+

Search Tips | Advanced Search

Receive a personal certificate into your PKCS #11 hardware

Use this procedure for either a queue manager or an IBM MQ MQI client to receive a personal certificate to your cryptographic hardware.


Before starting

Add the CA certificate of the CA that signed the personal certificate. Add it into either the cryptographic hardware or the secondary CMS key database. Do this before you receive the signed certificate into the cryptographic hardware. To add a CA certificate to a key ring, follow the procedure in Adding a CA certificate, or the public part of a self-signed certificate, into a key repository on UNIX, Linux, and Windows.


Procedure

  • To receive a personal certificate using the strmqiqm (iKeyman) user interface, complete the following steps:
    1. Complete the steps to work with your cryptographic hardware. See Manage certificates on PKCS #11 hardware.
    2. Click Receive. The Receive Certificate from a File window opens.
    3. Type the certificate file name and location for the new personal certificate, or click Browse to select the name and location.
    4. Click OK. If you already have a personal certificate in your key database a window opens, asking if we want to set the key we are adding as the default key in the database.
    5. Click Yes or No. The Enter a Label window opens.
    6. Click OK. The Personal Certificates list shows the label of the new personal certificate you added. This label is formed by adding the cryptographic token label before the label you supplied.

  • To receive a personal certificate using the runmqakm (GSKCapiCmd) command, complete the following steps:
    1. Open a command window that is configured for the environment.
    2. Receive the personal certificate by using the runmqakm (GSKCapiCmd) command: 
       runmqakm -cert -receive -file filename -crypto module_name
          -tokenlabel hardware_token -pw hardware_password
          -format cert_format -fips
          -secondaryDB filename -secondaryDBpw password
      where:

        -file filename
        Specifies the fully qualified file name of the file containing the personal certificate.

        -crypto module_name
        Specifies the fully qualified name of the PKCS #11 library supplied with the cryptographic hardware.

        -tokenlabel hardware_token
        Specifies the PKCS #11 cryptographic device token label.

        -pw hardware_password
        Specifies the password for access to the cryptographic hardware.

        -format cert_format
        Specifies the format of the certificate. The value can be ascii for Base64-encoded ASCII or binary for binary DER data. The default is ASCII.

        -fips
        Specifies that the command is run in FIPS mode. When in FIPS mode, the ICC component uses algorithms that are FIPS 140-2 validated. If the ICC component does not initialize in FIPS mode, the runmqakm command fails.

        -secondaryDB filename
        Specifies the fully qualified file name of the CMS key database.

        -secondaryDBpw password
        Specifies the password for the CMS key database.

Parent topic: Manage certificates on PKCS #11 hardware

Last updated: 2020-10-04