[IBM i]

Requesting a server certificate for a remote system on IBM i

Follow this procedure to create a certificate signed by your local certificate authority (CA), or to apply for a server certificate signed by a commercial CA for import into a key repository on other platforms.

About this task

A user certificate must be used when the Digital Certificate Manager (DCM) serves as the certificate manager for IBM® MQ on multiple platforms. For personal certificates that are distributed to other platforms and imported into a key repository, perform the following steps in a web browser:

Procedure

  1. Access the DCM interface, as described in Accessing DCM.
  2. In the navigation pane, click Create Certificate.
    The Create Certificate page is displayed in the task frame.
  3. On the Create Certificate panel, select the User certificate radio button and click Continue.
    The Create User Certificate page is displayed.
  4. On the Create User Certificate panel, complete the required fields under Certificate Information: Organization name, State or province, and Country or region. Optionally, put values in the Organization unit and Locality or city fields. Click Continue.
    The Common name is automatically set to the user ID with which you are logged on to the iSeries system.
  5. On the next Create User Certificate panel, click Install certificate and click Continue.
    The following message is displayed: "Your personal certificate has been installed. You should keep a backup copy of this certificate."
  6. Click OK.
  7. Depending on the web browser that you used to access DCM, complete one of the following steps:
    • For Microsoft Edge, choose Tools > Internet Options > Content tab > Certificates button > Personal tab. Select the certificate and click Export.
    • For Mozilla Firefox, choose Tools > Options > Advanced > Encryption tab > View Certificates button > Your Certificates tab. Select the certificate and click Backup. Select the path and filename and click OK.
  8. Transfer the exported certificate to the remote system using FTP in binary format.
  9. Import the certificate that was exported in step 7 to the key repository on the remote system.
    During the import, ensure that the label name of the personal certificate and the signer certificate are changed to the value that IBM MQ expects. The label must be either the value of the IBM MQ queue manager CERTLABL attribute, if it is set, or the default value of ibmwebspheremq with the name of the queue manager appended, all in lowercase. For more information, see Digital certificate labels.
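
The following Python sketch is an added example, not IBM code. It checks steps 8 and 9 on the remote system before the import: that the transferred file survived FTP intact, and which label IBM MQ will look for. It assumes the browser export is a PKCS#12 file (an ASN.1 SEQUENCE); the function names, the queue manager name QM1 and the sample bytes are constructed for illustration.

```python
import hashlib

def expected_label(qmgr_name, certlabl=None):
    """Label IBM MQ expects: CERTLABL if set, else the lowercase default."""
    if certlabl:
        return certlabl
    return ("ibmwebspheremq" + qmgr_name).lower()

def envelope_ok(data):
    """Check the outer ASN.1 SEQUENCE of the file; returns (ok, reason)."""
    if len(data) < 2 or data[0] != 0x30:
        return False, "does not start with an ASN.1 SEQUENCE"
    first = data[1]
    if first == 0x80:
        # BER indefinite length: content runs to the end-of-contents octets.
        ok = data.endswith(b"\x00\x00")
        return ok, "ok" if ok else "missing end-of-contents octets"
    if first < 0x80:
        header, length = 2, first              # short form: length in one byte
    else:
        n = first & 0x7F                       # long form: next n bytes hold the length
        if n > 4 or len(data) < 2 + n:
            return False, "bad length field"
        header, length = 2 + n, int.from_bytes(data[2:2 + n], "big")
    if header + length != len(data):
        return False, f"header declares {header + length} bytes, file has {len(data)}"
    return True, "ok"

def transfer_intact(data, sha256_before):
    """True only if the envelope is sane and the digest matches the source copy."""
    ok, _ = envelope_ok(data)
    return ok and hashlib.sha256(data).hexdigest() == sha256_before

def constructed_sample():
    """Constructed stand-in for an exported file: SEQUENCE header + 300 filler bytes."""
    return b"\x30\x82\x01\x2c" + bytes(i % 256 for i in range(300))

if __name__ == "__main__":
    good = constructed_sample()
    digest = hashlib.sha256(good).hexdigest()  # recorded on the exporting machine
    mangled = good.replace(b"\n", b"\r\n")     # what an ASCII-mode FTP transfer can do
    print(envelope_ok(good), transfer_intact(good, digest))
    print(envelope_ok(mangled), transfer_intact(mangled, digest))
    print(expected_label("QM1"), expected_label("QM1", "mqcert2024"))
```

A file that fails either check was most likely transferred in ASCII mode; repeat the transfer in binary mode rather than attempting the import.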