Receiving a personal certificate into your PKCS #11 hardware
Use this procedure to receive a personal certificate for either a queue manager or an IBM® MQ MQI client into your cryptographic hardware.
Before you receive the signed personal certificate into the cryptographic hardware, add the certificate of the CA that signed it to either the cryptographic hardware or the secondary key repository, so that the certificate chain can be validated when the personal certificate is received. To add a CA certificate to a key repository file, follow the procedure in Adding a CA certificate, or the public part of a trusted certificate, into a key repository on AIX, Linux, and Windows.
Issue the following runmqakm (GSKCapiCmd) command to receive the personal certificate into the cryptographic hardware:
runmqakm -cert -receive -file filename -crypto module_name
-tokenlabel hardware_token -pw hardware_password
-format cert_format -fips
-secondaryDB filename -secondaryDBpw password
where:

-file filename
    Specifies the fully qualified file name of the file containing the personal certificate.
-crypto module_name
    Specifies the fully qualified name of the PKCS #11 library supplied with the cryptographic hardware.
-tokenlabel hardware_token
    Specifies the PKCS #11 cryptographic device token label.
-pw hardware_password
    Specifies the password to access the cryptographic hardware.
-format cert_format
    Specifies the format of the certificate. The value can be ascii for Base64-encoded ASCII or binary for binary DER data. The default is ascii.
-fips
    Specifies that the command is run in FIPS mode. When in FIPS mode, the IBM Crypto for C (ICC) component uses algorithms that are FIPS 140-2 validated. If the ICC component does not initialize in FIPS mode, the runmqakm command fails.
-secondaryDB filename
    Specifies the fully qualified file name of the key repository file that is used to store the CA certificate.
-secondaryDBpw password
    Specifies the password for the key repository file that is used to store the CA certificate.
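The following script is an added example, not IBM's code, that drives the whole procedure above in order: it adds the issuing CA certificate to the secondary key repository, receives the signed personal certificate into the PKCS #11 token, then lists the token to confirm the certificate is present. The PKCS #11 library path, token label, key repository path and CA label are hypothetical defaults that can be overridden through the environment; the two passwords are read from the PKCS11_PIN and KDB_PW environment variables so that they never sit in the script or in shell history. The -format value is picked by inspecting the certificate file rather than relying on the ascii default, and any command line that is printed has both passwords redacted.

```shell
#!/bin/sh
# Added example (not IBM's code): add the CA certificate to the secondary key repository,
# then receive the CA-signed personal certificate into a PKCS #11 token with runmqakm.
# Paths, token label and CA label below are hypothetical site defaults.
set -eu

# Choose the -format value from the file content: a PEM (.arm) file carries a
# "-----BEGIN CERTIFICATE-----" line and is "ascii"; anything else is treated as DER, "binary".
cert_format() {
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then
        echo ascii
    else
        echo binary
    fi
}

# Preflight: every file runmqakm will open must exist and be readable before we start,
# so that a typo in a path fails here rather than halfway through the procedure.
preflight() {
    for f in "$@"; do
        if [ ! -r "$f" ]; then
            echo "preflight: cannot read $f" >&2
            return 1
        fi
    done
}

# Print a command line with the value following -pw or -secondaryDBpw replaced by ***,
# so that dry runs and logs never contain the token PIN or the key repository password.
redact_cmd() {
    prev=""
    out=""
    for word in "$@"; do
        shown="$word"
        case "$prev" in
            -pw|-secondaryDBpw) shown='***' ;;
        esac
        out="$out$shown "
        prev="$word"
    done
    printf '%s\n' "${out% }"
}

# Show the redacted command, then execute it unless RUNMQAKM_DRY_RUN=1 is set.
run_cmd() {
    redact_cmd "$@" >&2
    if [ "${RUNMQAKM_DRY_RUN:-0}" = 1 ]; then
        return 0
    fi
    "$@"
}

# Usage: PKCS11_PIN=... KDB_PW=... ./receive_cert.sh ca.arm qm_signed.arm
main() {
    ca_file="$1"
    cert_file="$2"
    module="${PKCS11_MODULE:-/usr/lib/pkcs11/PKCS11_API.so}"    # hypothetical PKCS #11 library
    token="${PKCS11_TOKEN:-MQTOKEN}"                             # hypothetical token label
    kdb="${MQ_SECONDARY_DB:-/var/mqm/qmgrs/QM1/ssl/key.kdb}"     # hypothetical secondary repository
    ca_label="${CA_LABEL:-MyCA}"                                 # hypothetical CA certificate label
    : "${PKCS11_PIN:?set PKCS11_PIN to the cryptographic hardware password}"
    : "${KDB_PW:?set KDB_PW to the secondary key repository password}"

    preflight "$module" "$ca_file" "$cert_file" "$kdb"

    # Step 1: the issuing CA certificate must be trusted before the receive.
    run_cmd runmqakm -cert -add -db "$kdb" -pw "$KDB_PW" -label "$ca_label" \
        -file "$ca_file" -format "$(cert_format "$ca_file")"

    # Step 2: receive the signed personal certificate into the hardware token (the page's command).
    run_cmd runmqakm -cert -receive -file "$cert_file" -crypto "$module" \
        -tokenlabel "$token" -pw "$PKCS11_PIN" -format "$(cert_format "$cert_file")" -fips \
        -secondaryDB "$kdb" -secondaryDBpw "$KDB_PW"

    # Step 3: confirm the certificate now appears on the token.
    run_cmd runmqakm -cert -list -crypto "$module" -tokenlabel "$token" -pw "$PKCS11_PIN" \
        -secondaryDB "$kdb" -secondaryDBpw "$KDB_PW"
}

if [ $# -eq 2 ]; then
    main "$@"
elif [ $# -ne 0 ]; then
    echo "usage: $0 ca_cert_file personal_cert_file" >&2
    exit 2
fi
```

Run it first with RUNMQAKM_DRY_RUN=1 to review the three redacted command lines, then without it to perform the procedure. Because runmqakm takes the hardware password and the key repository password as command-line arguments, they are visible to other users of the machine through the process list while each command runs; keeping them out of the script and the shell history, as this example does, limits the exposure to that window.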