Ask a Question

Advanced Search

Alert ID : INFO222

Last Modified : 05/03/2018

Certificate Signing Request (CSR) Generation Instructions for IBM WebSphere MQ using command line


This document provides instructions for generating a Certificate Signing Request (CSR) for IMB Websphere MQ using command line. If you are unable to use these instructions for your server, Symantec recommends that you contact IBM.
NOTE: Before generating a CSR, you first need to create a key pair for your server.  These two items are a digital certificate key pair and cannot be separated.  If you lose your public/private key file, forget your password, or generate a new key file, your SSL Certificate will no longer match your private key. You will have to replace the SSL Certificate and may be charged.

NOTE: SHA-1 Signature Algorithm is the default in GSKit and later. Ikeyman and Ikeycmd (gsk7md) v7 in IHS 6.0.2 and 
later support selecting between MD5 and SHA-1 by creating a "" in your working directory with a 
single line containing just: DEFAULT_SIGNATURE_ALGORITHM=SHA1_WITH_RSA

For more information about selecting  signature algorithm in ikeyman please refer to the IBM website

NOTE: To generate a CSR using the IKEYMAN GUI, follow these steps

Step 1. Prepare your system

  1. Use the gsk7cmd command to create and sign the certificates. Run the gsk7cmd for a full list of the parameters you can use on the command:

    For Linux:


    For  Windows:

    C:\Program Files\IBM\gsk7\bin\gsk7cmd
  2. Set the DISPLAY environment variable. For example: export DISPLAY=mypc:0.
  • Ensure that the user's path contains /usr/bin.
  • Set the JAVA_HOME environment variable: 

                          a) AIX: export JAVA_HOME =/usr/mqm/ssl/jre 
                          b) HP-UX: export JAVA_HOME =/opt/mqm/ssl 
                          c) Linux: export JAVA_HOME =/opt/mqm/ssl/jre 
                          d) Solaris: export JAVA_HOME =/opt/mqm/ssl

Step 2. Create a Keystore

  1. Run the following command to create a key repository

    For Unix:

    gsk7cmd -keydb -create -db filename -pw password -type cms -expire days –stash 

    For Windows

    runmqckm -keydb -create -db filename -pw password -type cms -expire days –stash
  • -db filename is the fully qualified name of a CMS key database, for example: dbkey.kdb 
  • -pw password is the password for the CMS key database, with an extension .cms.
  • -type cms is the type of database.
  • -expire days is the expiration time in days of the database password. The default is 60 days.
  • -stash tells iKeycmd to stash the key database password to a file

           NOTE: On Windows, the key database file (.kdb) is created with read permission for all user IDs, so it is not necessary
           to change permissions. On UNIX, .kdb and .sth files are created. Access permissions for the key database file are set
           to give access only to the user ID from which you used iKeyman or iKeycmd.

Step 3. Generate a CSR

  1. The CSR needs to contain the following Distinguished Name :
    • Country Name (C): Enter the two-character abbreviation of country in which organization resides (e.g. US).
    • State or Province (S): Enter the full name of your state or province.
      Note: Make sure the State or Province is not abbreviated (e.g. California).
    • Locality or City (L): Usually the city of your organization's main office, or a main office for your organization.
    • Organization (O): The full legal name of your company.
    • Organizational Unit (OU): Use this field to differentiate between divisions within an organization.
    • Common Name (CN): The fully-qualified domain name to which your certificate will be issued.
      Please do not enter an email address, challenge password or an optional company name when generating the CSR.

  2. To generate a CSR, run the following command:

    For Unix:

    gsk7cmd -certreq -create -db -pw -label -dn "CN=>Fully Qualified Domain Names>O=<Company Name>C=<Two Character Country Code>" -size -file

    For Windows:

    runmqckm -certreq -create -db -pw -label -dn "CN=<Fully Qualified Domain Name>,O=<Company Name>,C=Two Character Country Code>" -size -file 
  • -db is the fully qualified name of a CMS key database, for example: dbkey.kdb
  • -pw is the password for the CMS key database, with an extension .cms.
  • -label is the key label attached to the certificate, for example: "ibmwebspheremqqmname"
  • -dn is the X.509 distinguished name enclosed in double quotes
  • -size is the key size. The value must be 2048 bits.
  • -file is the filename for the certificate request, for example: QMNAME_request.arm
  1. The file you created contains the CSR.
  2. Verify your CSR
  3. Proceed with Enrolment 

Contact Information

         During the verification process, Symantec may need to contact your organization. Be sure to provide an email address, 
         phone number and fax number that will be checked and responded to quickly. These fields are not part of the certificate.

Once the SSL certificate has been issued, follow these steps to install it on the server.


         For more information refer to IBM documentation