[AIX, Linux, Windows]

Receiving a personal certificate into your PKCS #11 hardware

Use this procedure to receive a personal certificate for either a queue manager or an IBM® MQ MQI client to your cryptographic hardware.

Before you receive the signed certificate into the cryptographic hardware, the CA certificate of the CA that signed the personal certificate must already be present, either in the cryptographic hardware or in the secondary key repository. If the signing CA is an intermediate CA, add its issuer chain as well, so that the received certificate can be validated against a complete chain. To add a CA certificate to a key repository file, follow the procedure in Adding a CA certificate, or the public part of a trusted certificate, into a key repository on AIX, Linux, and Windows.

Issue the following runmqakm (GSKCapiCmd) command to receive the personal certificate into the cryptographic hardware:
runmqakm -cert -receive -file filename -crypto module_name
         -tokenlabel hardware_token -pw hardware_password
         -format cert_format -fips
         -secondaryDB filename -secondaryDBpw password
where:
-file filename
Specifies the fully qualified file name of the file containing the personal certificate.
-crypto module_name
Specifies the fully qualified name of the PKCS #11 library supplied with the cryptographic hardware.
-tokenlabel hardware_token
Specifies the PKCS #11 cryptographic device token label.
-pw hardware_password
Specifies the password (PIN) used to access the cryptographic hardware. Because it is passed on the command line, it is visible in shell history and in process listings while the command runs.
-format cert_format
Specifies the format of the certificate file. The value can be ascii for Base64-encoded ASCII or binary for binary DER data. The default is ascii.
-fips
Specifies that the command is run in FIPS mode. In FIPS mode, the IBM Crypto for C (ICC) component uses only algorithms that are FIPS 140-2 validated. If the ICC component cannot initialize in FIPS mode, the runmqakm command fails.
-secondaryDB filename
Specifies the fully qualified file name of the key repository file that holds the CA certificate, when the CA certificate is stored in a secondary key repository rather than in the cryptographic hardware.
-secondaryDBpw password
Specifies the password of that secondary key repository file.
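The following POSIX shell wrapper is an added example and is not part of the IBM MQ documentation or product. It runs the prerequisite checks an operator usually wants before touching the token (certificate file, PKCS #11 library and secondary key repository all readable, certificate format detected rather than left to the default), then issues the receive command shown above. The library path, the token label mqtoken, the file names and the HSM_PIN_FILE and SECDB_PW_FILE environment variables are assumptions for illustration; the sample certificate text used by its test is constructed and is not a real certificate.

```shell
#!/bin/sh
# Added example, not from the IBM MQ documentation: a wrapper around
# "runmqakm -cert -receive" for a PKCS #11 token. Library path, token label,
# file names and environment variable names are assumptions for illustration.

# Return the -format value runmqakm needs for a certificate file:
# "ascii" for a Base64 (PEM) file, "binary" for DER. Fails if unreadable.
cert_format() {
    [ -r "$1" ] || { echo "cannot read certificate file: $1" >&2; return 2; }
    if grep -q -e '-----BEGIN CERTIFICATE-----' "$1"; then
        printf 'ascii\n'
    else
        printf 'binary\n'
    fi
}

# Compose the receive command without either password, so it can be logged
# or shown in a dry run. Arguments: cert_file p11_lib token_label format secondary_db
build_receive_cmd() {
    printf 'runmqakm -cert -receive -file %s -crypto %s -tokenlabel %s -format %s -fips -secondaryDB %s\n' \
        "$1" "$2" "$3" "$4" "$5"
}

# Check prerequisites, then run the receive. Passwords are read from files
# named by HSM_PIN_FILE and SECDB_PW_FILE (keep them mode 0600); they are
# still visible in the process list while runmqakm runs, so run this on the
# host that owns the hardware rather than through a shared jump box.
# Arguments: cert_file p11_lib token_label secondary_db
receive_cert() {
    cert_file=$1 p11_lib=$2 token=$3 secdb=$4
    for f in "$cert_file" "$p11_lib" "$secdb"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 2; }
    done
    fmt=$(cert_format "$cert_file") || return 2
    echo "about to run: $(build_receive_cmd "$cert_file" "$p11_lib" "$token" "$fmt" "$secdb")"
    if [ "${DRY_RUN:-0}" = 1 ]; then
        return 0
    fi
    hsm_pw=$(cat "${HSM_PIN_FILE:?set HSM_PIN_FILE to a 0600 file holding the token PIN}")
    db_pw=$(cat "${SECDB_PW_FILE:?set SECDB_PW_FILE to a 0600 file holding the key repository password}")
    runmqakm -cert -receive -file "$cert_file" -crypto "$p11_lib" \
        -tokenlabel "$token" -pw "$hsm_pw" -format "$fmt" -fips \
        -secondaryDB "$secdb" -secondaryDBpw "$db_pw"
}

# Usage with assumed paths (set DRY_RUN=1 to only print the command):
#   DRY_RUN=1 ./receive_to_hsm.sh QM1_signed.arm /usr/lib/pkcs11/libexample_pkcs11.so \
#       mqtoken /var/mqm/qmgrs/QM1/ssl/secondary.kdb
if [ "$#" -eq 4 ]; then
    receive_cert "$@"
fi
```

Run it first with DRY_RUN=1 to confirm the detected format and the paths, then without it on the hardware host; when the CA certificate lives on the token instead of in a secondary key repository, drop the two -secondaryDB arguments from both build_receive_cmd and the runmqakm call.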