Requirements for personal certificates
IBM MQ supports digital certificates that comply with the X.509 standard. It requires the client authentication option.
Because IBM MQ is a peer to peer system, it is viewed as client authentication in SSL/TLS terminology. Therefore, any personal certificate used for SSL/TLS authentication needs to allow a key usage of client authentication. Not all server certificates have this option enabled, so the certificate provider might need to enable client authentication on the root CA for the secure certificate.
In addition to the standards which specify the data format for a digital certificate, there are also standards for determining whether a certificate is valid. These standards have been updated over time in order to prevent certain types of security breach. For example, older X.509 version 1 and 2 certificates did not indicate whether the certificate could be legitimately used to sign other certificates. It was therefore possible for a malicious user to obtain a personal certificate from a legitimate source and create new certificates designed to impersonate other users.
When using X.509 version 3 certificates, the BasicConstraints and KeyUsage certificate extensions are used to specify which certificates can legitimately sign other certificates. The IETF RFC 5280 standard specifies a series of certificate validation rules which compliant application software must implement in order to prevent impersonation attacks. A set of certificate rules is known as a certificate validation policy.
For more information about certificate validation policies in IBM MQ, see Certificate validation policies in IBM MQ.