[AIX, Linux, Windows][MQ 9.4.0 Jun 2024][MQ 9.4.0 Jun 2024]

runmqktool (manage keys, certificates, and certificate requests)

Use the runmqktool command to manage keys, certificates, and certificate requests in key repositories that IBM® MQ uses. runmqktool provides the same functions as the Java keytool certificate management utility.

The runmqktool command supports the following key repository file formats:
  • PKCS #12
  • JKS
  • JCEKS
The runmqakm command supports other key repository formats. For more information, see runmqakm -keydb (manage key repositories).

From IBM MQ 9.4.0, this command replaces the runmqckm command that is used to manage certificates in earlier versions of IBM MQ.

The runmqktool command requires that the IBM MQ Java runtime environment (JRE) component is installed.

Usage notes

The runmqktool command calls the keytool certificate management utility in the Java runtime environment that is supplied with IBM MQ.

For more information about the keytool command and its usage:
Note: Due to a restriction in the IBM Java 8 keytool command, runmqktool cannot import certificates in printable encoding format (also known as Base64 encoding) as defined by the Internet RFC 1421 if the file contains comments. To import a certificate in printable encoding format, remove all comments from the file. The file must begin with a string that starts with "-----BEGIN", and end with a string that starts with "-----END".

Syntax

Read syntax diagramSkip visual syntax diagram runmqktool-certreq-changealias-delete-exportcert-genkeypair-importcert-importkeystore-keypasswd-list-storepasswdoptions

Parameters

-certreq
Create a request for a signed certificate to be sent to a certificate authority (CA). You must first create a key pair by using the -genkeypair command.
-changealias
Change the label that is associated with an entry in the key repository.
-delete
Delete an entry from the key repository.
-exportcert
Extract the public part of a certificate from the key repository.
-genkeypair
Create a public key and private key pair, and an associated self-signed certificate.
-importcert
Add a certificate to the key repository. Use this command to complete one of the following actions:
  • Add a certificate to the key repository as a trusted certificate.
  • Receive a certificate that is signed by a certificate authority (CA) into the key repository.
-importkeystore
Import certificates and their associated private keys into the key repository from another key repository.
-keypasswd
Change the password that protects a private key in the key repository.
-list
List the contents of the key repository.
-storepasswd
Change the key repository password.
options
The parameters that are required for the specified command.

All commands and options that are specified are passed unchanged to the Java keytool certificate management utility. For more information about the commands and options that can be specified, see Keytool.

Return codes

Table 1. Return code identifiers and descriptions
Return code Description
0 Command successful.
>0 Command not successful.