Ask a Question

Advanced Search

Alert ID : INFO266

Last Modified : 04/22/2019

Managed PKI for SSL - Certificate Signing Request (CSR) Generation Instructions for IBM WebSphere using the IKEYMAN GUI


This document provides instructions for generating a Certificate Signing Request (CSR) for IMB Websphere MQ using IKEYMAN GUI. If you are unable to use these instructions for your server, Symantec recommends that you contact IBM.
NOTE: Before generating a CSR, you first need to create a key pair for your server.  These two items are a digital certificate key pair and cannot be separated.  If you lose your public/private key file, forget your password, or generate a new key file, your SSL Certificate will no longer match your private key. You will have to request a new SSL Certificate by your Managed PKI for SSL Administrator.

For more information about selecting  signature algorithm in ikeyman please refer to the IBM website

NOTE: To generate a CSR using the command line, follow the steps from this link: INFO796

Step 1. Create a Keystore using iKeyman utility

  1. Start the iKeyman GUI using either the gsk7ikm command (UNIX) or the strmqikm command (Windows) 
    NOTE: To use the iKeyman GUI, be sure that your machine can run the X Windows system
  2. Open WebSphere MQ Explorer and right-clicking on IBM Websphere MQ
  3. Select Manage SSL Certificates.
  4. The tool displays a graphical interface that looks like

  5. Create the key database file by selecting Key Database File > New.

  6. Accept the default key database type of CMS.
  7. Use the default location for the key database, which is <mqroot>\Qmgrs\<qmgrname>\ssl. The default name is key.kdb

  8. Enter a Location for the location on the hard drive where you want to store the .kdb file.
    NOTE:  The default location is: C:\Program Files\IBM\WebSphere\AppServer\profiles\default\etc,
    but you also can provide a different location where you want to store your keystore file. 

  9. Click OK.
  10. Enter a password and click OK.

Step 2.  Generate a Certificate Signing Request

NOTE: All certificates that will expire after December 2013 must have a 2048 bit key size

  1. From the iKeyman graphical user interface (GUI) click Create
  2. Click New Certificate Request
  3. Type the following in the Key Label field: For a WebSphere MQ client, ibmwebspheremq followed by your logon user ID (in lowercase).
    For example:
  4. The Key Size must be at least 2048 bits
  5. The CSR needs to contain the following attributes:
    • Country Name (C): Enter the two-character abbreviation of country in which organization resides (e.g. US).
    • State or Province (S): Enter the full name of your state or province.
      Note: Make sure the State or Province is not abbreviated (e.g. California).
    • Locality or City (L): Usually the city of your organization's main office, or a main office for your organization.
    • Organization (O): The full legal name of your company.
    • Organizational Unit (OU): Use this field to differentiate between divisions within an organization.
    • Common Name (CN): The fully-qualified domain name to which your certificate will be issued.
      Please do not enter an email address, challenge password or an optional company name when generating the CSR.

  6. For Enter the name of a file in which to store the certificate request, either accept the default certreq.arm, or type a new path name.
  7. Click OK. When the confirmation window displays, click OK again.
  8. The file you created contains the CSR
  9. Verify your CSR
  10. Proceed with Enrolment

Once the SSL certificate has been issued, follow the steps from this link to install it on the server: INFO285


          For more information refer to IBM documentation