Commands for CMS or PKCS #12 key databases

You can use the runmqckm and runmqakm commands to manage keys and certificates for a CMS key database or PKCS #12 key database.

Note: IBM® MQ does not support SHA-3 or SHA-5 algorithms. You can use the digital signature algorithm names SHA384WithRSA and SHA512WithRSA because both algorithms are members of the SHA-2 family.

The digital signature algorithm names SHA3WithRSA and SHA5WithRSA are deprecated because they are abbreviated forms of SHA384WithRSA and SHA512WithRSA respectively.

-keydb -changepw
Change the password for a key database:

-keydb -changepw -db filename -pw password 
-new_pw new_password -expire days
-keydb -convert
Convert the key database from one format to another:

-keydb -convert -db filename -pw password
-old_format cms | pkcs12 -new_format cms
-keydb -create
Create a key database:

-keydb -create -db filename -pw password 
-type cms | pkcs12
-keydb -delete
Delete a key database:

-keydb -delete -db filename -pw password
-keydb -list
List currently supported types of key database:

-keydb -list
-cert -add
Add a certificate from a file into a key database:

-cert -add -db filename -pw password -label label
-file filename -format ascii | binary
-cert -create
Create a self-signed certificate:

-cert -create -db filename -pw password -label label
    -dn distinguished_name
    -size 1024 | 512 -x509version 3 | 1 | 2
    -expire days
    -sig_alg MD2_WITH_RSA | MD2WithRSA | 
             MD5_WITH_RSA | MD5WithRSA | 
             SHA1WithDSA | SHA1WithRSA |
             SHA256_WITH_RSA | SHA256WithRSA | 
             SHA2WithRSA | SHA384_WITH_RSA | 
             SHA384WithRSA |  SHA512_WITH_RSA |
             SHA512WithRSA | SHA_WITH_DSA  |
             SHA_WITH_RSA | SHAWithDSA | SHAWithRSA
-cert -delete
Delete a certificate:

-cert -delete -db filename -pw password -label label
-cert -details
List the detailed information for a specific certificate:

-cert -details -db filename -pw password -label label
-cert -export
Export a personal certificate and its associated private key from a key database into a PKCS #12 file, or to another key database:

-cert -export -db filename -pw password -label label
    -type cms | pkcs12
    -target filename -target_pw password
    -target_type cms | pkcs12
-cert -extract
Extract a certificate from a key database:

-cert -extract -db filename -pw password -label label
    -target filename
    -format ascii | binary
-cert -import
Import a personal certificate from a key database:

-cert -import -file filename -pw password -type pkcs12
    -target filename -target_pw password
    -target_type cms -label label

The -label option is required and specifies the label of the certificate that is to be imported from the source key database.

The -new_label option is optional; it gives the imported certificate a different label in the target key database from its label in the source database.

-cert -list
List all certificates in a key database:

-cert -list all | personal | CA
    -db filename -pw password
-cert -receive
Receive a certificate from a file:

-cert -receive -file filename -db filename -pw password
    -format ascii | binary -default_cert yes | no
-cert -sign
Sign a certificate:

-cert -sign -db filename -file filename -pw password
   -label label -target filename
   -format ascii | binary -expire days
   -sig_alg MD2_WITH_RSA | MD2WithRSA | MD5_WITH_RSA |
            MD5WithRSA | SHA1WithDSA | SHA1WithRSA |
            SHA256_WITH_RSA | SHA256WithRSA | 
            SHA2WithRSA | SHA384_WITH_RSA | 
            SHA384WithRSA |  SHA512_WITH_RSA |
            SHA512WithRSA | SHA_WITH_DSA  |
            SHA_WITH_RSA | SHAWithDSA |
            SHAWithRSA
-certreq -create
Create a certificate request:

-certreq -create -db filename -pw password
    -label label -dn distinguished_name
    -size 1024 | 512 -file filename
    -sig_alg MD2_WITH_RSA | MD2WithRSA | 
             MD5_WITH_RSA | MD5WithRSA | 
             SHA1WithDSA | SHA1WithRSA |
             SHA256_WITH_RSA | SHA256WithRSA | 
             SHA2WithRSA | SHA384_WITH_RSA | 
             SHA384WithRSA | SHA512_WITH_RSA |
             SHA512WithRSA | SHA_WITH_DSA |
             SHA_WITH_RSA | SHAWithDSA |
             SHAWithRSA
-certreq -delete
Delete a certificate request:

-certreq -delete -db filename -pw password -label label
-certreq -details
List the detailed information of a specific certificate request:

-certreq -details -db filename -pw password -label label

List the detailed information about a certificate request and show the full certificate request:

-certreq -details -showOID -db filename
    -pw password -label label
-certreq -extract
Extract a certificate request from a certificate request database into a file:

-certreq -extract -db filename -pw password
     -label label -target filename
-certreq -list
List all certificate requests in the certificate request database:

-certreq -list -db filename -pw password
-certreq -recreate
Re-create a certificate request:

-certreq -recreate -db filename -pw password
    -label label -target filename
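
An added example (not IBM code) that ties the note on signature algorithm names to the -certreq -create syntax: a POSIX shell wrapper that rewrites the deprecated SHA3WithRSA and SHA5WithRSA names, passes the names that spell out a SHA-2 digest size through, and refuses the rest. The refusal policy, the function names and the MQ_KEYTOOL variable are assumptions of this example; -size is not passed.

```shell
#!/bin/sh
# Added example, not IBM code. MQ_KEYTOOL is a variable of this script only.

# Print the -sig_alg name to pass on. Exit status: 0 accepted,
# 1 refused by this script's policy, 2 not a name that appears on this page.
vet_sig_alg() {
    case "$1" in
        # Deprecated abbreviations: rewrite to the full SHA-2 names.
        SHA3WithRSA) echo SHA384WithRSA ;;
        SHA5WithRSA) echo SHA512WithRSA ;;
        # Names that spell out a SHA-2 digest size: pass through unchanged.
        SHA256WithRSA|SHA256_WITH_RSA|SHA384WithRSA|SHA384_WITH_RSA|\
        SHA512WithRSA|SHA512_WITH_RSA) echo "$1" ;;
        # Policy assumption: refuse MD2, MD5 and SHA-1 signatures, and the
        # listed names that do not state a digest size.
        MD2WithRSA|MD2_WITH_RSA|MD5WithRSA|MD5_WITH_RSA|\
        SHA1WithDSA|SHA1WithRSA|SHA2WithRSA|\
        SHAWithDSA|SHA_WITH_DSA|SHAWithRSA|SHA_WITH_RSA) return 1 ;;
        *) return 2 ;;
    esac
}

# Usage: certreq_create db password label dn request_file sig_alg
# Runs -certreq -create with a vetted -sig_alg; -size is not passed.
certreq_create() {
    alg=$(vet_sig_alg "$6") || {
        rc=$?
        echo "refusing -sig_alg '$6' (status $rc)" >&2
        return "$rc"
    }
    "${MQ_KEYTOOL:-runmqakm}" -certreq -create -db "$1" -pw "$2" \
        -label "$3" -dn "$4" -file "$5" -sig_alg "$alg"
}
```

Setting MQ_KEYTOOL=runmqckm sends the same arguments to the other tool.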