Receive personal certificates into a key repository on UNIX, Linux, and Windows
Use this procedure to receive a personal certificate into the key database file. The key repository must be the same repository where you created the certificate request.
After the CA sends you a new personal certificate, you add it to the key database file from which you generated the new certificate request . If the CA sends the certificate as part of an email message, copy the certificate into a separate file.
Use strmqiqm
For to manage TLS certificates in a way that is FIPS compliant, use the runmqakm command. strmqiqm does not provide a FIPS-compliant option.
Ensure that the certificate file to be imported has write permission for the current user, and then use the following procedure for either a queue manager or an IBM MQ MQI client to receive a personal certificate into the key database file:
- Start the GUI using the strmqikm command (on Windows UNIX and Linux ).
- From the Key Database File menu, click Open. The Open window opens.
- Click Key database type and select CMS (Certificate Management System).
- Click Browse to navigate to the directory that contains the key database files.
- Select the key database file to which we want to add the certificate, for example key.kdb.
- Click Open, and then click OK. The Password Prompt window opens.
- Type the password you set when you created the key database and click OK. The name of your key database file is displayed in the File Name field. Select the Personal Certificates view.
- Click Receive. The Receive Certificate from a File window opens.
- Type the certificate file name and location for the new personal certificate, or click Browse to select the name and location.
- Click OK. If you already have a personal certificate in your key database, a window opens, asking if we want to set the key we are adding as the default key in the database.
- Click Yes or No. The Enter a Label window opens.
- Click OK. The Personal Certificates field shows the label of the new personal certificate you added.
Use the command line
To add a personal certificate to a key database file, use either of the following commands:- Use runmqckm:
runmqckm -cert -receive -file filename -db filename -pw password -format ascii
- Use runmqakm:
runmqakm -cert -receive -file filename -db filename -pw password -fips
where:
- -file filename
- Specifies the fully qualified file name of the personal certificate.
- -db filename
- Specifies the fully qualified file name of a CMS key database.
- -pw password
- Specifies the password for the CMS key database.
- -format ascii
- Specifies the format of the certificate. The value can be ascii for Base64-encoded ASCII or binary for Binary DER data. The default is ascii.
- -fips
- Specifies that the command is run in FIPS mode. When in FIPS mode, the ICC component uses algorithms that have been FIPS 140-2 validated. If the ICC component does not initialize in FIPS mode, the runmqakm command fails.
If we are using cryptographic hardware, refer to Receive a personal certificate into your PKCS #11 hardware.
Parent topic: Work with SSL/TLS on UNIX, Linux, and Windows