Requesting a personal certificate for the PKCS #11 hardware

Use this procedure for either a queue manager or an IBM MQ MQI client to request a personal certificate for the cryptographic hardware.


About this task

This task describes how to use the strmqikm user interface to request a personal certificate. If you are using the command line interface, see Use the command line.

Note: IBM MQ does not support SHA-3 or SHA-5 algorithms. You can use the digital signature algorithm names SHA384WithRSA and SHA512WithRSA because both algorithms are members of the SHA-2 family.

The digital signature algorithm names SHA3WithRSA and SHA5WithRSA are deprecated because they are an abbreviated form of SHA384WithRSA and SHA512WithRSA respectively.


Procedure

To request a personal certificate from the strmqikm (iKeyman) user interface, complete the following steps:

  1. Complete the steps to work with your cryptographic hardware. See Manage certificates on PKCS #11 hardware.
  2. From the Create menu, click New Certificate Request. The Create New Key and Certificate Request window opens.
  3. In the Key Label field, enter the certificate label. The label is either the value of the CERTLABL attribute, if it is set, or the default ibmwebspheremq with the name of the queue manager or IBM MQ MQI client logon user ID appended, all in lowercase. See Digital certificate labels for details.
  4. Select the Key Size and Signature Algorithm that you require.
  5. Enter values for Common Name and Organization, and select a Country. For the remaining optional fields, either accept the default values, or type or select new values. Note that you can supply only one name in the Organizational Unit field. For more information about these fields, see Distinguished Names.
  6. In the Enter the name of a file in which to store the certificate request field, either accept the default certreq.arm, or type a new value with a full path.
  7. Click OK. A confirmation window opens.
  8. Click OK. The Personal Certificate Requests list shows the label of the new personal certificate request you created. The certificate request is stored in the file you chose in step 6.
  9. Request the new personal certificate either by sending the file to a certificate authority (CA), or by copying the file into the request form on the website for the CA.
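
Before sending the file in step 9, the request can be checked against the choices made in steps 3 and 4. The following script is an added example, not part of the IBM documentation: the function names are hypothetical, and it assumes OpenSSL is installed, that the request file is a PEM-encoded PKCS #10 request, and that the key is RSA.

```shell
#!/bin/sh
# Added example (not IBM's code): sanity-check a certificate request before it goes to the CA.

# Step 3 rule: CERTLABL if set, otherwise ibmwebspheremq + name, all in lowercase.
# $1 = CERTLABL value (may be empty), $2 = queue manager name or client logon user ID
mq_expected_label() {
    if [ -n "$1" ]; then
        printf '%s\n' "$1"
    else
        printf 'ibmwebspheremq%s\n' "$2" | tr '[:upper:]' '[:lower:]'
    fi
}

# Replace the deprecated abbreviated algorithm names with the full SHA-2 names.
mq_sig_alg() {
    case "$1" in
        SHA3WithRSA) echo SHA384WithRSA ;;
        SHA5WithRSA) echo SHA512WithRSA ;;
        *) echo "$1" ;;
    esac
}

# $1 = request file (assumed PEM PKCS #10, RSA key), $2 = minimum key size in bits,
# $3 = signature algorithm name as chosen in step 4. Returns 0 only if all checks pass.
check_request() {
    # The self-signature shows the request was signed by the key it asks to certify.
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK' || {
        echo "FAIL: request self-signature did not verify"; return 1; }
    text=$(openssl req -in "$1" -noout -text 2>/dev/null) || return 1
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public[- ]Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    [ -n "$bits" ] && [ "$bits" -ge "$2" ] || {
        echo "FAIL: key size ${bits:-unknown} is below $2"; return 1; }
    # OpenSSL prints, for example, sha384WithRSAEncryption for the name SHA384WithRSA.
    want="$(mq_sig_alg "$3" | sed 's/^SHA/sha/')Encryption"
    printf '%s\n' "$text" | grep -q "Signature Algorithm: $want" || {
        echo "FAIL: signature algorithm is not $want"; return 1; }
    echo "OK: $bits-bit key, $want"
}

# Usage: sh check_request.sh certreq.arm 2048 SHA384WithRSA
if [ "$#" -ge 3 ]; then check_request "$@"; fi
```

The label is not stored in the request file, so compare the output of `mq_expected_label` with the entry shown in the Personal Certificate Requests list.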
