[AIX, Linux, Windows]

Adding default CA certificates into an empty key repository on AIX, Linux, and Windows with GSKit 8.0

Follow this procedure to add one or more of the default CA certificates to an empty key repository with GSKit 8.0.

In GSKit 7.0, the behavior when creating a new key repository was to automatically add in a set of default CA certificates for commonly-used Certificate Authorities. For GSKit 8.0, this behavior has changed so that CA certificates are no longer automatically added to the repository. The user is now required to manually add CA certificates into the key repository.

Using strmqikm

Perform the following steps on the machine on which you want to add the CA certificate:

  1. Start the GUI using the strmqikm command (on AIX®, Linux®, and Windows).
  2. From the Key Database File menu, click Open. The Open window opens.
  3. Click Key database type and select CMS (Certificate Management System).
  4. Click Browse to navigate to the directory that contains the key database files.
  5. Select the key database file to which you want to add the certificate, for example key.kdb.
  6. Click Open. The Password Prompt window opens.
  7. Type the password you set when you created the key database and click OK. The name of your key database file displays in the File Name field.
  8. In the Key database content field, select Signer Certificates.
  9. Click Populate. The Add CA's Certificate window opens.
  10. The CA certificates that are available to be added to the repository are displayed in a hierarchical tree structure. Select the top level entry for the organization whose CA certificates you want to trust to view the complete list of valid CA certificates.
  11. Select the CA certificates you want to trust from the list and click OK. The certificates are added to the key repository.

Using the command line

Use the following commands to list, then add CA certificates using runmqckm:
  • Issue the following command to list the default CA certificates along with the organizations which issue them:
    runmqckm -cert -listsigners
  • Issue the following command to add all of the CA certificates for the organization specified in the label field:
    runmqckm -cert -populate -db filename -pw password -label label
Note: Adding a CA certificate to a key repository results in IBM® MQ trusting all personal certificates signed by that CA certificate. Consider carefully which Certificate Authorities you want to trust and only add the set of CA certificates needed to authenticate your clients and managers. It is not recommended to add the full set of default CA certificates unless this is a definitive requirement for your security policy.