Create test certificates
In this scenario, we can create a self-signed certificate which we can use for testing MQIPT routes. This certificate can be used by an MQIPT route to identify itself to a remote peer.
Self-signed certificates can be useful in test scenarios where we must ensure TLS connectivity without paying a Certificate Authority (CA) for a certificate. However, we should not use self-signed certificates in production environments. For certificates for production usage, see Create a key ring file.
Before starting
- Before you start to use this scenario, make sure that we have completed the prerequisite tasks listed in Getting started with IBM MQ Internet Pass-Thru.
We can either use the mqiptkeycmd (iKeyman) command-line interface (CLI) or the mqiptkeyman GUI to request the certificate. We should then specify the key ring file that contains the certificate in the SSLServerKeyRing or SSLClientKeyRing MQIPT route property, depending on whether the certificate is for use by inbound or outbound connections.
Procedure
Use one of the following methods to create test certificates:
- Use the command-line interface (CLI)
- Enter the following command to create a new PKCS #12 key ring file:
mqiptKeycmd -keydb -create -db server_name.pfx -pw password -type pkcs12
where:- -db specifies the name of the key ring file (server_name.pfx).
- -pw specifies the key ring password (password) that you must later encrypt using the mqiptPW utility.
- Enter the following command to create a self-signed personal certificate for testing
purposes:
mqiptKeycmd -cert -create -db server_name.pfx -pw password -type pkcs12 -label label -dn DN_identity -sig_alg signature_algorithm -size key_size
where:- -label specifies a unique name of our choice; it is preferable not to include space characters.
- -dn specifies the appropriate Distinguished Name identity for the MQIPT route; for example, "CN=Test Certificate,OU=Sales,O=Example,C=US".
- -sig_alg specifies the hash algorithm; for example, SHA256WithRSA.
- -size specifies the size of the public key; for example, 2048.
If we use the example values given, this command creates a digital certificate with a 2048-bit RSA public key and a digital signature that uses RSA with the SHA-256 hash algorithm.
When creating a certificate, take care to choose an appropriate public key encryption algorithm, key size, and digital signature algorithm for the organization's security needs. See Digital certificate considerations for MQIPT for more information.
- Enter the following command to create a new PKCS #12 key ring file:
- Use the GUI
- Open the GUI by running the following command:
mqiptKeyman
- Click Key database file > New.
- Select the type of the key database; for example, PKCS12.
- Enter the file name and location for the new key ring file. Click OK.
- Enter a password for the new key ring file. Enter the password a second time to confirm. This is the key ring password that we must later encrypt using the mqiptPW utility. Click OK to create the new personal-certificate key ring file.
- Create the new self-signed personal certificate by clicking Create > New Self-Signed Certificate.
- Enter a label for the new certificate in the Key Label field. The label can be any unique name you choose; it is preferable not to include space characters.
- Select the key size and digital signature algorithm as appropriate for the organization's security needs. See Digital certificate considerations for MQIPT for more information.
- Enter the appropriate Distinguished Name identity for the MQIPT route in the optional DN fields, then click OK.
- Open the GUI by running the following command:
What to do next
Encrypt the key ring passwords by issuing the following command:mqiptPWEnter the key ring password to encrypt when prompted. Set the value of the appropriate property in the mqipt.conf configuration file to the encrypted password that is output by the mqiptPW command; for example, SSLServerKeyRingPW or SSLClientKeyRingPW, depending on whether the certificate is for use by inbound or outbound connections. For more information about encrypting key ring passwords, see Encrypting stored passwords to encrypt the key ring passwords. Parent topic: Getting started with IBM MQ Internet Pass-Thru