Distributed

Requesting a personal certificate on UNIX, Linux, and Windows systems

You can request a personal certificate by using the strmqikm (iKeyman) GUI, or from the command line using the runmqckm or runmqakm commands. If you need to manage SSL or TLS certificates in a way that is FIPS-compliant, use the runmqakm command.

About this task

You can request a personal certificate using the iKeyman GUI, or from the command line, subject to the following considerations:

  • WebSphere® MQ does not support SHA-3 or SHA-5 algorithms. You can use the digital signature algorithm names SHA384WithRSA and SHA512WithRSA because both algorithms are members of the SHA-2 family.
  • The digital signature algorithm names SHA3WithRSA and SHA5WithRSA are deprecated because they are an abbreviated form of SHA384WithRSA and SHA512WithRSA respectively.
  • Not all digital certificates can be used with all CipherSpecs. Ensure that you request a certificate that is compatible with the CipherSpecs you need to use. WebSphere MQ supports three different types of CipherSpec. For details, see Interoperability of Elliptic Curve and RSA CipherSpecs in the Digital certificates and CipherSpec compatibility in IBM WebSphere MQ topic.
  • To use the Type 1 CipherSpecs (with names beginning ECDHE_ECDSA_) you must use the runmqakm command to request the certificate and you must specify an Elliptic Curve ECDSA signature algorithm parameter; for example, -sig_alg EC_ecdsa_with_SHA384.
  • Only the runmqakm command provides a FIPS-compliant option.
  • If you are using cryptographic hardware, see Requesting a personal certificate for your PKCS #11 hardware.

Using the iKeyman user interface

About this task

iKeyman does not provide a FIPS-compliant option. If you need to manage SSL or TLS certificates in a way that is FIPS-compliant, use the runmqakm command.

Procedure

Complete the following steps to apply for a personal certificate, by using the iKeyman user interface:

  1. Start the iKeyman user interface by using the strmqikm command.
  2. From the Key Database File menu, click Open.
    The Open window opens.
  3. Click Key database type and select CMS (Certificate Management System).
  4. Click Browse to navigate to the directory that contains the key database files.
  5. Select the key database file from which you want to generate the request; for example, key.kdb.
  6. Click Open.
    The Password Prompt window opens.
  7. Type the password you set when you created the key database and click OK.
    The name of your key database file is shown in the File Name field.
  8. From the Create menu, click New Certificate Request. The Create New Key and Certificate Request window opens.
  9. In the Key Label field, enter the following labels:
    • For a queue manager, enter ibmwebspheremq followed by the name of your queue manager changed to lowercase. For example, for a queue manager called QM1, enter ibmwebspheremqqm1.
    • For an IBM WebSphere MQ MQI client, enter ibmwebspheremq followed by your logon user ID, all in lowercase; for example, ibmwebspheremqmyuserid .
  10. Type or select a value for any field in the Distinguished name field, or any of the Subject alternative name fields. For the remaining fields, either accept the default values, or type or select new values.
    For more information about Distinguished Names, see Distinguished Names.
  11. In the Enter the name of a file in which to store the certificate request field, either accept the default certreq.arm, or type a new value with a full path.
  12. Click OK.
    A confirmation window is displayed.
  13. Click OK.
    The Personal Certificate Requests list shows the label of the new personal certificate request you created. The certificate request is stored in the file you chose in step 11.
  14. Request the new personal certificate either by sending the file to a certificate authority (CA), or by copying the file into the request form on the website for the CA.

Using the command line

Procedure

Use the following commands to request a personal certificate by using either the runmqckm or runmqakm command:
  • Using runmqckm: 
    
runmqckm -certreq -create -db filename -pw 
password -label label 
        -dn distinguished_name -size key_size
 -file filename -sig_alg algorithm

    Instead of -dn distinguished_name , you can use -san_dsname DNS_names , -san_emailaddr email_addresses , or -san_ipaddr IP_addresses .

  • Using runmqakm: 
    
runmqakm -certreq -create -db filename -pw 
password -label label 
        -dn distinguished_name -size key_size
 -file filename -fips
        -sig_alg algorithm
where:
-db filename
Specifies the fully qualified file name of a CMS key database.
-pw password
Specifies the password for the CMS key database.
-label label
Specifies the key label attached to the certificate.
-dn distinguished_name
Specifies the X.500 distinguished name enclosed in double quotation marks. At least one attribute is required. You can supply multiple OU and DC attributes.
-size key_size
Specifies the key size. If you are using runmqckm , the value can be 512 or 1024. If you are using runmqakm, the value can be 512, 1024, or 2048.
-file filename
Specifies the file name for the certificate request.
-fips
Specifies that the command is run in FIPS mode. This mode disables the use of the BSafe cryptographic library. Only the ICC component is used and this component must be successfully initialized in FIPS mode. When in FIPS mode, the ICC component uses algorithms that are FIPS 140-2 validated. If the ICC component does not initialize in FIPS mode, the runmqakm command fails.
-sig_alg
For runmqckm, specifies the asymmetric signature algorithm used for the creation of the entry's key pair. The value can be MD2_WITH_RSA, MD2WithRSA, MD5_WITH_RSA, MD5WithRSA, SHA1WithDSA , SHA1WithRSA, SHA256_WITH_RSA, SHA256WithRSA, SHA2WithRSA, SHA384_WITH_RSA , SHA384WithRSA, SHA512_WITH_RSA , SHA512WithRSA, SHA_WITH_DSA, SHA_WITH_RSA, SHAWithDSA, or SHAWithRSA . The default value is SHA1WithRSA
-sig_alg
For runmqakm, specifies the hashing algorithm used during the creation of a certificate request. This hashing algorithm is used to create the signature associated with the newly created certificate request. The value can be md5, MD5_WITH_RSA, MD5WithRSA, SHA_WITH_DSA , SHA_WITH_RSA, sha1, SHA1WithDSA , SHA1WithECDSA, SHA1WithRSA, sha224, SHA224_WITH_RSA, SHA224WithDSA , SHA224WithECDSA, SHA224WithRSA , sha256, SHA256_WITH_RSA, SHA256WithDSA, SHA256WithECDSA, SHA256WithRSA, SHA2WithRSA, sha384 , SHA384_WITH_RSA, SHA384WithECDSA , SHA384WithRSA, sha512, SHA512_WITH_RSA, SHA512WithECDSA, SHA512WithRSA, SHAWithDSA, SHAWithRSA , EC_ecdsa_with_SHA1, EC_ecdsa_with_SHA224 , EC_ecdsa_with_SHA256, EC_ecdsa_with_SHA384 , or EC_ecdsa_with_SHA512. The default value is SHA1WithRSA.
-san_dnsname DNS_names
Specifies a comma-delimited or space-delimited list of DNS names for the entry being created.
-san_emailaddr email_addresses
Specifies a comma-delimited or space-delimited list of email addresses for the entry being created.
-san_ipaddr IP_addresses
Specifies a comma-delimited or space-delimited list of IP addresses for the entry being created.