Scenario: Creating test certificates

In this scenario, we can create a self-signed certificate which we can use for testing MQIPT routes. This certificate can be used by an MQIPT route to identify itself to a remote peer.

Self-signed certificates can be useful in test scenarios where you must ensure SSL/TLS connectivity without paying a Certificate Authority (CA) for a certificate. However, you should not use self-signed certificates in production environments. If you need certificates for production usage, see Scenario: Creating a key-ring file.

Before you begin

• Before you start to use this scenario, make sure that we have completed the prerequisite tasks listed in Scenarios: Getting started with MQIPT.

About this task

We can either use the iKeyman command-line interface (CLI) or the iKeyman GUI to request the certificate. You should then include the resulting key-ring file in the SSLServerKeyRing or SSLClientKeyRing MQIPT route property, depending on whether the certificate is for use by inbound or outbound connections.

Procedure

Use one of the following methods to create test certificates:

• Use the iKeyman command-line interface (CLI)
  1. Create a new PKCS#12 file:

     mqiptKeycmd -keydb -create -db server_name.pfx -pw key_password -type key_type
     

     where:
     • -db specifies the file (server_name.pfx) that corresponds to the key-ring property of the MQIPT route. For example, use SSLClientKeyRing for an SSLClient route and SSLServerKeyRing for an SSLServer route.
     • -pw specifies the password (key_password) that you must use later with the mqiptPW utility to store the encrypted key-ring password.
     • -type specifies the format of the key database; for example, pkcs12.
  2. Create a self-signed personal certificate for testing purposes:

     mqiptKeycmd -cert -create -db server_name.pfx -pw password -type key_type
                 -label label -dn DN_identity
                 -sig_alg signature_algorithm -size key_size
     

     where:
     • -type specifies the format of the key database; for example, pkcs12.
     • -label specifies a unique name of your choice; it is preferable not to include space characters.
     • -dn specifies the appropriate Distinguished Name identity for the MQIPT route; for example, "CN=Test Certificate,OU=Sales,O=Example,C=US".
     • -sig_alg specifies the hash algorithm; for example, SHA256WithRSA.
     • -size specifies the size of the public key; for example, 2048.
     If we use the example values given, this command creates a digital certificate with a 2048-bit RSA public key and a digital signature that uses RSA with the SHA-256 hash algorithm.

     When creating a certificate, take care to choose an appropriate public key encryption algorithm, key size, and digital signature algorithm for your organization's security needs. See Digital certificate considerations for MQIPT for more information.

• Use the iKeyman GUI
  1. Open the iKeyman GUI by running the following command:

     mqiptKeyman

  2. Click Key database file > New.
  3. Select the type of the key database; for example, PKCS12.
  4. Enter the file name and location for the new key-ring file. This must correspond to the key-ring property of the MQIPT route; for example, use SSLClientKeyRing for an SSLClient route and SSLServerKeyRing for an SSLServer route. Click OK.
  5. Enter a password for the new key-ring file. Enter the password a second time to confirm. This is the password that you must use later with the mqiptPW utility to store the encrypted key-ring password. Click OK to create the new personal-certificate key-ring file.
  6. Create the new self-signed personal certificate by clicking Create > New Self-Signed Certificate.
  7. Enter a label for the new certificate in the Key Label field. The label can be any unique name you choose; it is preferable not to include space characters.
  8. Select the key size and digital signature algorithm as appropriate for your organization's security needs. See Digital certificate considerations for MQIPT for more information.
  9. Enter the appropriate Distinguished Name identity for the MQIPT route in the optional DN fields, then click OK.

What to do next

After we have finished configuring the key-ring file, store an encrypted copy of the password in a file so that MQIPT can access the key-ring file:

mqiptPW key_password password_file_name.pwd

where:

• key_password is the key-ring password.
• password_file_name.pwd is the name of the file to store the password in.

Ensure that this file is named by the appropriate MQIPT route property; for example, SSLServerKeyRingPW for the SSLServer personal certificate key-ring file or SSLClientKeyRingPW for the SSLClient personal certificate key-ring file.