Certificate requirements for AMS

Certificates must have an RSA public key in order to be used with Advanced Message Security.

For more information about different public key types and how to create them, see Digital certificates and CipherSpec compatibility in IBM MQ.

Key usage extensions

Key usage extensions place additional restrictions on the way a certificate can be used.

In Advanced Message Security, the key usage of X.509 v3 certificates must be set in accordance with the RFC 5280 specification.

For the quality of protection integrity, if certificate key usage extensions are set, the set must include at least one of the following:
  • nonRepudiation
  • digitalSignature

For the quality of protection privacy, if certificate key usage extensions are set, the set must include:
  • keyEncipherment

For the quality of protection confidentiality, if certificate key usage extensions are set, the set must include:
  • dataEncipherment

Extended key usage further refines key usage extensions. For all qualities of protection, if certificate extended key usage is set, the set must include:
  • emailProtection
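
The rules above can be checked before a certificate is deployed. The following is an added example, not IBM code: it applies the rules to the text printed by `openssl x509 -noout -text`. It assumes OpenSSL's long names for the usage bits and accepts only the `rsaEncryption` key type; the function names and the sample certificate excerpts are constructed for illustration.

```python
import re

# Key usage bits this page requires per quality of protection, written with
# the long names that `openssl x509 -noout -text` prints.
REQUIRED_KU = {
    "integrity": {"Digital Signature", "Non Repudiation"},  # at least one
    "privacy": {"Key Encipherment"},
    "confidentiality": {"Data Encipherment"},
}

def extension_values(text, name):
    """Values listed under an X509v3 extension, or None when it is absent."""
    m = re.search(r"X509v3 " + re.escape(name) + r":[^\n]*\n\s*([^\n]+)", text)
    return {v.strip() for v in m.group(1).split(",")} if m else None

def check_ams_cert(text, qop):
    """Return the list of AMS requirement violations for one certificate."""
    problems = []
    alg = re.search(r"Public Key Algorithm:\s*(\S+)", text)
    if not alg or alg.group(1) != "rsaEncryption":
        problems.append("public key is not RSA")
    ku = extension_values(text, "Key Usage")
    # An absent extension places no restriction; a present one must match.
    if ku is not None and not ku & REQUIRED_KU[qop]:
        problems.append(f"key usage lacks {' or '.join(sorted(REQUIRED_KU[qop]))}")
    eku = extension_values(text, "Extended Key Usage")
    if eku is not None and "E-mail Protection" not in eku:
        problems.append("extended key usage lacks E-mail Protection")
    return problems

# Constructed excerpts of `openssl x509 -noout -text` output (not real certificates).
TLS_CERT = """
            Public Key Algorithm: rsaEncryption
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
"""
EC_CERT_NO_EXT = """
            Public Key Algorithm: id-ecPublicKey
"""
AMS_CERT = """
            Public Key Algorithm: rsaEncryption
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
            X509v3 Extended Key Usage:
                E-mail Protection
"""

if __name__ == "__main__":
    for label, cert in [("tls", TLS_CERT), ("ec", EC_CERT_NO_EXT), ("ams", AMS_CERT)]:
        for qop in REQUIRED_KU:
            print(label, qop, check_ams_cert(cert, qop) or "ok")
```

A certificate issued for TLS typically passes the key usage check for integrity and privacy but fails on extended key usage, because the extension is present without emailProtection.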