This document provides instructions for generating a Certificate Signing Request (CSR) for IMB Websphere MQ using command line. If you are unable to use these instructions for your server, Symantec recommends that you contact IBM.
NOTE: Before generating a CSR, you first need to create a key pair for your server. These two items are a digital certificate key pair and cannot be separated. If you lose your public/private key file, forget your password, or generate a new key file, your SSL Certificate will no longer match your private key. You will have to replace the SSL Certificate and may be charged.
NOTE: SHA-1 Signature Algorithm is the default in GSKit 18.104.22.168 and later. Ikeyman and Ikeycmd (gsk7md) v7 in IHS 6.0.2 and
later support selecting between MD5 and SHA-1 by creating a "ikmuser.properties" in your working directory with a
single line containing just: DEFAULT_SIGNATURE_ALGORITHM=SHA1_WITH_RSA
For more information about selecting signature algorithm in ikeyman please refer to the IBM website
NOTE: To generate a CSR using the IKEYMAN GUI, follow these steps
Step 1. Prepare your system
- Use the gsk7cmd command to create and sign the certificates. Run the gsk7cmd for a full list of the parameters you can use on the command:
- Set the DISPLAY environment variable. For example: export DISPLAY=mypc:0.
- Ensure that the user's path contains /usr/bin.
- Set the JAVA_HOME environment variable:
a) AIX: export JAVA_HOME =/usr/mqm/ssl/jre
b) HP-UX: export JAVA_HOME =/opt/mqm/ssl
c) Linux: export JAVA_HOME =/opt/mqm/ssl/jre
d) Solaris: export JAVA_HOME =/opt/mqm/ssl
Step 2. Create a Keystore
- Run the following command to create a key repository
gsk7cmd -keydb -create -db filename -pw password -type cms -expire days –stash
runmqckm -keydb -create -db filename -pw password -type cms -expire days –stash
- -db filename is the fully qualified name of a CMS key database, for example: dbkey.kdb
- -pw password is the password for the CMS key database, with an extension .cms.
- -type cms is the type of database.
- -expire days is the expiration time in days of the database password. The default is 60 days.
- -stash tells iKeycmd to stash the key database password to a file
NOTE: On Windows, the key database file (.kdb) is created with read permission for all user IDs, so it is not necessary
to change permissions. On UNIX, .kdb and .sth files are created. Access permissions for the key database file are set
to give access only to the user ID from which you used iKeyman or iKeycmd.
Step 3. Generate a CSR
- The CSR needs to contain the following Distinguished Name :
- Country Name (C): Enter the two-character abbreviation of country in which organization resides (e.g. US).
- State or Province (S): Enter the full name of your state or province.
Note: Make sure the State or Province is not abbreviated (e.g. California).
- Locality or City (L): Usually the city of your organization's main office, or a main office for your organization.
- Organization (O): The full legal name of your company.
- Organizational Unit (OU): Use this field to differentiate between divisions within an organization.
- Common Name (CN): The fully-qualified domain name to which your certificate will be issued.
Please do not enter an email address, challenge password or an optional company name when generating the CSR.
- To generate a CSR, run the following command:
gsk7cmd -certreq -create -db -pw -label -dn "CN=>Fully Qualified Domain Names>O=<Company Name>C=<Two Character Country Code>" -size -file
runmqckm -certreq -create -db -pw -label -dn "CN=<Fully Qualified Domain Name>,O=<Company Name>,C=Two Character Country Code>" -size -file
- -db is the fully qualified name of a CMS key database, for example: dbkey.kdb
- -pw is the password for the CMS key database, with an extension .cms.
- -label is the key label attached to the certificate, for example: "ibmwebspheremqqmname"
- -dn is the X.509 distinguished name enclosed in double quotes
- -size is the key size. The value must be 2048 bits.
- -file is the filename for the certificate request, for example: QMNAME_request.arm
- The file you created contains the CSR.
- Verify your CSR
- Proceed with Enrolment
During the verification process, Symantec may need to contact your organization. Be sure to provide an email address,
phone number and fax number that will be checked and responded to quickly. These fields are not part of the certificate.
Once the SSL certificate has been issued, follow these steps to install it on the server.
For more information refer to IBM documentation