Create a self-signed personal certificate


When you create a key database, no personal certificates are provided. However, we need a personal certificate before we can run an SSL channel. A self-signed personal certificate can be used to run SSL channels for the purposes of testing SSL communications. These certificates can be created on either a WebSphere MQ queue manager or WebSphere MQ client system.

Use the following procedure to obtain a self-signed certificate for your queue manager or WebSphere MQ client:

  1. Start the iKeyman GUI using either the gsk7ikm command (on UNIX) or the strmqikm command (on Windows).

  2. From the Key Database File menu, click Open. The Open window displays.

  3. Click Key database type and select CMS (Certificate Management System).

  4. Click Browse to navigate to the directory that contains the key database files.

  5. Select the key database file in which you want to save the certificate, for example key.kdb.

  6. Click Open. The Password Prompt window displays.

  7. Type the password you set when you created the key database and click OK. The name of your key database file displays in the File Name field.

  8. From the Create menu, click New Self-Signed Certificate. The Create New Self-Signed Certificate window displays.

  9. In the Key Label field, type:

    • For a queue manager, ibmwebspheremq followed by the name of your queue manager folded to lower case, for example ibmwebspheremqqm1 for QM1.

    • For a WebSphere MQ client, ibmwebspheremq followed by your logon user ID folded to lower case, for example ibmwebspheremqmyuserid.

  10. Type a Common Name and Organization, and select a Country. For the remaining optional fields, either accept the default values, or type or select new values. Note that we can supply only one name in the Organizational Unit field. For more information about these fields, refer to Distinguished Names.

  11. Click OK. The Personal Certificates list shows the label of the self-signed personal certificate you created.

Use the following commands to create a self-signed personal certificate using IKEYCMD or GSKCapiCmd:

where:

-db filename is the fully qualified file name of a CMS key database.
-pw password is the password for the CMS key database.
-label label is the key label attached to the certificate.
-dn distinguished_name is the X.500 distinguished name enclosed in double quotes. Note that only the CN attribute is required. We can supply multiple OU attributes.
-size key_size is the key size. For IKEYCMD, the value can be 512 or 1024. For GSKCapiCmd, the value can be 512, 1024, or 2048.
-x509version version is the version of X.509 certificate to create. The value can be 1, 2, or 3. The default is 3.
-expire days is the expiration time in days of the certificate. The default is 365 days.
-fips specifies that the command is run in FIPS mode. This mode disables the use of the BSafe cryptographic library. Only the ICC component is used and this component must be successfully initialized in FIPS mode. When in FIPS mode, the ICC component uses algorithms that have been FIPS 140-2 validated. If the ICC component does not initialize in FIPS mode, the gsk7capicmd command fails.
-sigalg specifies the hashing algorithm used during the creation of a certificate request, a self-signed certificate, or the signing of a certificate. This hashing algorithm is used to create the signature associated with the newly created self-signed certificate. The value can be md5, sha1, sha224, sha256, sha384, or sha512. The default is sha1.
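The following shell script is added here as an example and is not taken from the WebSphere MQ documentation: it drives the GSKCapiCmd -cert -create command with the parameters described above and derives the key label the way step 9 prescribes. It assumes the CMS key database and its password already exist, and it chooses sha256 with a 2048-bit key instead of the sha1 and 1024-bit defaults, which is why it uses GSKCapiCmd (gsk7capicmd) rather than IKEYCMD.

```shell
#!/bin/sh
# Added example, not taken from the WebSphere MQ documentation: drive the
# GSKCapiCmd "-cert -create" command with the parameters described above.
# Assumptions: the CMS key database and its password already exist, and
# gsk7capicmd is on the PATH when the command is really run.

# Key label as the procedure prescribes: "ibmwebspheremq" followed by the
# queue manager name (or the client's logon user ID) folded to lower case.
mq_key_label() {
    printf 'ibmwebspheremq%s' "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')"
}

# Create the self-signed certificate.
# $1 tool to invoke ("gsk7capicmd" to run it, "echo" to print the arguments)
# $2 key database, $3 password, $4 queue manager name,
# $5 common name, $6 organization, $7 two-letter country code
# The documented defaults are sha1 and, for IKEYCMD, at most a 1024-bit key;
# sha256 with a 2048-bit key is chosen here, which needs GSKCapiCmd, not IKEYCMD.
# -fips restricts the tool to FIPS 140-2 validated algorithms and makes the
# command fail rather than fall back if the ICC component cannot start in FIPS mode.
selfsigned_cert() {
    tool=$1; db=$2; pw=$3; qm=$4; cn=$5; org=$6; country=$7
    "$tool" -cert -create -db "$db" -pw "$pw" -label "$(mq_key_label "$qm")" \
        -dn "CN=$cn,O=$org,C=$country" -size 2048 -x509version 3 \
        -expire 365 -sigalg sha256 -fips
}

# Show the stored certificate so label, DN, key size and signature algorithm
# can be checked before the key database is used for an SSL channel.
show_cert() {
    tool=$1; db=$2; pw=$3; qm=$4
    "$tool" -cert -details -db "$db" -pw "$pw" -label "$(mq_key_label "$qm")"
}

# Usage: print the arguments when the tool is missing, otherwise run it.
if command -v gsk7capicmd >/dev/null 2>&1; then tool=gsk7capicmd; else tool=echo; fi
selfsigned_cert "$tool" key.kdb "${KDB_PASSWORD:-changeit}" QM1 QM1 Example GB
show_cert "$tool" key.kdb "${KDB_PASSWORD:-changeit}" QM1
```

The password is still passed with -pw and so is visible in process listings while the command runs, so supply KDB_PASSWORD from a protected source rather than typing it in a shared session.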
