Create a self-signed personal certificate on UNIX, Linux, and Windows
We can create a self-signed certificate by using the strmqikm (iKeyman) GUI, or from the command line using runmqckm (iKeycmd) or runmqakm (GSKCapiCmd).
Note: IBM MQ does not support SHA-3 or SHA-5 algorithms. You can use the digital signature algorithm names SHA384WithRSA and SHA512WithRSA because both algorithms are members of the SHA-2 family.The digital signature algorithm names SHA3WithRSA and SHA5WithRSA are deprecated because they are an abbreviated form of SHA384WithRSA and SHA512WithRSA respectively.
For more information about why you might want to use self-signed certificates, see Use self-signed certificates for mutual authentication of two queue managers.
Not all digital certificates can be used with all CipherSpecs. Ensure that you create a certificate that is compatible with the CipherSpecs we need to use. IBM MQ supports three different types of CipherSpec. For details, see Interoperability of Elliptic Curve and RSA CipherSpecs in the Digital certificates and CipherSpec compatibility in IBM MQ topic.
To use the Type 1 CipherSpecs (those with names beginning ECDHE_ECDSA_) we must use the runmqakm command to create the certificate and we must specify an Elliptic Curve ECDSA signature algorithm parameter; for example, -sig_alg EC_ecdsa_with_SHA384.
If we are using the:- GUI, see Use the strmqikm user interface
- Command line, see Use the command line
- Use the strmqikm user interface
We can create a personal certificate by using the strmqikm (iKeyman) GUI. - Use the command line
We can create a personal certificate from the command line using the runmqckm (iKeycmd) or runmqakm (GSKCapiCmd) commands. For to manage SSL or TLS certificates in a way that is FIPS-compliant, use the runmqakm command.
Parent topic: Work with SSL/TLS on UNIX, Linux, and Windows