Requesting a personal certificate for your PKCS #11 hardware
Use this procedure for either a queue manager or an IBM MQ
MQI client to request a personal certificate for your
cryptographic hardware.
Use the iKeyman user interface
About this task
Note:
IBM MQ does not support SHA-3 or SHA-5 algorithms. You
can use the digital signature algorithm names SHA384WithRSA and SHA512WithRSA because both
algorithms are members of the SHA-2 family. The digital signature algorithm names SHA3WithRSA and
SHA5WithRSA are deprecated: they are only abbreviated forms of SHA384WithRSA and SHA512WithRSA
respectively (not SHA-3, and there is no SHA-5 standard), and the abbreviation is easily misread. Use
the full names.
Procedure
To request a personal certificate from the iKeyman user interface, complete the
following steps:
-
Complete the steps to work with your cryptographic hardware. See Managing certificates on PKCS #11 hardware.
-
From the Create menu, click New Certificate
Request.
The Create New Key and Certificate Request window opens.
-
In the Key Label field, enter the certificate label.
The label is either the value of the CERTLABL attribute, if it is set, or
the default ibmwebspheremq with the name of the queue manager or IBM MQ MQI client logon user ID appended, all in lowercase (for example, ibmwebspheremqqm1 for queue manager QM1). See
Digital certificate labels for details.
-
Enter values for Common Name and Organization,
and select a Country. For the remaining optional fields, either accept the
default values, or type or select new values.
Note that you can supply only one name in the Organizational Unit
field. For more information about these fields, see Distinguished Names.
-
In the Enter the name of a file in which to store the certificate
request field, either accept the default certreq.arm, or type a new
value with a full path.
-
Click OK.
A confirmation window opens.
-
Click OK.
The Personal Certificate Requests list shows the label of the new
personal certificate request you created. The certificate request is stored in the file you chose in
step 5.
-
Request the new personal certificate either by sending the file to a certificate authority
(CA), or by copying the file into the request form on the website for the CA.
Use the command line
Procedure
Request a personal certificate by using either the runmqckm (iKeycmd) or
runmqakm (GSKCapiCmd) command.
- Use runmqckm:
runmqckm -certreq -create -db filename -pw password -label label -dn distinguished_name -size key_size -file filename -sig_alg algorithm
Instead of -dn distinguished_name, you can use -san_dnsname DNS_names, -san_emailaddr email_addresses, or -san_ipaddr IP_addresses.
- Use runmqakm:
runmqakm -certreq -create -db filename -pw password -label label -dn distinguished_name -size key_size -file filename -fips -sig_alg algorithm
where:
- -db filename
- Specifies the fully qualified file name of a CMS key database.
- -pw password
- Specifies the password for the CMS key database. A password given on the command line is
visible to other users in the process list while the command runs and is recorded in shell history;
on a shared system, let runmqakm read the password from the key database's stash file instead
(-stashed in place of -pw password).
- -label label
- Specifies the key label attached to the certificate. The label is either the value of the
CERTLABL attribute, if it is set, or the default
ibmwebspheremq with the name of the queue manager or the IBM MQ MQI client logon user ID appended, all in lowercase. See
Digital certificate labels, understanding the requirements
for details.
- -dn distinguished_name
- Specifies the X.500 distinguished name enclosed in double quotation marks. At least one
attribute is required. You can supply multiple OU and DC attributes. Note: The
runmqckm and runmqakm tools refer to the postal code attribute
as POSTALCODE, not PC. Always specify POSTALCODE
in the -dn parameter when you use these certificate management commands to
request certificates with a postal code.
- -size key_size
- Specifies the key size. If you are using runmqckm, the value can be
512 or 1024. If you are using runmqakm, the
value can be 512, 1024, or 2048. Request 2048 wherever the tool allows it: 512-bit RSA keys can be
factored with modest resources, and 1024-bit keys are below the minimum that current CAs and TLS
peers accept, so a request for a smaller key is likely to be refused.
- -file filename
- Specifies the file name for the certificate request.
- -fips
- Specifies that the command is run in FIPS mode. When in FIPS mode, the ICC component uses
algorithms that are FIPS 140-2 validated. If the ICC component does not initialize in FIPS mode, the
runmqakm command fails.
- -sig_alg
- For runmqckm, specifies the asymmetric signature algorithm used for the
creation of the entry's key pair. The value can be MD2_WITH_RSA,
MD2WithRSA, MD5_WITH_RSA, MD5WithRSA,
SHA1WithDSA, SHA1WithRSA, SHA256_WITH_RSA,
SHA256WithRSA, SHA2WithRSA, SHA384_WITH_RSA,
SHA384WithRSA, SHA512_WITH_RSA, SHA512WithRSA,
SHA_WITH_DSA, SHA_WITH_RSA, SHAWithDSA, or
SHAWithRSA. The default value is SHA1WithRSA.
- -sig_alg
- For runmqakm, specifies the hashing algorithm used during the creation of a
certificate request. This hashing algorithm is used to create the signature associated with the
newly created certificate request. The value can be md5,
MD5_WITH_RSA, MD5WithRSA, SHA_WITH_DSA,
SHA_WITH_RSA, sha1, SHA1WithDSA,
SHA1WithECDSA, SHA1WithRSA, sha224,
SHA224_WITH_RSA, SHA224WithDSA, SHA224WithECDSA,
SHA224WithRSA, sha256, SHA256_WITH_RSA,
SHA256WithDSA, SHA256WithECDSA, SHA256WithRSA,
SHA2WithRSA, sha384, SHA384_WITH_RSA,
SHA384WithECDSA, SHA384WithRSA, sha512,
SHA512_WITH_RSA, SHA512WithECDSA, SHA512WithRSA,
SHAWithDSA, SHAWithRSA, EC_ecdsa_with_SHA1,
EC_ecdsa_with_SHA224, EC_ecdsa_with_SHA256,
EC_ecdsa_with_SHA384, or EC_ecdsa_with_SHA512. The default value
is SHA1WithRSA. For either tool, this algorithm signs only the request itself; the CA chooses the
algorithm for the certificate it issues. Even so, the MD2, MD5 and SHA-1 names are listed for
compatibility only, and many CAs now reject requests signed with them, so specify SHA256WithRSA or
stronger explicitly rather than relying on the default.
- -san_dnsname DNS_names
- Specifies a comma-delimited or space-delimited list of DNS names for the entry being created.
- -san_emailaddr email_addresses
- Specifies a comma-delimited or space-delimited list of email addresses for the entry being
created.
- -san_ipaddr IP_addresses
- Specifies a comma-delimited or space-delimited list of IP addresses for the entry being created.
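The procedure above (both the iKeyman steps and the command-line form) worked as a small POSIX shell script. This is an added example and not code from the IBM MQ documentation: the queue manager name QM1, the paths under /var/mqm and the host name mq.example.com are constructed values, and the use of -stashed instead of -pw and of -san_dnsname together with -dn are assumptions about your GSKit level that you should verify on your system. Rather than run runmqakm itself, the script prints the command for review, and it checks the request file with openssl before you send it to the CA, so that a request for a weak key or a SHA-1 signature is caught before submission.

```shell
#!/bin/sh
# Added example (not part of the IBM MQ documentation): helper functions that
# assemble a runmqakm certificate request command from the parameters in the
# procedure and then sanity-check the CSR it writes. Queue manager name, paths
# and the SAN are constructed values for illustration.

# Default certificate label: "ibmwebspheremq" followed by the queue manager
# name (or the MQI client logon user ID) in lowercase. If the queue manager's
# CERTLABL attribute is set, pass that value to mq_certreq_cmd instead.
mq_default_label() {
    printf 'ibmwebspheremq%s' "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')"
}

# Build the -dn string. Note the attribute name POSTALCODE: these tools do not
# accept the PC abbreviation. $1 common name, $2 organization, $3 country,
# $4 optional postal code.
mq_dn() {
    dn="CN=$1,O=$2,C=$3"
    if [ -n "${4:-}" ]; then
        dn="$dn,POSTALCODE=$4"
    fi
    printf '%s' "$dn"
}

# Print the runmqakm command line for review. Key size and signature algorithm
# are pinned to 2048-bit RSA and SHA256WithRSA rather than the tool defaults
# (1024 bits, SHA1WithRSA), which current CAs and TLS peers reject. The
# password is read from the key database's stash file (-stashed, assumed to be
# available at your GSKit level) so that it does not appear in the process
# list as it would with -pw.
# $1 key database (.kdb), $2 label, $3 distinguished name, $4 request file,
# $5 optional comma-separated SAN DNS names, $6 "fips" to add -fips.
mq_certreq_cmd() {
    cmd="runmqakm -certreq -create -db '$1' -stashed -label '$2' -dn '$3'"
    cmd="$cmd -size 2048 -sig_alg SHA256WithRSA -file '$4'"
    if [ -n "${5:-}" ]; then
        cmd="$cmd -san_dnsname '$5'"   # assumes SANs are accepted alongside -dn
    fi
    if [ "${6:-}" = fips ]; then
        cmd="$cmd -fips"
    fi
    printf '%s\n' "$cmd"
}

# Check "openssl req -noout -text" output read from stdin: an RSA key of at
# least 2048 bits (or an EC key of at least 256 bits) and a SHA-2 signature.
# Returns 0 if the request passes, 1 with a message on stderr if not.
mq_check_csr_text() {
    txt=$(cat)
    alg=$(printf '%s\n' "$txt" | sed -n 's/.*Public Key Algorithm: *\(.*\)/\1/p' | head -n 1)
    bits=$(printf '%s\n' "$txt" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    sig=$(printf '%s\n' "$txt" | sed -n 's/.*Signature Algorithm: *\(.*\)/\1/p' | head -n 1)
    min=2048
    case "$alg" in
        id-ecPublicKey) min=256 ;;
    esac
    if [ "${bits:-0}" -lt "$min" ]; then
        echo "CSR rejected: ${bits:-unknown}-bit $alg key, minimum is $min" >&2
        return 1
    fi
    case "$sig" in
        sha256*|sha384*|sha512*|ecdsa-with-SHA256|ecdsa-with-SHA384|ecdsa-with-SHA512) ;;
        *)
            echo "CSR rejected: signature algorithm '$sig' is not SHA-2" >&2
            return 1 ;;
    esac
    return 0
}

# Wrapper for a request file on disk (runmqakm writes the request in Base64
# PEM form, which openssl req reads).
mq_check_csr() {
    openssl req -in "$1" -noout -text | mq_check_csr_text
}

# Dry run with constructed values: print the command for queue manager QM1.
label=$(mq_default_label QM1)                       # ibmwebspheremqqm1
dn=$(mq_dn mq.example.com 'Example Ltd' GB)
mq_certreq_cmd /var/mqm/qmgrs/QM1/ssl/key.kdb "$label" "$dn" \
    /var/mqm/qmgrs/QM1/ssl/certreq.arm mq.example.com fips
# After running the printed command: mq_check_csr /var/mqm/qmgrs/QM1/ssl/certreq.arm
```

Run the printed command as the mqm user, then call mq_check_csr on the .arm file before sending it to the CA; a non-zero return means the request should be regenerated with the correct -size or -sig_alg rather than submitted.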
What to do next
Submit a certificate request to a CA. See Receiving personal certificates into a key repository on UNIX, Linux, and Windows for further information.