createcertrequest (create certificate request)

Create a certificate request for a queue manager.

Purpose

You can use the createcertrequest command to create a certificate request for a specified queue manager.

Syntax

Read syntax diagramSkip visual syntax diagram createcertrequest -m QMgrName -dn DistinguishedName -labelLabel-sig_algHashAlgorithm-size KeySize-ku Usage-eku Usage-san_dnsname DNSNames-san_ipaddrIPAddresses

Parameters

-m QMgrName
Specifies the name of the queue manager for which the certificate request is created.
The queue manager must exist.
-dn DistinguishedName
Specifies the X.500 distinguished name that uniquely identifies the certificate.
DistinguishedName is a string that is enclosed in double quotation marks. For example, CN=John Smith,O=IBM,OU=Test,C=GB. The CN, O, and C attributes are required.
-label Label
Specifies the label that is associated with the certificate request.
The default value is ibmwebspheremqQMgrName, where QMgrName is the name of the queue manager in lowercase.
-sig_alg HashAlgorithm
Specifies the signing algorithm that is used to create the signature that is associated with the new certificate.
HashAlgorithm can be one of the following values:

md5, MD5_WITH_RSA, MD5WithRSA, SHA_WITH_DSA, SHA_WITH_RSA, sha1, SHA1WithDSA, SHA1WithECDSA, SHA1WithRSA, sha224, SHA224_WITH_RSA, SHA22WithrSA, SHA224WithECDSA, SHA224WithRSA, sha256, SHA256_WITH_RSA, SHA256WithRSA, SHA256WithECDSA, SHA256WithRSA, , sha384, SHA384_WITH_RSA, SHA384WithECDSA, SHA384WithRSA, sha512, SHA512_WITH_RSA, SHA512WithECDSA, SHA512WithRSA, SHAWithDSA, SHAWithRSA , EC_ecdsa_with_SHA1, EC_ecdsa_with_SHA224, EC_ecdsa_with_SHA256, EC_ecdsa_with_SHA384, or EC_ecdsa_with_SHA512.

sha3_256, SHA3_256WithRSA, sha3_384, SHA3_384WithRSA, sha3_512, SHA3_512WithRSA, SHA3_256WithRSASSAPSS, SHA3_384WithRSASSAPSS, SHA3_512WithRSASSAPSS, SHA3_256WithECDSA, SHA3_384WithECDSA, SHA3_512WithECDSA, RSASSAPSS, SHA256WithRSASSAPSS, SHA384WithRSASSAPSS, SHA512WithRSASSAPSS.

The default value is SHA256WithRSA.
-size KeySize
Specifies the size of the new key pair.
The default value is 2048 for all RSA signature algorithms. For elliptic curve signature algorithms, use 256, 384, or 512 to match the selected algorithm.
-ku Usage
Specifies a list of valid uses for the certificate.
To specify more than one use, enter each value in a comma-separated list.
-eku Usage
Specifies a list of valid uses for the certificate.
To specify more than one use, enter each value in a comma-separated list.
-san_dnsname DNSNames
Specifies the Subject Alternative Name (SAN) DNS names for the certificate that is created.
To specify more than one DNS name, enter each value in a comma-separated list.
-san_ipaddr IPAddresses
Specifies the Subject Alternative Name (SAN) IP addresses for the certificate that is created.
To specify more than one IP address, enter each value in a comma-separated list.

Usage notes

  • This command must be run from the IBM® MQ administration mode. If the system is in the IBM MQ administration mode the prompt includes mq. To enter the IBM MQ administration mode, enter mqcli on the command line. To exit the IBM MQ administration mode, enter exit on the command line.
  • The certificate request file name is generated based on the label that is specified in the command. The file name is displayed when the command completes.

Examples

  • The following command creates a certificate request for queue manager QM2, with a distinguished name of CN=Jane Smith,O=IBM,OU=Test,C=US: 
    createcertrequest -m QM2 -dn "CN=Jane Smith,O=IBM,OU=Test,C=US"

Related commands