Digital certificate considerations for MQIPT


Certificate key size considerations for MQIPT

The public key size you need depends on your organization's security policy and on the algorithm used: an Elliptic Curve key provides comparable strength at far fewer bits than an RSA key, so the minimum differs by algorithm. In general, larger key sizes are more secure. The following table lists the minimum key sizes that you should use:

Algorithm        Minimum key size (bits)
Elliptic Curve   256
RSA              2048

Specify the key size of your certificate when you create a certificate or certificate request.

  • When using the mqiptKeycmd CLI command, the -size parameter specifies the key size.
  • When using the mqiptKeyman GUI, the Key Size field in the Certificate Creation window specifies the key size.


Selecting an appropriate certificate digital signature algorithm

To prevent forgery of digital certificates, it is important to use a strong digital signature algorithm. When you create or request a certificate, take care to select a good algorithm.

Avoid the older digital signature algorithms based on MD5 or SHA-1: practical collision attacks exist against both hash functions, so certificates signed with them can no longer be relied on to resist forgery. If possible, use one of the newer SHA-2 based digital signature algorithms, such as SHA-256 with RSA (SHA256WithRSA).

Versions of MQIPT earlier than Version 2.1 do not support SHA-2 digital signatures, so for interoperability with those releases use the SHA1WithRSA digital signature algorithm. Treat this as a temporary measure: plan to upgrade older versions of MQIPT and phase out the use of MD5 and SHA-1 digital signatures.

  • When using the mqiptKeycmd CLI command, the -sig_alg parameter specifies the digital signature algorithm.
  • When using mqiptKeyman GUI, the Signature Algorithm field of the Certificate Creation window specifies the digital signature algorithm.


Digital certificate and CipherSuite compatibility in MQIPT

Not all CipherSuites can be used with all digital certificates. CipherSuites are grouped into types by their name prefix, and each type restricts the kind of digital certificate that can be used with it. These restrictions apply to all MQIPT SSL/TLS connections, but they are particularly relevant to users of Elliptic Curve cryptography. During the secure socket handshake, MQIPT automatically selects a personal certificate to identify itself that is appropriate for the negotiated CipherSuite, so in most cases MQIPT interoperates with the remote peer without further configuration. In certain scenarios, however, you might need to use a specific MQIPT CipherSuite to interoperate with a remote IBM MQ system.

The mqiptKeyman application supplied with MQIPT can create certificates and certificate requests only with DSA and RSA public keys. The IBM MQ runmqakm utility can also create certificates and certificate requests with Elliptic Curve public keys. Consult your Certificate Authority for advice on creating other types of certificate.

The type of digital certificate to use depends on the type of CipherSuite you are using:

  • CipherSuites with names that begin SSL_ECDH_ECDSA_ and SSL_ECDHE_ECDSA_ require a digital certificate with an Elliptic Curve public key.
  • CipherSuites with names that contain anon are anonymous; they do not require a digital certificate to identify the remote peer. Such CipherSuites can avoid the overheads of certificate lifecycle management in networks where an alternative means of authentication is used, but in general, avoid their use due to the lack of authentication.
  • Other CipherSuites require a digital certificate with an RSA public key.

Note: The mqiptKeyman and mqiptKeycmd tools are unable to create certificates or certificate requests with an Elliptic Curve public key. You can use the runmqakm command provided with IBM MQ for this purpose. The runmqakm command is described in Use runmqckm, runmqakm, and strmqikm to manage digital certificates.
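The three rules on this page (the key-size minimums in the table, the exclusion of MD5 and SHA-1 signature algorithms, and the certificate key type that each CipherSuite family requires) can be checked against a certificate before it is added to the MQIPT key ring, which is useful when certificates arrive from a CA or from another team. The script below is an added example written for this page; it is not part of MQIPT, mqiptKeyman, mqiptKeycmd or runmqakm. It uses only the Python standard library, walks the DER structure itself to read the public key and signature algorithm, and does not verify the signature. The OIDs are the standard X.509 identifiers; the function names, the "other" key-type label and the mqipt.example subject are assumptions of the example, and the three sample certificates at the bottom are constructed in the code with placeholder key and signature bytes so that it runs offline.

```python
"""Audit an X.509 certificate against this page's guidance: RSA >= 2048 / EC >= 256 bits, no MD5
or SHA-1 signature, and which MQIPT CipherSuite family (ECDSA or RSA) the certificate can serve."""
import base64

RSA_KEY, EC_KEY = "1.2.840.113549.1.1.1", "1.2.840.10045.2.1"              # SPKI algorithm OIDs
CURVES = {"1.2.840.10045.3.1.7": 256, "1.3.132.0.34": 384, "1.3.132.0.35": 521}
SIG_ALGS = {"1.2.840.113549.1.1.4": "MD5WithRSA", "1.2.840.113549.1.1.5": "SHA1WithRSA", "1.2.840.113549.1.1.11": "SHA256WithRSA",
            "1.2.840.10045.4.1": "SHA1WithECDSA", "1.2.840.10045.4.3.2": "SHA256WithECDSA"}
WEAK_SIGS = {"MD5WithRSA", "SHA1WithRSA", "SHA1WithECDSA"}
MIN_BITS = {"RSA": 2048, "EC": 256}                                          # the table on this page

def tlv(buf, pos=0):                                   # one DER tag-length-value -> (tag, value, next_pos)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                      # long-form length: (ln & 0x7F) bytes follow
        ln, pos = int.from_bytes(buf[pos:pos + (ln & 0x7F)], "big"), pos + (ln & 0x7F)
    return tag, buf[pos:pos + ln], pos + ln

def children(body):                                    # split a constructed element into (tag, value) pairs
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = tlv(body, pos)
        out.append((tag, val))
    return out

def decode_oid(raw):
    parts, v = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:                               # last byte of a base-128 arc
            parts, v = parts + [v], 0
    return ".".join(map(str, parts))

def inspect_cert(der_bytes):                           # key type, key size in bits, signature algorithm
    tbs, sig_alg = children(tlv(der_bytes)[1])[:2]
    fields = children(tbs[1])
    if fields[0][0] == 0xA0:                           # skip the optional explicit [0] version
        fields = fields[1:]
    alg, pubkey = children(fields[5][1])               # SPKI follows serial, sigalg, issuer, validity, subject
    alg_oid, *params = children(alg[1])
    key_oid, key_type, bits = decode_oid(alg_oid[1]), "other", 0
    if key_oid == RSA_KEY:      # BIT STRING (unused-bits byte first) wraps SEQUENCE { modulus, exponent }
        modulus = children(children(pubkey[1][1:])[0][1])[0][1]
        key_type, bits = "RSA", int.from_bytes(modulus, "big").bit_length()
    elif key_oid == EC_KEY:                            # size is fixed by the named curve in the parameters
        key_type, bits = "EC", CURVES.get(decode_oid(params[0][1]), 0)
    sig = decode_oid(children(sig_alg[1])[0][1])
    return {"key_type": key_type, "bits": bits, "sig_alg": SIG_ALGS.get(sig, sig)}

def audit(der_bytes):
    """Apply the page's rules; returns inspect_cert() fields plus 'problems' and 'ciphersuites'."""
    info, problems = inspect_cert(der_bytes), []
    minimum = MIN_BITS.get(info["key_type"], 0)
    if not minimum:
        problems.append("public key is neither RSA nor Elliptic Curve; no listed CipherSuite family applies")
    elif info["bits"] < minimum:
        problems.append("%s key of %d bits is below the %d-bit minimum" % (info["key_type"], info["bits"], minimum))
    if info["sig_alg"] in WEAK_SIGS:
        problems.append("weak signature algorithm %s; re-issue with a SHA-2 algorithm" % info["sig_alg"])
    suites = ("SSL_ECDH_ECDSA_* and SSL_ECDHE_ECDSA_*" if info["key_type"] == "EC"
              else "RSA CipherSuites (neither *_ECDSA_* nor *anon*)")   # family this certificate can serve
    return dict(info, problems=problems, ciphersuites=suites)

def load_pem(text):
    """PEM -> DER: drop the BEGIN/END lines and base64-decode the rest."""
    return base64.b64decode("".join(line for line in text.strip().splitlines() if not line.startswith("-----")))

def der(tag, body):                                    # DER encoder, used only to build the constructed samples
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def oid(dotted):
    a, b, *rest = map(int, dotted.split("."))
    out = [40 * a + b]
    for p in rest:                                     # each arc as big-endian base-128, high bit = "more"
        enc = [p & 0x7F]
        while p > 0x7F:
            p >>= 7
            enc.insert(0, 0x80 | (p & 0x7F))
        out += enc
    return der(0x06, bytes(out))

def make_cert(key_alg, key_bits, sig_oid):             # well-formed X.509 v3 cert with a placeholder signature
    name = der(0x30, der(0x31, der(0x30, oid("2.5.4.3") + der(0x0C, b"mqipt.example"))))
    sig_alg = der(0x30, oid(sig_oid) + (der(0x05, b"") if sig_oid.startswith("1.2.840.113549") else b""))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + sig_alg + name
              + der(0x30, der(0x17, b"240101000000Z") + der(0x17, b"250101000000Z"))   # validity
              + name + der(0x30, key_alg + der(0x03, b"\x00" + key_bits)))             # subject, SPKI
    return der(0x30, tbs + sig_alg + der(0x03, b"\x00" + bytes(64)))

def rsa_pub(bits):                                     # placeholder modulus of exactly `bits` bits, e = 65537
    return der(0x30, der(0x02, b"\x00" + b"\xff" * (bits // 8)) + der(0x02, b"\x01\x00\x01"))

RSA_ALG = der(0x30, oid(RSA_KEY) + der(0x05, b""))
EC_ALG = der(0x30, oid(EC_KEY) + oid("1.2.840.10045.3.1.7"))               # P-256
LEGACY_RSA = make_cert(RSA_ALG, rsa_pub(1024), "1.2.840.113549.1.1.5")      # 1024-bit, SHA1WithRSA
GOOD_RSA = make_cert(RSA_ALG, rsa_pub(2048), "1.2.840.113549.1.1.11")       # 2048-bit, SHA256WithRSA
GOOD_EC = make_cert(EC_ALG, b"\x04" + bytes(64), "1.2.840.10045.4.3.2")     # P-256 point, SHA256WithECDSA
GOOD_RSA_PEM = "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(GOOD_RSA).decode()
```

To audit a real certificate, pass load_pem(open(path).read()) or the DER bytes to audit(). A non-empty problems list means the certificate should be re-created with -size and -sig_alg values that meet the table and signature guidance above, or, for an Elliptic Curve key, with runmqakm; the ciphersuites field tells you which CipherSuite family MQIPT can offer that certificate for. The legacy sample fails both the key-size and the signature check, while the other two pass.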