Requesting a personal certificate on UNIX, Linux, and Windows

We can request a personal certificate by using the strmqikm (iKeyman) GUI, or from the command line using the runmqckm (iKeycmd) or runmqakm (GSKCapiCmd) commands. To manage SSL or TLS certificates in a way that is FIPS-compliant, use the runmqakm command.


About this task

We can request a personal certificate using the strmqikm GUI, or from the command line, subject to the following considerations:

  • IBM MQ does not support SHA-3 or SHA-5 algorithms. We can use the digital signature algorithm names SHA384WithRSA and SHA512WithRSA because both algorithms are members of the SHA-2 family.
  • The digital signature algorithm names SHA3WithRSA and SHA5WithRSA are deprecated because they are an abbreviated form of SHA384WithRSA and SHA512WithRSA respectively.
  • Not all digital certificates can be used with all CipherSpecs. Ensure that we request a certificate that is compatible with the CipherSpecs we need to use. IBM MQ supports three different types of CipherSpec. For details, see Interoperability of Elliptic Curve and RSA CipherSpecs in the Digital certificates and CipherSpec compatibility in IBM MQ topic.
  • To use the Type 1 CipherSpecs (with names beginning ECDHE_ECDSA_) we must use the runmqakm command to request the certificate and we must specify an Elliptic Curve ECDSA signature algorithm parameter; for example, -sig_alg EC_ecdsa_with_SHA384.
  • Only the runmqakm command provides a FIPS-compliant option.
  • If we are using cryptographic hardware, see Requesting a personal certificate for the PKCS #11 hardware.
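
The considerations above, expressed as a pre-flight check that builds (but does not run) a runmqakm certificate request. This is an added example, not IBM's code; the key database path, label, DN, request file, key sizes and the use of a stashed password are assumptions.

```shell
#!/bin/sh
# Build (do not execute) a runmqakm certificate-request command line that
# honours the considerations listed above.
# Constructed placeholders: key database, label, DN and request file.
KEYDB="${KEYDB:-/var/mqm/qmgrs/QM1/ssl/key.kdb}"
LABEL="${LABEL:-ibmwebspheremqqm1}"
DN="${DN:-CN=QM1,O=Example,C=US}"
REQ="${REQ:-/tmp/qm1.csr}"

# usage: mq_certreq_cmd <CipherSpec> <signature algorithm> [yes|no for FIPS]
mq_certreq_cmd() {
    cipherspec=$1 sig_alg=$2 fips=${3:-no}

    # Deprecated abbreviations are rewritten to their full SHA-2 names.
    case $sig_alg in
        SHA3WithRSA) sig_alg=SHA384WithRSA ;;
        SHA5WithRSA) sig_alg=SHA512WithRSA ;;
    esac

    # Type 1 CipherSpecs (ECDHE_ECDSA_*) need an Elliptic Curve ECDSA
    # signature algorithm; refuse anything else before a CSR is created.
    case $cipherspec in
        ECDHE_ECDSA_*)
            case $sig_alg in
                EC_ecdsa_with_*) ;;
                *) echo "error: $cipherspec needs an EC_ecdsa_with_* -sig_alg, got $sig_alg" >&2
                   return 1 ;;
            esac ;;
    esac

    # Assumed key sizes: 384-bit curve for EC keys, 2048-bit for RSA keys.
    case $sig_alg in
        EC_ecdsa_with_*) size=384 ;;
        *) size=2048 ;;
    esac

    # runmqakm is used in every case because it covers both the EC and the
    # FIPS requirement; -stashed reads the password from the stash file
    # instead of exposing it on the command line.
    cmd="runmqakm -certreq -create -db $KEYDB -stashed -label $LABEL"
    cmd="$cmd -dn \"$DN\" -size $size -file $REQ -sig_alg $sig_alg"
    [ "$fips" = yes ] && cmd="$cmd -fips"
    printf '%s\n' "$cmd"
}
```

Review the printed command before running it on the queue manager host.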

If we are using the:

  • Use the strmqikm user interface
    We can request a personal certificate by using the strmqikm (iKeyman) GUI, or from the command line using the runmqckm (iKeycmd) or runmqakm (GSKCapiCmd) commands. To manage SSL or TLS certificates in a way that is FIPS-compliant, use the runmqakm command.
  • Use the command line
    We can request a personal certificate from the command line using the runmqckm (iKeycmd) or runmqakm (GSKCapiCmd) commands. To manage SSL or TLS certificates in a way that is FIPS-compliant, use the runmqakm command.

Last updated: 2020-10-04