This document provides instructions for generating a Certificate Signing Request (CSR) for IBM WebSphere MQ using the iKeyman GUI. If you are unable to use these instructions for your server, Symantec recommends that you contact IBM.
NOTE: Before generating a CSR, you first need to create a key pair for your server. These two items are a digital certificate key pair and cannot be separated. If you lose your public/private key file, forget your password, or generate a new key file, your SSL Certificate will no longer match your private key. You will have to request a new SSL Certificate from your Managed PKI for SSL Administrator.
For more information about selecting the signature algorithm in iKeyman, please refer to the IBM website.
NOTE: To generate a CSR using the command line, follow the steps from this link: INFO796
Step 1. Create a Keystore using iKeyman utility
- Start the iKeyman GUI using either the gsk7ikm command (UNIX) or the strmqikm command (Windows)
NOTE: To use the iKeyman GUI, be sure that your machine can run the X Windows system
- Open WebSphere MQ Explorer and right-click IBM WebSphere MQ
- Select Manage SSL Certificates.
- The tool displays its graphical interface.
- Create the key database file by selecting Key Database File > New.
- Accept the default key database type of CMS.
- Use the default location for the key database, which is <mqroot>\Qmgrs\<qmgrname>\ssl. The default name is key.kdb
- In the Location field, enter the path on the hard drive where you want to store the .kdb file.
NOTE: The default location is: C:\Program Files\IBM\WebSphere\AppServer\profiles\default\etc, but you can also provide a different location where you want to store your keystore file.
- Click OK.
- Enter a password and click OK.
Step 2. Generate a Certificate Signing Request
NOTE: All certificates that will expire after December 2013 must have a 2048-bit key size.
- From the iKeyman graphical user interface (GUI) click Create
- Click New Certificate Request
- Type the following in the Key Label field: For a WebSphere MQ client, ibmwebspheremq followed by your logon user ID (in lowercase).
For example: ibmwebspheremqmyuserid.
- The Key Size must be at least 2048 bits
- The CSR needs to contain the following attributes:
- Country Name (C): Enter the two-character abbreviation of country in which organization resides (e.g. US).
- State or Province (S): Enter the full name of your state or province.
Note: Make sure the State or Province is not abbreviated (e.g. California).
- Locality or City (L): Usually the city of your organization's main office, or a main office for your organization.
- Organization (O): The full legal name of your company.
- Organizational Unit (OU): Use this field to differentiate between divisions within an organization.
- Common Name (CN): The fully-qualified domain name to which your certificate will be issued.
Please do not enter an email address, challenge password or an optional company name when generating the CSR.
- In the field "Enter the name of a file in which to store the certificate request", either accept the default certreq.arm, or type a new path name.
- Click OK. When the confirmation window displays, click OK again.
- The file you created contains the CSR
- Verify your CSR
- Proceed with Enrolment
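One way to carry out the "Verify your CSR" step locally, added here as an example and not taken from the original article or from IBM or Symantec tooling: a shell function that checks the request file against the requirements listed in Step 2 using the OpenSSL command-line tool. The function name check_csr is hypothetical, the request file is assumed to be a PEM (Base64) encoded RSA request, and the state-abbreviation check is a heuristic.

```shell
#!/bin/sh
# Added example, not part of the original article. check_csr is a
# hypothetical helper; assumes the OpenSSL CLI and an RSA, PEM-encoded CSR.
check_csr() {
    csr=$1; rc=0
    fail() { echo "FAIL: $1" >&2; rc=1; }

    # A valid self-signature shows the request is intact and was signed by
    # the private key that stays behind in the key database.
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' ||
        { echo "FAIL: unreadable CSR or bad self-signature" >&2; return 1; }

    text=$(openssl req -in "$csr" -noout -text)
    subject=$(openssl req -in "$csr" -noout -subject -nameopt RFC2253)
    # Extract one attribute from "subject=CN=...,O=...,ST=...,C=US".
    field() { printf '%s\n' "$subject" | sed -n "s/.*[=,]$1=\([^,]*\).*/\1/p"; }

    bits=$(printf '%s\n' "$text" |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    [ "${bits:-0}" -ge 2048 ] || fail "key size ${bits:-unknown}, need >= 2048"

    c=$(field C); st=$(field ST); cn=$(field CN)
    [ "${#c}" -eq 2 ] || fail "Country '$c' is not a two-character code"
    # Heuristic: two- or three-letter values are treated as abbreviations.
    [ "${#st}" -gt 3 ] || fail "State '$st' is missing or abbreviated"
    printf '%s\n' "$cn" | grep -Eq '^[A-Za-z0-9*-]+(\.[A-Za-z0-9-]+)+$' ||
        fail "Common Name '$cn' is not a fully-qualified domain name"

    # Fields the article says to leave out of the request.
    case $subject in *emailAddress=*) fail "subject has an email address" ;; esac
    if printf '%s\n' "$text" | grep -Eq 'challengePassword|unstructuredName'
    then fail "challenge password or optional company name present"; fi

    [ "$rc" -eq 0 ] && echo "OK: $csr meets the listed requirements"
    return "$rc"
}

# Usage: sh check_csr.sh certreq.arm
if [ $# -gt 0 ]; then check_csr "$1"; fi
```

Only the CSR file is read; the private key never leaves the key database, so the check can be run on any workstation that has OpenSSL.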
Once the SSL certificate has been issued, follow the steps from this link to install it on the server: INFO285
For more information refer to IBM documentation