Adding default CA certificates into an empty key repository on UNIX, Linux, and Windows systems with GSKit version 8.0
Follow this procedure to add one or more of the default CA certificates to an empty key repository with GSKit version 8.
In GSKit version 7.0, the behaviour when creating a new key repository was to automatically add in a set of default CA certificates for commonly-used Certificate Authorities. For GSKit version 8, this behaviour has changed so that CA certificates are no longer automatically added to the repository. The user is now required to manually add CA certificates into the key repository.
Using iKeyman
Perform the following steps on the machine on which you want to add the CA certificate:
- Start the iKeyman GUI using the strmqikm command (on UNIX, Linux® and Windows systems).
- From the Key Database File menu, click Open. The Open window opens.
- Click Key database type and select CMS (Certificate Management System).
- Click Browse to navigate to the directory that contains the key database files.
- Select the key database file to which you want to add the certificate, for example key.kdb.
- Click Open. The Password Prompt window opens.
- Type the password you set when you created the key database and click OK. The name of your key database file displays in the File Name field.
- In the Key database content field, select Signer Certificates.
- Click Populate. The Add CA's Certificate window opens.
- The CA certificates that are available to be added to the repository are displayed in a hierarchical tree structure. Select the top level entry for the organization whose CA certificates you wish to trust to view the complete list of valid CA certificates.
- Select the CA certificates you wish to trust from the list and click OK. The certificates are added to the key repository.
Using the command line
Use the following commands to list, then add CA certificates using iKeycmd:
- Issue the following command to list the default CA certificates along with the organizations which issue them:
runmqckm -cert -listsigners
- Issue the following command to add all of the CA certificates for the organization specified in the label field:
runmqckm -cert -populate -db filename -pw password -label label
-db filename: the fully qualified path name of the key database.
-pw password: the password for the key database.
-label label: the label attached to the certificate.
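The two commands above add one organization's CA certificates per invocation. The following shell functions, added here as an example and not taken from the IBM documentation or from the MQ product, populate a key repository from an explicit allow-list of labels and then check that each label is present; they assume runmqckm is on PATH and the key database already exists, and the "-cert -list" verification command is from runmqckm's own usage rather than this page.

```shell
#!/bin/sh
# Added example, not from the IBM page: populate a CMS key repository with an
# explicit allow-list of default CA organizations, one runmqckm call per label,
# then check that every label shows up when the repository is listed.
# Assumptions: runmqckm is on PATH and the key database already exists; the
# "-cert -list" verification command comes from runmqckm's usage, not this page.

# runmqckm -cert -populate takes a single -label, so loop over the allow-list.
# Refuses to run with an empty list rather than silently adding nothing.
populate_trusted_cas() {
    db="$1"; pw="$2"; shift 2
    if [ "$#" -eq 0 ]; then
        echo "populate_trusted_cas: no CA labels given, nothing added" >&2
        return 2
    fi
    for label in "$@"; do
        runmqckm -cert -populate -db "$db" -pw "$pw" -label "$label" || return 1
    done
}

# Report any allow-listed label that does not appear in the repository listing.
# Returns 0 when every label is present, 1 otherwise.
verify_trusted_cas() {
    db="$1"; pw="$2"; shift 2
    listing=$(runmqckm -cert -list -db "$db" -pw "$pw") || return 1
    missing=0
    for label in "$@"; do
        if ! printf '%s\n' "$listing" | grep -qF -- "$label"; then
            echo "missing signer: $label" >&2
            missing=1
        fi
    done
    return "$missing"
}

# Example use (constructed, placeholder values): take the real label strings
# from the output of "runmqckm -cert -listsigners".
# populate_trusted_cas /path/to/key.kdb "$KDB_PASSWORD" "EXAMPLE_CA_ORG" \
#   && verify_trusted_cas /path/to/key.kdb "$KDB_PASSWORD" "EXAMPLE_CA_ORG"
```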
Note: Adding a CA certificate to a key repository results in WebSphere® MQ trusting all personal certificates signed by that CA certificate. Consider carefully which Certificate Authorities you wish to trust and only add the set of CA certificates needed to authenticate your clients and managers. It is not recommended to add the full set of default CA certificates unless this is a definitive requirement for your security policy.