In this scenario, you create a self-signed certificate that you can use for testing MQIPT routes. An MQIPT route can use this certificate to identify itself to a remote peer.

Self-signed certificates are useful in test scenarios where you must verify TLS connectivity without paying a Certificate Authority (CA) for a certificate. However, you should not use self-signed certificates in production environments. If you need certificates for production use, see Creating a key ring file.
About this task
You can use either the mqiptKeycmd (iKeyman) command-line interface (CLI) or the mqiptKeyman GUI to create the certificate. You must then specify the key ring file that contains the certificate in the SSLServerKeyRing or SSLClientKeyRing MQIPT route property, depending on whether the certificate is for use by inbound or outbound connections.
Procedure
Use one of the following methods to create test certificates:

- Use the command-line interface (CLI)
  - Enter the following command to create a new PKCS #12 key ring file:
    mqiptKeycmd -keydb -create -db server_name.pfx -pw password -type pkcs12
    where:
    - -db specifies the name of the key ring file (server_name.pfx).
    - -pw specifies the key ring password (password), which you must later encrypt using the mqiptPW utility.
  - Enter the following command to create a self-signed personal certificate for testing purposes:
    mqiptKeycmd -cert -create -db server_name.pfx -pw password -type pkcs12 -label label -dn DN_identity -sig_alg signature_algorithm -size key_size
    where:
    - -label specifies a unique name of your choice; it is preferable not to include space characters.
    - -dn specifies the appropriate Distinguished Name identity for the MQIPT route; for example, "CN=Test Certificate,OU=Sales,O=Example,C=US".
    - -sig_alg specifies the signature algorithm, which includes the hash algorithm; for example, SHA256WithRSA.
    - -size specifies the size of the public key; for example, 2048.
    If you use the example values given, this command creates a digital certificate with a 2048-bit RSA public key and a digital signature that uses RSA with the SHA-256 hash algorithm. When creating a certificate, take care to choose a public key encryption algorithm, key size, and digital signature algorithm that are appropriate for your organization's security needs. See Digital certificate considerations for MQIPT for more information.
- Use the GUI
  - Open the GUI by running the mqiptKeyman command.
  - Click .
  - Select the type of the key database; for example, PKCS12.
  - Enter the file name and location for the new key ring file. Click OK.
  - Enter a password for the new key ring file. Enter the password a second time to confirm. This is the key ring password that you must later encrypt using the mqiptPW utility. Click OK to create the new personal-certificate key ring file.
  - Create the new self-signed personal certificate by clicking .
  - Enter a label for the new certificate in the Key Label field. The label can be any unique name you choose; it is preferable not to include space characters.
  - Select the key size and digital signature algorithm as appropriate for your organization's security needs.
  - Enter the appropriate Distinguished Name identity for the MQIPT route in the optional DN fields, then click OK.
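The CLI steps above, wrapped into one checked script as an added example (this is not code from the MQIPT documentation or product). It assumes mqiptKeycmd is on the PATH when run for real; the input checks (no spaces in the label, a CN= component in the DN, a key size of at least 2048, refusing to overwrite an existing key ring) are this script's own policy, not product rules.

```shell
#!/bin/sh
# Added example, not part of the MQIPT documentation. Assumes mqiptKeycmd is on the PATH.

# Label check: non-empty and, as the page recommends, no space characters.
valid_label() {
  case "$1" in
    "") return 1 ;;
    *[[:space:]]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Key size check: a decimal number of at least 2048 (this script's own minimum; the page's example is 2048).
valid_key_size() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 2048 ]
}

# DN check: must carry a CN= component (attribute presence only).
valid_dn() {
  case "$1" in
    *CN=*) return 0 ;;
    *) return 1 ;;
  esac
}

# Create the PKCS #12 key ring and the self-signed test certificate.
# Usage: create_test_keyring <keyring.pfx> <password> <label> <dn> [sig_alg] [key_size]
# Returns 2 on bad input, 3 if the key ring already exists, 4 or 5 if mqiptKeycmd fails.
create_test_keyring() {
  db="$1"; pw="$2"; label="$3"; dn="$4"
  sig_alg="${5:-SHA256WithRSA}"; size="${6:-2048}"
  valid_label "$label"  || { echo "label must be non-empty and contain no spaces" >&2; return 2; }
  valid_key_size "$size" || { echo "key size must be a number >= 2048" >&2; return 2; }
  valid_dn "$dn"        || { echo "DN must contain a CN= component" >&2; return 2; }
  [ -e "$db" ] && { echo "$db already exists; refusing to overwrite" >&2; return 3; }
  mqiptKeycmd -keydb -create -db "$db" -pw "$pw" -type pkcs12 || return 4
  mqiptKeycmd -cert -create -db "$db" -pw "$pw" -type pkcs12 \
    -label "$label" -dn "$dn" -sig_alg "$sig_alg" -size "$size" || return 5
  # The key ring holds the private key: restrict it to its owner.
  chmod 600 "$db"
}
```

Example call: create_test_keyring server_name.pfx password testcert "CN=Test Certificate,OU=Sales,O=Example,C=US". Remember that the -pw value is visible to other local users in the process list while the command runs.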
What to do next
Encrypt the key ring passwords by issuing the following command:
mqiptPW
Enter the key ring password to encrypt when prompted. Set the value of the appropriate property in the mqipt.conf configuration file to the encrypted password that is output by the mqiptPW command; for example, SSLServerKeyRingPW or SSLClientKeyRingPW, depending on whether the certificate is for use by inbound or outbound connections. For more information about encrypting key ring passwords, see Encrypting stored passwords.