 -file filename -fips
-sig_alg md5 | MD5_WITH_RSA | SHA_WITH_DSA |
SHA_WITH_RSA | sha1 | SHA1WithDSA |
SHA1WithECDSA | SHA1WithRSA | sha224 |
SHA224_WITH_RSA | SHA224WithDSA |
SHA224WithECDSA | SHA224WithRSA | sha256 |
SHA256_WITH_RSA | SHA256WithDSA |
SHA256WithECDSA | SHA256WithRSA |
SHA2WithRSA | sha384 | SHA384_WITH_RSA |
SHA384WithECDSA | SHA384WithRSA |
sha512 | SHA512_WITH_RSA |
SHA512WithECDSA | SHA512WithRSA |
SHAWithDSA | SHAWithRSA |
EC_ecdsa_with_SHA1 | EC_ecdsa_with_SHA224 |
EC_ecdsa_with_SHA256 | EC_ecdsa_with_SHA384 |
EC_ecdsa_with_SHA512

-certreq -delete
Delete a certificate request:

Using the runmqckm command:

-certreq -delete -db filename -pw password -label label

Using the runmqakm command:

-certreq -delete -db filename -pw password -label label -fips

-certreq -details
List the detailed information of a specific certificate request:

Using the runmqckm command:

-certreq -details -db filename -pw password -label label

Using the runmqakm command:

-certreq -details -db filename -pw password -label label -fips

List the detailed information about a certificate request and show the full certificate request:

Using the runmqckm command:

-certreq -details -showOID -db filename -pw password -label label

Using the runmqakm command:

-certreq -details -showOID -db filename -pw password -label label -fips

-certreq -extract
Extract a certificate request from a certificate request database into a file:

Using the runmqckm command:

-certreq -extract -db filename -pw password -label label -target filename

Using the runmqakm command:

-certreq -extract -db filename -pw password -label label -target filename -fips

-certreq -list
List all certificate requests in the certificate request database:

Using the runmqckm command:

-certreq -list -db filename -pw password

Using the runmqakm command:

-certreq -list -db filename -pw password -fips

-certreq -recreate
Re-create a certificate request:

Using the runmqckm command:

-certreq -recreate -db filename -pw password -label label -target filename

Using the runmqakm command:

-certreq -recreate -db filename -pw password -label label -target filename -fips
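
The -sig_alg and -size lists for -cert -create, -cert -sign and -certreq -create still accept MD2, MD5 and SHA-1 signatures and 512- or 1024-bit keys. The shell function below is an added example, not IBM code, that flags those choices (and the deprecated SHA3WithRSA and SHA5WithRSA names) in a command line before it is run. The names audit_mq_cmd and audit_samples are hypothetical, the sample lines are constructed, and reading the SHA names that carry no digest size as SHA-1 is an assumption.

```shell
#!/bin/sh
# Added example (not IBM code): flag weak -sig_alg and -size choices in a
# runmqckm/runmqakm command line. One finding per line; exit status 1 if any.
audit_mq_cmd() (
    set -f                      # no globbing while the line is word-split
    status=0 prev=""
    for tok in $1; do
        case "$prev" in
        -sig_alg)
            # Fold case and drop "_" so MD5_WITH_RSA and MD5WithRSA compare equal.
            norm=$(printf '%s' "$tok" | tr '[:upper:]' '[:lower:]' | tr -d '_')
            case "$norm" in
            md2*) echo "weak-digest MD2 ($tok)"; status=1 ;;
            md5*) echo "weak-digest MD5 ($tok)"; status=1 ;;
            # Assumption: names with no digest size (SHAWithRSA, ...) mean SHA-1.
            sha1*|shawith*|ececdsawithsha1)
                echo "weak-digest SHA-1 ($tok)"; status=1 ;;
            # The page marks these abbreviations as deprecated.
            sha3withrsa|sha5withrsa)
                echo "deprecated-name ($tok)"; status=1 ;;
            esac ;;
        -size)
            case "$tok" in
            512|1024) echo "weak-key RSA-$tok"; status=1 ;;
            esac ;;
        esac
        prev=$tok
    done
    exit "$status"
)

# Constructed sample lines (file names, labels and passwords are placeholders).
audit_samples() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        printf '%s\n' "== $line"
        audit_mq_cmd "$line" || :
    done <<'EOF'
runmqckm -cert -create -db key.kdb -pw PLACEHOLDER -label test -dn CN=test -size 1024 -sig_alg MD5_WITH_RSA
runmqakm -certreq -create -db key.kdb -pw PLACEHOLDER -label qm1 -dn CN=qm1 -size 2048 -file qm1.csr -sig_alg SHA256WithRSA
EOF
}
audit_samples
```

The non-zero exit status lets a wrapper script or CI job refuse to run a flagged command.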