Use the command line
We can create a personal certificate from the command line using the runmqckm (iKeycmd) or runmqakm (GSKCapiCmd) commands. If you need to manage SSL or TLS certificates in a way that is FIPS-compliant, use the runmqakm command.
Procedure
Create a self-signed personal certificate by using either the runmqckm or runmqakm (GSKCapiCmd) command.
- Use runmqckm on UNIX, Linux, and Windows:
runmqckm -cert -create -db filename -pw password -label label -dn distinguished_name -size key_size -x509version version -expire days -sig_alg algorithm
Instead of -dn distinguished_name, we can use -san_dnsname DNS_names, -san_emailaddr email_addresses, or -san_ipaddr IP_addresses.
- Use runmqakm:
runmqakm -cert -create -db filename -pw password -label label -dn distinguished_name -size key_size -x509version version -expire days -fips -sig_alg algorithm
where:
- -db filename
- Specifies the fully qualified file name of a CMS key database.
- -pw password
- Specifies the password for the CMS key database.
- -label label
- Specifies the key label attached to the certificate. The label is either the value of the CERTLABL attribute, if it is set, or the default ibmwebspheremq with the name of the queue manager or the IBM MQ MQI client logon user ID appended, all in lowercase. See Digital certificate labels, understanding the requirements for details.
- -dn distinguished_name
- Specifies the X.500 distinguished name enclosed in double quotation marks. At least one attribute is required. We can supply multiple OU and DC attributes. Note: The runmqckm and runmqakm tools refer to the postal code attribute as POSTALCODE, not PC. Always specify POSTALCODE in the -dn parameter when we use these certificate management commands to request certificates with a postal code.
- -size key_size
- Specifies the key size. If we are using runmqckm, the value can be 512 or 1024. If we are using runmqakm, the value can be 512, 1024, or 2048.
- -x509version version
- The version of X.509 certificate to create. The value can be 1, 2, or 3. The default is 3.
- -file filename
- Specifies the file name for the certificate request.
- -expire days
- The expiration time in days of the certificate. The default is 365 days for a certificate.
- -fips
- Specifies that the command is run in FIPS mode. Only the FIPS ICC component is used and this component must be successfully initialized in FIPS mode. When in FIPS mode, the ICC component uses algorithms that have been FIPS 140-2 validated. If the ICC component does not initialize in FIPS mode, the runmqakm command fails.
- -sig_alg
- For runmqckm, specifies the asymmetric signature algorithm used for the creation of the entry's key pair. The value can be MD2_WITH_RSA, MD2WithRSA, MD5_WITH_RSA, MD5WithRSA, SHA1WithDSA, SHA1WithECDSA, SHA1WithRSA, SHA2/ECDSA, SHA224WithECDSA, SHA256_WITH_RSA, SHA256WithECDSA, SHA256WithRSA, SHA2WithECDSA, SHA3/ECDSA, SHA384_WITH_RSA, SHA384WithECDSA, SHA384WithRSA, SHA3WithECDSA, SHA5/ECDSA, SHA512_WITH_RSA, SHA512WithECDSA, SHA512WithRSA, SHA5WithECDSA, SHA_WITH_DSA, SHA_WITH_RSA, SHAWithDSA, SHAWithRSA. The default value is SHA1WithRSA.
- -sig_alg
- For runmqakm, specifies the hashing algorithm used during the creation of a certificate request. This hashing algorithm is used to create the signature associated with the newly created certificate request. The value can be md5, MD5_WITH_RSA, MD5WithRSA, SHA_WITH_DSA, SHA_WITH_RSA, sha1, SHA1WithDSA, SHA1WithECDSA, SHA1WithRSA, sha224, SHA224_WITH_RSA, SHA224WithDSA, SHA224WithECDSA, SHA224WithRSA, sha256, SHA256_WITH_RSA, SHA256WithDSA, SHA256WithECDSA, SHA256WithRSA, SHA2WithRSA, sha384, SHA384_WITH_RSA, SHA384WithECDSA, SHA384WithRSA, sha512, SHA512_WITH_RSA, SHA512WithECDSA, SHA512WithRSA, SHAWithDSA, SHAWithRSA, EC_ecdsa_with_SHA1, EC_ecdsa_with_SHA224, EC_ecdsa_with_SHA256, EC_ecdsa_with_SHA384, or EC_ecdsa_with_SHA512. The default value is SHA1WithRSA.
- -san_dnsname DNS_names
- Specifies a comma-delimited or space-delimited list of DNS names for the entry being created.
- -san_emailaddr email_addresses
- Specifies a comma-delimited or space-delimited list of email addresses for the entry being created.
- -san_ipaddr IP_addresses
- Specifies a comma-delimited or space-delimited list of IP addresses for the entry being created.
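The following POSIX shell wrapper is an added example, not IBM's own code: it assembles the runmqakm -cert -create command described above for a queue manager, derives the default ibmwebspheremq label from the queue manager name as the -label description requires, and refuses the weaker choices the page lists (key sizes below 2048, the SHA1WithRSA default). The key database path, password and distinguished name are assumed inputs; the function prints the command line so it can be reviewed before being piped to sh.

```shell
#!/bin/sh
# Added example (not from the IBM MQ documentation). Builds the runmqakm
# -cert -create invocation for a queue manager with FIPS mode, a 2048-bit
# key and a SHA-2 RSA signature, and rejects weaker parameters.

# build_create_cmd DB PASSWORD QMGR_NAME DN [KEY_SIZE] [SIG_ALG]
# Prints the command on stdout; returns 1 (prints nothing) on a weak choice.
build_create_cmd() {
  db="$1"; pw="$2"; qmgr="$3"; dn="$4"
  size="${5:-2048}"; alg="${6:-SHA256WithRSA}"

  # Without CERTLABL the label must be ibmwebspheremq followed by the
  # queue manager name, all in lowercase (see -label above).
  label="ibmwebspheremq$(printf '%s' "$qmgr" | tr '[:upper:]' '[:lower:]')"

  # runmqakm accepts 512, 1024 or 2048; only 2048 is acceptable here.
  case "$size" in
    2048) ;;
    *) echo "refusing key size $size: use 2048" >&2; return 1 ;;
  esac

  # The documented default -sig_alg is SHA1WithRSA; insist on SHA-2 with RSA.
  case "$alg" in
    SHA256WithRSA|SHA384WithRSA|SHA512WithRSA) ;;
    *) echo "refusing signature algorithm $alg: use SHA256WithRSA or stronger" >&2; return 1 ;;
  esac

  # X.509 v3, 365-day validity and -fips, as documented for runmqakm.
  printf 'runmqakm -cert -create -db %s -pw %s -label %s -dn "%s" -size %s -x509version 3 -expire 365 -fips -sig_alg %s\n' \
    "$db" "$pw" "$label" "$dn" "$size" "$alg"
}

# Example invocation with constructed values (QM1 is a hypothetical queue manager):
# build_create_cmd /var/mqm/qmgrs/QM1/ssl/key.kdb 'kdb-password' QM1 "CN=QM1,O=Example,C=GB"
```

Run the printed command by piping the function's output to sh once the values have been checked.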
What to do next
Submit a certificate request to a CA. See Receive personal certificates into a key repository on UNIX, Linux, and Windows for further information.