Adding default CA certificates into an empty key repository on UNIX, Linux, and Windows with GSKit Version 8.0

Follow this procedure to add one or more of the default CA certificates to an empty key repository with GSKit version 8.

In GSKit Version 7.0, creating a new key repository automatically added a set of default CA certificates for commonly used Certificate Authorities. In GSKit Version 8, this behavior has changed: CA certificates are no longer added automatically, and you must add the CA certificates you need to the key repository manually.


Use strmqikm

Perform the following steps on the machine on which you want to add the CA certificate:

  1. Start the GUI using the strmqikm command (on UNIX, Linux, and Windows).
  2. From the Key Database File menu, click Open. The Open window opens.
  3. Click Key database type and select CMS (Certificate Management System).
  4. Click Browse to navigate to the directory that contains the key database files.
  5. Select the key database file to which you want to add the certificate, for example key.kdb.
  6. Click Open. The Password Prompt window opens.
  7. Type the password you set when you created the key database and click OK. The name of your key database file displays in the File Name field.
  8. In the Key database content field, select Signer Certificates.
  9. Click Populate. The Add CA's Certificate window opens.
  10. The CA certificates that are available to be added to the repository are displayed in a hierarchical tree structure. Select the top-level entry for the organization whose CA certificates you want to trust to view the complete list of valid CA certificates.
  11. Select the CA certificates you want to trust from the list and click OK. The certificates are added to the key repository.


Use the command line

Use the following runmqckm commands to list the default CA certificates and then add the ones you need:

  • Issue the following command to list the default CA certificates along with the organizations that issue them:
    runmqckm -cert -listsigners

  • Issue the following command to add all of the CA certificates for the organization specified in the label field:
    runmqckm -cert -populate -db filename -pw password -label label

where:

-db filename is the fully qualified path name of the key database.
-pw password is the password for the key database.
-label label is the label attached to the certificate.
Note: Adding a CA certificate to a key repository results in IBM MQ trusting all personal certificates signed by that CA certificate. Consider carefully which Certificate Authorities you want to trust, and add only the set of CA certificates needed to authenticate your clients and managers. Adding the full set of default CA certificates is not recommended unless your security policy definitively requires it.
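The following script is an added example, not part of the IBM page or of IBM MQ: it wraps the runmqckm -cert -populate command from the command-line section so that a key database is populated for one explicitly chosen organization label, and then reports which signer labels the operation actually added, which is the record an administrator wants when deciding whether the trust just granted matches the security policy in the note above. It assumes that RUNMQCKM names the runmqckm binary (overridable so the functions can be exercised with a stand-in), that runmqckm -cert -list -db filename -pw password prints one certificate label per line after a short header, and that the key database password is kept in a file the caller protects (mode 0600); the helper names are hypothetical.

```shell
#!/bin/sh
# Added example (not IBM's code): populate a GSKit 8 key database for one
# organization label and report exactly which signer labels were added.
# Assumptions: RUNMQCKM names the runmqckm binary (overridable for testing);
# "runmqckm -cert -list -db <db> -pw <pw>" prints one label per line after a
# short header; the password lives in a file the caller keeps at mode 0600.
set -u
RUNMQCKM="${RUNMQCKM:-runmqckm}"
export LC_ALL=C   # stable sort order so comm(1) compares correctly

# List the labels in the key database in sorted order (hypothetical helper).
snapshot_labels() {
  "$RUNMQCKM" -cert -list -db "$1" -pw "$2" | sort
}

# Populate from one organization label, then print only the labels that are
# new. Header lines printed by -list are identical before and after, so they
# drop out of the comparison. Returns non-zero if populate itself fails.
populate_and_report() {
  db=$1 pwfile=$2 label=$3
  pw=$(cat "$pwfile")    # -pw is visible in process lists; keep the file tight
  before=$(mktemp) after=$(mktemp)
  snapshot_labels "$db" "$pw" > "$before"
  if ! "$RUNMQCKM" -cert -populate -db "$db" -pw "$pw" -label "$label"; then
    echo "populate failed for label '$label'" >&2
    rm -f "$before" "$after"
    return 1
  fi
  snapshot_labels "$db" "$pw" > "$after"
  comm -13 "$before" "$after"   # lines only in 'after' = newly trusted signers
  rm -f "$before" "$after"
}

# Usage: sh populate_ca.sh key.kdb /path/to/pwfile "<organization label>"
if [ $# -ge 3 ]; then
  populate_and_report "$1" "$2" "$3"
fi
```

Review the printed labels against the set of CAs your policy actually requires before the queue manager is restarted to pick up the new trust.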