Importing a personal certificate to your PKCS #11 hardware

Use this procedure for either a queue manager or an IBM MQ MQI client to import a personal certificate to your cryptographic hardware.


Use iKeyman

Procedure

To import a personal certificate using the iKeyman user interface, complete the following steps:

  1. Complete the steps to work with your cryptographic hardware. See Managing certificates on PKCS #11 hardware.
  2. Click Receive. The Receive Certificate from a File window opens.
  3. Select the Data type of the new personal certificate; for example, Base64-encoded ASCII data for a file with the .arm extension.
  4. Type the certificate file name and location for the new personal certificate, or click Browse to select the name and location.
  5. Click OK. If you already have a personal certificate in your key database, a window opens asking whether you want to set the key you are adding as the default key in the database.
  6. Click Yes or No. The Enter a Label window opens.
  7. Enter the certificate label. The label is either the value of the CERTLABL attribute, if it is set, or the default ibmwebspheremq with the name of the queue manager or IBM MQ MQI client logon user ID appended, all in lowercase. See Digital certificate labels for details.
  8. Click OK. The Personal Certificates list shows the label of the new personal certificate you added. This label is formed by adding the cryptographic token label before the label you supplied.


Use the command line

Procedure

To import a personal certificate from a command line, complete the following steps:

  1. Open a command window that is configured for your environment.
  2. Enter the appropriate command for your operating system and configuration:

    • On Windows, UNIX and Linux systems, use one of the following commands:
        runmqckm -cert -receive -file filename -crypto path -tokenlabel hardware_token -pw hardware_password -format cert_format

        runmqakm -cert -receive -file filename -crypto path -tokenlabel hardware_token -pw hardware_password -format cert_format -fips

    where:

      -file filename
      Specifies the fully qualified file name of the file containing the personal certificate.
      -crypto path
      Specifies the fully qualified path to the PKCS #11 library supplied with the hardware.
      -tokenlabel hardware_token
      Specifies the label given to the storage part of the cryptographic hardware during installation.
      -pw hardware_password
      Specifies the password for access to the hardware. Because it is passed as a command-line argument, the password is visible to other users of the system in the process list while the command runs, so do not leave it in shell history or scripts.
      -format cert_format
      Specifies the format of the certificate. The value can be ascii for Base64-encoded ASCII data or binary for binary DER data. The default is ascii. The value must match the contents of the file; an .arm file is normally Base64-encoded.
      -fips
      Specifies that the command is run in FIPS mode (runmqakm only). When in FIPS mode, the ICC component uses algorithms that are FIPS 140-2 validated. If the ICC component does not initialize in FIPS mode, the runmqakm command fails.