Commands for CMS or PKCS #12 key databases

We can use the runmqckm and runmqakm commands to manage keys and certificates for a CMS key database or a PKCS #12 key database.

Note: IBM MQ does not support SHA-3 or SHA-5 algorithms. You can use the digital signature algorithm names SHA384WithRSA and SHA512WithRSA because both algorithms are members of the SHA-2 family.

The digital signature algorithm names SHA3WithRSA and SHA5WithRSA are deprecated because they are an abbreviated form of SHA384WithRSA and SHA512WithRSA respectively.

    -keydb -changepw
    Change the password for a key database:
    -keydb -changepw -db filename -pw password -new_pw new_password -expire days
    

    -keydb -convert
    Convert the key database from one format to another:
    -keydb -convert -db filename -pw password -old_format cms | pkcs12 -new_format cms
    

    -keydb -create
    Create a key database:
    -keydb -create -db filename -pw password -type cms | pkcs12
    

    -keydb -delete
    Delete a key database:
    -keydb -delete -db filename -pw password
    

    -keydb -list
    List currently-supported types of key database:
    -keydb -list
    

    -cert -add
    Add a certificate from a file into a key database:
    -cert -add -db filename -pw password -label label -file filename -format ascii | binary
    

    -cert -create
    Create a self-signed certificate:
    -cert -create -db filename -pw password -label label -dn distinguished_name
    -size 1024 | 512 -x509version 3 | 1 | 2 -expire days
    -sig_alg MD2_WITH_RSA | MD2WithRSA | MD5_WITH_RSA | MD5WithRSA |
    SHA1WithDSA | SHA1WithRSA | SHA256_WITH_RSA | SHA256WithRSA |
    SHA2WithRSA | SHA384_WITH_RSA | SHA384WithRSA | SHA512_WITH_RSA |
    SHA512WithRSA | SHA_WITH_DSA | SHA_WITH_RSA | SHAWithDSA | SHAWithRSA
    

    -cert -delete
    Delete a certificate:
    -cert -delete -db filename -pw password -label label
    

    -cert -details
    List the detailed information for a specific certificate:
    -cert -details -db filename -pw password -label label
    

    -cert -export
    Export a personal certificate and its associated private key from a key database into a PKCS #12 file, or to another key database:
    -cert -export -db filename -pw password -label label -type cms | pkcs12
    -target filename -target_pw password -target_type cms | pkcs12
    

    -cert -extract
    Extract a certificate from a key database:
    -cert -extract -db filename -pw password -label label -target filename -format ascii | binary
    

    -cert -import
    Import a personal certificate from a key database:
    -cert -import -file filename -pw password -type pkcs12
    -target filename -target_pw password -target_type cms -label label
    

    The -label option is required and specifies the label of the certificate that is to be imported from the source key database.

    The -new_label option is optional and allows the imported certificate to be given a different label in the target key database from the label in the source database.

    -cert -list
    List all certificates in a key database:
    -cert -list all | personal | CA -db filename -pw password
    
    

    -cert -receive
    Receive a certificate from a file:
    -cert -receive -file filename -db filename -pw password -format ascii | binary -default_cert yes | no
    

    -cert -sign
    Sign a certificate:
    -cert -sign -db filename -file filename -pw password -label label -target filename
    -format ascii | binary -expire days
    -sig_alg MD2_WITH_RSA | MD2WithRSA | MD5_WITH_RSA | MD5WithRSA |
    SHA1WithDSA | SHA1WithRSA | SHA256_WITH_RSA | SHA256WithRSA |
    SHA2WithRSA | SHA384_WITH_RSA | SHA384WithRSA | SHA512_WITH_RSA |
    SHA512WithRSA | SHA_WITH_DSA | SHA_WITH_RSA | SHAWithDSA | SHAWithRSA
    

    -certreq -create
    Create a certificate request:
    -certreq -create -db filename -pw password -label label -dn distinguished_name
    -size 1024 | 512 -file filename
    -sig_alg MD2_WITH_RSA | MD2WithRSA | MD5_WITH_RSA | MD5WithRSA |
    SHA1WithDSA | SHA1WithRSA | SHA256_WITH_RSA | SHA256WithRSA |
    SHA2WithRSA | SHA384_WITH_RSA | SHA384WithRSA | SHA512_WITH_RSA |
    SHA512WithRSA | SHA_WITH_DSA | SHA_WITH_RSA | SHAWithDSA | SHAWithRSA
    

    -certreq -delete
    Delete a certificate request:
    -certreq -delete -db filename -pw password -label label
    

    -certreq -details
    List the detailed information of a specific certificate request:
    -certreq -details -db filename -pw password -label label
    

    List the detailed information about a certificate request and show the full certificate request:

    -certreq -details -showOID -db filename -pw password -label label
    

    -certreq -extract
    Extract a certificate request from a certificate request database into a file:
    -certreq -extract -db filename -pw password -label label -target filename
    

    -certreq -list
    List all certificate requests in the certificate request database:
    -certreq -list -db filename -pw password
    

    -certreq -recreate
    Re-create a certificate request:
    -certreq -recreate -db filename -pw password -label label -target filename
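
The -sig_alg and -size lists above include MD2, MD5 and SHA-1 signature names and 512- and 1024-bit keys, and the note at the top marks SHA3WithRSA and SHA5WithRSA as deprecated. The following POSIX shell lint for runmqckm/runmqakm command lines found in scripts is an added example, not IBM code. The 2048-bit minimum, the "unspecific-name" verdict for names that carry no digest size, and the sample file names, labels and password are assumptions of this example.

```shell
# Added example (not IBM code): lint runmqckm/runmqakm command lines.
MIN_KEY_BITS=2048   # assumed local policy, not a value from the page

# Classify a -sig_alg name from the option lists on this page.
classify_sig_alg() {
    case "$1" in
        SHA3WithRSA) echo "deprecated-alias-of-SHA384WithRSA" ;;
        SHA5WithRSA) echo "deprecated-alias-of-SHA512WithRSA" ;;
        MD2_WITH_RSA|MD2WithRSA|MD5_WITH_RSA|MD5WithRSA|SHA1WithDSA|SHA1WithRSA)
            echo "weak-digest" ;;
        SHA256_WITH_RSA|SHA256WithRSA|SHA384_WITH_RSA|SHA384WithRSA|SHA512_WITH_RSA|SHA512WithRSA)
            echo "ok" ;;
        # No digest size in the name: this example asks for an explicit one.
        SHA2WithRSA|SHA_WITH_DSA|SHA_WITH_RSA|SHAWithDSA|SHAWithRSA)
            echo "unspecific-name" ;;
        *) echo "unknown" ;;
    esac
}

# audit_cmd "<command line>": print one finding per line; status 1 if any.
audit_cmd() {
    findings="" prev="" seen_alg=0
    set -f    # no globbing while the line is word-split
    for tok in $1; do
        case "$prev" in
            -sig_alg)
                seen_alg=1
                verdict=$(classify_sig_alg "$tok")
                [ "$verdict" = ok ] || findings="$findings sig_alg=$tok:$verdict" ;;
            -size)
                [ "$tok" -ge "$MIN_KEY_BITS" ] 2>/dev/null ||
                    findings="$findings size=$tok:below-$MIN_KEY_BITS" ;;
        esac
        prev=$tok
    done
    # These actions take -sig_alg on this page; without it the tool default applies.
    case " $1 " in
        *" -cert -create "*|*" -cert -sign "*|*" -certreq -create "*)
            [ "$seen_alg" -eq 1 ] || findings="$findings sig_alg:not-set" ;;
    esac
    [ -z "$findings" ] || printf '%s\n' $findings   # unquoted: one per line
    set +f
    [ -z "$findings" ]
}

# Constructed samples; file names, labels and the password are placeholders.
SAMPLE_WEAK='runmqakm -certreq -create -db key.kdb -pw PLACEHOLDER -label qm1 -dn CN=qm1 -size 1024 -file qm1.csr -sig_alg SHA3WithRSA'
SAMPLE_GOOD='runmqakm -cert -sign -db ca.kdb -file qm1.csr -pw PLACEHOLDER -label ca -target qm1.cer -format ascii -expire 365 -sig_alg SHA384WithRSA'
for line in "$SAMPLE_WEAK" "$SAMPLE_GOOD"; do audit_cmd "$line" && echo "clean" || true; done
```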