Queue manager certificate administration
When using IBM® MQ as a Service it is important to protect data that flows through your queue managers.
Public certificates and private keys can be used to encrypt data in transit and at rest using transport layer security (TLS) and Advanced Message Security (AMS). IBM MQ as a Service provides a default certificate and private key pair for your queue manager on creation. The certificate and private key pair can be used to authenticate the queue manager to connecting IBM MQ clients and encrypt/decrypt data. The IBM MQ as a Service service provides the ability for administrators to use their own customer generated certificates and manage their use within the queue manager. This topic explains how the provided certificates are managed by the service, steps administrators will need to follow to manage expiring certificates, and how to import your own customer generated certificates.
IBM certificate management policy
When a queue manager is created, a default certificate chain is added to the queue manager's key store and trust store. The key store contains the certificate used by the queue manager and the trust store contains the intermediate and root CA certificates used to sign the queue manager certificate. The default certificate is configured for use on the queue manager, the IBM MQ Console and REST APIs. Only the queue manager certificate can be replaced.
Certificates can be viewed in the service by selecting a queue manager and clicking the Key store tab. Each certificate in the key store is shown with four icons (greyed out when not in use) which, from left to right, represent:
- Queue manager default certificate (used when no explicit certificate is chosen in configuration)
- Used in TLS channel configuration
- Used in AMS channel configuration
- Used by IBM MQ Console and REST APIs
The default certificate has a 90-day expiration period. When nearing expiry the following process is invoked by the service:
- Approximately 30 days before expiration a new certificate is added to the queue manager key store
- Queue managers that have not been configured to enable TLS use the new certificate by default
- Queue managers that are configured to use TLS continue to use the old certificate, the new certificate is made available for use
- The IBM MQ Console and REST APIs for existing queue managers continue to use the old certificate
- The IBM MQ Console and REST APIs for new queue managers use the new certificate
- Approximately 14 days before expiration the new certificate becomes the default
- Queue managers that are configured to use TLS or AMS have the default certificate replaced with the new certificate (IBM MQ clients will be disconnected for a short time, while the security configuration is refreshed)
- The IBM MQ Console and REST APIs use the new certificate
- The old certificate is removed from the queue manager key store
- Queue managers that have been configured to use a customer generated certificate remain unaffected by the above process. Customer generated certificate expiry is the responsibility of the queue manager administrator.
- Certificates originally had an expiration period of 1 year. This has been reduced to 90 days.
Handling certificate expiry
The IBM MQ as a Service service provides notifications in the service console user interface when IBM provided certificates near expiry.
At 30 days and again at 14 days before expiry, increasingly severe warnings are displayed in the queue manager list view and on the queue manager details pages. During this period, TLS- and AMS-enabled IBM MQ clients and connected queue managers require their trust stores to be updated to include the new certificate. To download the new certificate from the service, complete these steps:
- Open the Key store tab for the required queue manager
- Select the ... icon on the new certificate
- Click the Download public certificate button to download the PEM file
- Import the certificate into the IBM MQ client trust store
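As an added example (not part of the IBM documentation), the following Python script reads the expiry date of a downloaded queue manager certificate with the openssl CLI and maps the days remaining onto the 30-day and 14-day rotation windows described above, so an administrator can script the "update client trust stores now" check instead of relying on the console warnings alone. The file name, exit codes and the use of openssl on PATH are assumptions.

```python
"""Added example: place a downloaded queue manager certificate (PEM from the
Key store tab) in the service's 30-day / 14-day rotation windows."""
import subprocess
import sys
from datetime import datetime, timezone

# Thresholds taken from the rotation policy above: a replacement certificate is
# added about 30 days before expiry and becomes the default about 14 days before.
NEW_CERT_AVAILABLE_DAYS = 30
NEW_CERT_DEFAULT_DAYS = 14


def parse_openssl_enddate(line):
    """Parse the 'notAfter=Jun  2 10:00:00 2024 GMT' line printed by
    `openssl x509 -noout -enddate` into an aware UTC datetime."""
    value = line.strip().split("=", 1)[1]
    if value.endswith(" GMT"):
        value = value[:-4]
    return datetime.strptime(value, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)


def days_remaining(not_after, now):
    """Whole days from `now` until `not_after` (negative once expired)."""
    return (not_after - now).days


def rotation_phase(days):
    """Map days remaining onto the service's rotation windows."""
    if days < 0:
        return "expired"
    if days <= NEW_CERT_DEFAULT_DAYS:
        # Replacement certificate is (or is about to be) the default: clients that
        # do not yet trust it will be unable to connect after the SSL refresh.
        return "critical"
    if days <= NEW_CERT_AVAILABLE_DAYS:
        # Replacement certificate is in the key store: download it and add it to
        # every client and partner queue manager trust store now.
        return "warning"
    return "ok"


def check_pem(path, now=None):
    """Return (days_remaining, phase) for the certificate in a PEM file."""
    out = subprocess.run(["openssl", "x509", "-noout", "-enddate", "-in", path],
                         check=True, capture_output=True, text=True).stdout
    days = days_remaining(parse_openssl_enddate(out), now or datetime.now(timezone.utc))
    return days, rotation_phase(days)


if __name__ == "__main__":
    # Usage (assumed file name): python check_qmgr_cert.py qmgrcert_YYYYMM.pem
    days, phase = check_pem(sys.argv[1])
    print(f"{sys.argv[1]}: {days} days remaining, status {phase}")
    sys.exit(0 if phase == "ok" else 1)  # non-zero so a scheduler or CI job alerts
```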

An example of importing a certificate into another queue manager trust store:
# First convert the PEM file to PKCS#12
# Choose a password when prompted
openssl pkcs12 -export -out qmgrcert_YYYYMM.pfx -in qmgrcert_YYYYMM.pem -nokeys
# Import the certificate from the PKCS#12 file into the queue manager trust store
runmqckm -cert -import -file qmgrcert_YYYYMM.pfx -pw <pkcs12 password> -type pkcs12 -target /var/mqm/qmgrs/<QM>/ssl/key.kdb -target_pw <password> -target_type cms -label <label>
An example of importing a certificate into a Java client trust store:
# First convert the PEM file to DER
openssl x509 -outform der -in qmgrcert_YYYYMM.pem -out qmgrcert_YYYYMM.der
# Import the certificate into the Java trust store
keytool -import -alias <label> -keystore cacerts -file qmgrcert_YYYYMM.der
After the IBM MQ client or connected queue manager trust stores have been updated, the IBM MQ as a Service queue manager can be configured to use the new certificate.
- Open the Key store tab for the required queue manager
- Select the ... icon on the new certificate
- Click the Manage button
- Select the TLS and AMS configuration required
- Now refresh the queue manager SSL security:
  - On the queue manager page, select Configuration.
  - Select the Security tab.
  - Select the ... icon, then Refresh SSL.
  - Confirm by clicking Refresh.
Your certificate can now be used when configuring TLS and AMS for your queue manager.
Using certificates for AMS
TLS is configured for the queue manager by default. For details on how to use certificates for AMS, see Enabling queue manager Advanced Message Security (AMS).