Obtaining personal certificates
You apply to a Certification Authority for the personal certificate that is used to verify the identity of the queue manager or WebSphere MQ client. You can also create self-signed certificates for testing SSL on the UNIX system.
This section tells you how to use iKeyman for creating a self-signed personal certificate and for requesting a personal certificate from a CA.
Creating a self-signed personal certificate
The CA certificates that are provided when you install SSL are signed by the issuing CA. No self-signed personal certificates are provided at installation, but they are useful when testing SSL communications on the system. Use the following procedure to obtain a self-signed certificate for the queue manager or WebSphere MQ client:
- Execute the gsk6ikm command to start the iKeyman GUI.
- From the Key Database File menu, click Open. The Open window displays.
- Click Key database type and select CMS (Certificate Management System).
- Click Browse to navigate to the directory that contains the key database files.
- Select the key database file in which you want to save the certificate, for example key.kdb.
- Click Open. The Password Prompt window displays.
- Type the password you set when you created the key database and click OK. The name of the key database file displays in the File Name field.
- From the Create menu, click New Self-Signed Certificate. The Create New Self-Signed Certificate window displays.
- In the Key Label field, type:
  - For a queue manager, ibmwebspheremq followed by the name of the queue manager folded to lower case. For example, for PARIS, ibmwebspheremqparis, or
  - For a WebSphere MQ client, ibmwebspheremq followed by the logon user ID folded to lower case, for example ibmwebspheremqmyuserid.
- Type a Common Name and Organization, and select a Country. For the remaining optional fields, either accept the default values, or type or select new values. Note that you can supply only one name in the Organizational Unit field. For more information about these fields, refer to Distinguished Names.
- Click OK. The Personal Certificates field shows the name of the self-signed personal certificate you created.
Use the following command to create a self-signed personal certificate using IKEYCMD:
gsk6cmd -cert -create -db filename -pw password -label label -dn distinguished_name -size key_size -x509version version -expire days

where:

- -db filename is the fully qualified path name of a CMS key database.
- -pw password is the password for the CMS key database.
- -label label is the label attached to the certificate.
- -dn distinguished_name is the X.500 distinguished name enclosed in double quotes. Note that only the CN, O, and C attributes are required, and that you can supply only one OU attribute.
- -size key_size is the key size. The value can be 512 or 1024.
- -x509version version is the version of X.509 certificate to create. The value can be 1, 2, or 3. The default is 3.
- -expire days is the expiration time in days of the certificate. The default is 365 days.
Requesting a personal certificate
To apply for a personal certificate, use the iKeyman tool as follows:
- Execute the gsk6ikm command to start the iKeyman GUI.
- From the Key Database File menu, click Open. The Open window displays.
- Click Key database type and select CMS (Certificate Management System).
- Click Browse to navigate to the directory that contains the key database files.
- Select the key database file from which you want to generate the request, for example key.kdb.
- Click Open. The Password Prompt window displays.
- Type the password you set when you created the key database and click OK. The name of the key database file displays in the File Name field.
- From the Create menu, click New Certificate Request. The Create New Key and Certificate Request window displays.
- In the Key Label field, type:
  - For a queue manager, ibmwebspheremq followed by the name of the queue manager folded to lower case. For example, for PARIS, ibmwebspheremqparis, or
  - For a WebSphere MQ client, ibmwebspheremq followed by the logon user ID folded to lower case, for example ibmwebspheremqmyuserid.
- Type a Common Name and Organization, and select a Country. For the remaining optional fields, either accept the default values, or type or select new values. Note that you can supply only one name in the Organizational Unit field. For more information about these fields, refer to Distinguished Names.
- In the Enter the name of a file in which to store the certificate request field, either accept the default certreq.arm, or type a new value with a full path.
- Click OK. A confirmation window displays.
- Click OK. The Personal Certificate Requests field shows the label of the new personal certificate request you created. The certificate request is stored in the file you chose in step 11.
- Request the new personal certificate either by sending the file to a Certification Authority (CA), or by copying the file into the request form on the Web site for the CA.
Use the following command to request a personal certificate using IKEYCMD:
gsk6cmd -certreq -create -db filename -pw password -label label -dn distinguished_name -size key_size -file filename

where:

- -db filename is the fully qualified path name of a CMS key database.
- -pw password is the password for the CMS key database.
- -label label is the label attached to the certificate.
- -dn distinguished_name is the X.500 distinguished name enclosed in double quotes. Note that only the CN, O, and C attributes are required, and that you can supply only one OU attribute.
- -size key_size is the key size. The value can be 512 or 1024.
- -file filename is the filename for the certificate request.

If you are using cryptographic hardware, refer to Requesting a personal certificate for the PKCS #11 hardware.
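The following shell functions are an added example, not part of the IBM documentation or of the gsk6cmd tool. They derive the key label that WebSphere MQ expects for a queue manager or client, check a distinguished name against the rules stated above for both the -cert -create and -certreq -create commands (CN, O and C required, at most one OU, key size 512 or 1024), and assemble the IKEYCMD command line for review without running it. The key database path, password and DN values are constructed samples.

```shell
#!/bin/sh
# Added example: build and sanity-check gsk6cmd lines for WebSphere MQ.
# Nothing here invokes gsk6cmd; the command is printed so it can be reviewed.

# Key label: "ibmwebspheremq" followed by the queue manager name or the
# client logon user ID, folded to lower case.
mq_key_label() {
    printf 'ibmwebspheremq%s\n' "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')"
}

# Number of times attribute $2 (CN, O, OU, C) occurs in the comma-separated DN $1.
dn_attr_count() {
    printf '%s\n' "$1" | tr ',' '\n' | awk -v a="$2" '
        { sub(/^[ \t]+/, ""); if (toupper($0) ~ "^" a "=") n++ }
        END { print n + 0 }'
}

# Returns 0 when the DN meets the documented rules, 1 otherwise.
check_dn() {
    dn=$1
    for attr in CN O C; do
        [ "$(dn_attr_count "$dn" "$attr")" -ge 1 ] || { echo "DN is missing $attr" >&2; return 1; }
    done
    [ "$(dn_attr_count "$dn" OU)" -le 1 ] || { echo "only one OU attribute is allowed" >&2; return 1; }
    return 0
}

# Assemble the IKEYCMD line. $1 = cert (self-signed) or certreq (CA request),
# $2 = key database, $3 = password, $4 = label, $5 = DN, $6 = key size,
# $7 = request file (certreq only). Note that -pw puts the password on the
# command line, where other local users can see it in the process list.
gsk6cmd_line() {
    check_dn "$5" || return 1
    case $6 in 512|1024) ;; *) echo "key size must be 512 or 1024" >&2; return 1 ;; esac
    case $1 in
        cert)    printf 'gsk6cmd -cert -create -db %s -pw %s -label %s -dn "%s" -size %s -x509version 3 -expire 365\n' \
                        "$2" "$3" "$4" "$5" "$6" ;;
        certreq) printf 'gsk6cmd -certreq -create -db %s -pw %s -label %s -dn "%s" -size %s -file %s\n' \
                        "$2" "$3" "$4" "$5" "$6" "$7" ;;
        *)       echo "mode must be cert or certreq" >&2; return 1 ;;
    esac
}

# Constructed sample: self-signed certificate for queue manager PARIS.
LABEL=$(mq_key_label PARIS)
gsk6cmd_line cert /home/mqm/ssl/key.kdb samplepw "$LABEL" \
    "CN=PARIS,O=Example Corp,OU=Messaging,C=GB" 1024
```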
WebSphere is a trademark of the IBM Corporation in the United States, other countries, or both.
IBM is a trademark of the IBM Corporation in the United States, other countries, or both.