Creating a self-signed personal certificate on UNIX, Linux, and Windows
We can create a self-signed certificate by using the strmqikm (iKeyman) GUI, or from the command line using runmqckm (iKeycmd) or runmqakm (GSKCapiCmd).
Note: IBM MQ does not support SHA-3 or SHA-5 algorithms. You can use the digital signature algorithm names SHA384WithRSA and SHA512WithRSA because both algorithms are members of the SHA-2 family.The digital signature algorithm names SHA3WithRSA and SHA5WithRSA are deprecated because they are an abbreviated form of SHA384WithRSA and SHA512WithRSA respectively.
For more information about why you might want to use self-signed certificates, see Use self-signed certificates for mutual authentication of two queue managers.
Not all digital certificates can be used with all CipherSpecs. Ensure that you create a certificate that is compatible with the CipherSpecs you need to use. IBM MQ supports three different types of CipherSpec. For details, see Interoperability of Elliptic Curve and RSA CipherSpecs in the Digital certificates and CipherSpec compatibility in IBM MQ topic. To use the Type 1 CipherSpecs (those with names beginning ECDHE_ECDSA_) you must use the runmqakm command to create the certificate and you must specify an Elliptic Curve ECDSA signature algorithm parameter; for example, -sig_alg EC_ecdsa_with_SHA384.
Use iKeyman
iKeyman does not provide a FIPS-compliant option. If you need to manage TLS certificates in a way that is FIPS-compliant, use the runmqakm command.
Use the following procedure to obtain a self-signed certificate for your queue manager or IBM MQ MQI client:- Start the iKeyman GUI by using the strmqikm command .
- From the Key Database File menu, click Open. The Open window displays.
- Click Key database type and select CMS (Certificate Management System).
- Click Browse to navigate to the directory that contains the key database files.
- Select the key database file in which you want to save the certificate, for example key.kdb.
- Click OK. The Password Prompt window displays.
- Type the password you set when you created the key database and click OK. The name of your key database file is displayed in the File Name field.
- From the Create menu, click New Self-Signed Certificate. The Create New Self-Signed Certificate window is displayed.
- In the Key Label field, enter the certificate label. The label is either the value of the CERTLABL attribute, if it is set, or the default ibmwebspheremq with the name of the queue manager or IBM MQ MQI client logon user ID appended, all in lowercase. See Digital certificate labels for details.
- Type or select a value for any field in the Distinguished name, or any of the Subject alternative name fields.
- For the remaining fields, either accept the default values, or type or select new values. For more information about Distinguished Names, see Distinguished Names.
- Click OK. The Personal Certificates list shows the label of the self-signed personal certificate you created.
Use the command line
Use the following commands to create a self-signed personal certificate by using iKeycmd or runmqakm:- Use iKeycmd on UNIX, Linux , and Windows:
runmqckm -cert -create -db filename -pw password -label label -dn distinguished_name -size key_size -x509version version -expire days -sig_alg algorithmInstead of -dn distinguished_name, we can use -san_dsname DNS_names, -san_emailaddr email_addresses, or -san_ipaddr IP_addresses.
- Use runmqakm:
runmqakm -cert -create -db filename -pw password -label label -dn distinguished_name -size key_size -x509version version -expire days -fips -sig_alg algorithm
| -db filename | The fully qualified file name of a CMS key database. |
| -pw password | The password for the CMS key database. |
| -label label | The key label attached to the certificate. The label is either the value of the CERTLABL attribute, if it is set, or the default ibmwebspheremq with the name of the queue manager or the IBM MQ MQI client logon user ID appended, all in lowercase. See Digital certificate labels, understanding the requirements for details. |
| -dn distinguished_name | The X.500 distinguished name enclosed in double quotation marks. At least one attribute is required. We can supply multiple OU or DC attributes. Note: The iKeycmd and runmqakm tools refer to the postal code attribute as POSTALCODE, not PC. Always specify POSTALCODE in the -dn parameter when we use these certificate management commands to request certificates with a postal code. |
| -size key_size | The key size. For iKeycmd, the value can be 512 or 1024. For runmqakm, the value can be 512, 1024, 2048 or 4096. |
| -x509version version | The version of X.509 certificate to create. The value can be 1, 2, or 3. The default is 3. |
| -expire days | The expiration time in days of the certificate. The default is 365 days for a certificate. |
| -fips | Specifies that the command is run in FIPS mode. Only the FIPS ICC component is used and this component must be successfully initialized in FIPS mode. When in FIPS mode, the ICC component uses algorithms that have been FIPS 140-2 validated. If the ICC component does not initialize in FIPS mode, the runmqakm command fails. |
| -sig_alg | For runmqakm, the hashing algorithm used during the creation of a self-signed certificate. This hashing algorithm is used to create the signature associated with the newly created self-signed certificate. The value can be md5, MD5_WITH_RSA, MD5WithRSA, SHA_WITH_DSA, SHA_WITH_RSA, sha1, SHA1WithDSA, SHA1WithECDSA, SHA1WithRSA, sha224, SHA224_WITH_RSA, SHA224WithDSA, SHA224WithECDSA, SHA224WithRSA, sha256, SHA256_WITH_RSA, SHA256WithDSA, SHA256WithECDSA, SHA256WithRSA, SHA2WithRSA, sha384, SHA384_WITH_RSA, SHA384WithECDSA, SHA384WithRSA, sha512, SHA512_WITH_RSA, SHA512WithECDSA, SHA512WithRSA, SHAWithDSA, SHAWithRSA, EC_ecdsa_with_SHA1, EC_ecdsa_with_SHA224, EC_ecdsa_with_SHA256, EC_ecdsa_with_SHA384, or EC_ecdsa_with_SHA512. The default value is SHA1WithRSA. |
| -sig_alg | For iKeycmd, the asymmetric signature algorithm used for the creation of the entry's key pair. The value can be MD2_WITH_RSA, MD2WithRSA, MD5_WITH_RSA, MD5WithRSA, SHA1WithDSA, SHA1WithRSA, SHA256_WITH_RSA, SHA256WithRSA, SHA2WithRSA, SHA384_WITH_RSA, SHA384WithRSA, SHA512_WITH_RSA, SHA512WithRSA, SHA_WITH_DSA, SHA_WITH_RSA, SHAWithDSA, or SHAWithRSA. The default value is SHA1WithRSA. |
| -san_dnsname DNS_names | A comma- or space-delimited list of DNS names for the entry being created. |
| -san_emailaddr email_addresses | A comma- or space-delimited list of email addresses for the entry being created. |
| -san_ipaddr IP_addresses | A comma- or space-delimited list of IP addresses for the entry being created. |