Ask a Question

Advanced Search

Solution ID : SO22408

Last Modified : 05/22/2018

Certificate Signing Request (CSR) Generation Instructions for IBM WebSphere MQ using the IKEYMAN GUI


This document was created to assist with the generation of a Certificate Signing Request (CSR) for IBM WebSphere MQ using the IKEYMAN GUI. If this document can not be used within the environment, RapidSSL recommends contacting an organization that supports WebSphere MQ.  For documentation on generating the CSR using command line, please click here.

NOTE: As of 1/1/2016 all public SSL certificates must be issued as SHA-256 with at least a 2048-bit key size.  Please ensure that the server can support these standards before requesting a certificate.  For information related to selecting a signature algorithm, please click here.


Step 1. Create a Keystore using iKeyman utility

  1. Start the iKeyman GUI using either the gsk7ikm command (UNIX) or the strmqikm command (Windows) 

    NOTE: To use the iKeyman GUI, be sure that your machine can run the X Windows system
  2. Open WebSphere MQ Explorer and right-clicking on IBM Websphere MQ
  3. Select Manage SSL Certificates.

  4. Create the key database file by selecting Key Database File > New

  5. Accept the default key database type of CMS.
  6. Use the default location for the key database, which is

    \Qmgrs\\ssl. The default name is key.kdb

  7. Enter a Location for the location on the hard drive where you want to store the .kdb file.  The default location is: C:\Program Files\IBM\WebSphere\AppServer\profiles\default\etc,

  8. Click OK.
  9. Enter a password and click OK.

Step 2.  Generate a Certificate Signing Request

  1. From the iKeyman graphical user interface (GUI) click Create
  2. Click New Certificate Request
  3. Type the following in the Key Label field: For a WebSphere MQ client, ibmwebspheremq followed by your logon user ID (in lowercase). For example: ibmwebspheremqmyuserid.
  4. Select a key size at least 2048.  If the 2048 bit Key Size does not appear in the drop down list, refer to following IBM solution
  5. Enter the CSR details.

    Country Name (C): Use the two-letter ISO code without punctuation for country, for example: US
    State or Province (S): Do not abbreviate the state or province name, for example: California
    Locality or City (L): The Locality field is the city or town name, for example: Mountain View
    Organization (O): Enter the organization name as it is registered.  Avoid special characters.  For example:  Symantec Corporation
    Organizational Unit (OU): This field is the name of the department or organization unit making the request.  For example, Technical Support
    Common Name (CN): The Common Name is the Host + Domain Name. For example, or * for a wildcard.
  6. Enter a file name and path to save the CSR file.
  7. Click OK. When the confirmation window displays, click OK again.
  8. Proceed with Enrolment.

Contact Information

During the verification process, RapidSSL may need to contact your organization.  Be sure to provide an email address, phone number and fax number that will be checked and responded to quickly. These fields are not part of the certificate.

Once the SSL certificate has been issued, refer to this link for installation instructions.


           For more information refer to IBM documentation