Requesting a personal certificate

Requesting a personal certificate

To apply for a personal certificate, use the iKeyman tool as follows:

Start the iKeyman GUI using either the gsk7ikm command (UNIX) or the strmqikm command (Windows).
From the Key Database File menu, click Open. The Open window displays.
Click Key database type and select CMS (Certificate Management System).
Click Browse to navigate to the directory that contains the key database files.
Select the key database file from which you want to generate the request, for example key.kdb.
Click Open. The Password Prompt window displays.
Type the password you set when you created the key database and click OK. The name of your key database file displays in the File Name field.
From the Create menu, click New Certificate Request. The Create New Key and Certificate Request window displays.
In the Key Label field, type:

For a queue manager, ibmwebspheremq followed by the name of your queue manager changed to lower case. For example, for QM1, ibmwebspheremqqm1, or
For a WebSphere MQ client, ibmwebspheremq followed by your logon user ID folded to lower case, for example ibmwebspheremqmyuserid.

Type a Common Name and Organization, and select a Country. For the remaining optional fields, either accept the default values, or type or select new values. Note that we can supply only one name in the Organizational Unit field. For more information about these fields, refer to Distinguished Names.

In the Enter the name of a file in which to store the certificate request field, either accept the default certreq.arm, or type a new value with a full path.
Click OK. A confirmation window displays.
Click OK. The Personal Certificate Requests list shows the label of the new personal certificate request you created. The certificate request is stored in the file you chose in step 11.
Request the new personal certificate either by sending the file to a Certification Authority (CA), or by copying the file into the request form on the Web site for the CA.

Use the following commands to request a personal certificate using IKEYCMD or GSKCapiCmd:
On UNIX:
gsk7cmd -certreq -create -db filename -pw password -label label 
        -dn distinguished_name -size key_size -file filename
On Windows:
runmqckm -certreq -create -db filename -pw password -label label 
        -dn distinguished_name -size key_size -file filename
Using GSKCapiCmd:
gsk7capicmd -certreq -create -db filename -pw password -label label 
        -dn distinguished_name -size key_size -file filename -fips
        -sigalg md5 | sha1 | sha224 | sha256 | sha384 | sha512
where:

-db filename is the fully qualified file name of a CMS key database.
-pw password is the password for the CMS key database.
-label label is the key label attached to the certificate.
-dn distinguished_name
is the X.500 distinguished name enclosed in double quotes. Note that only the CN attribute is required. We can supply multiple OU attributes.
-size key_size is the key size. If you are using IKEYCMD, the value can be 512 or 1024.
If you are using GSKCapiCmd, the value can be 512, 1024, or 2048.
-file filename is the filename for the certificate request.
-fips specifies that the command is run in FIPS mode. This mode disables the use of the BSafe cryptographic library. Only the ICC component is used and this component must be successfully initialized in FIPS mode. When in FIPS mode, the ICC component uses algorithms that have been FIPS 140-2 validated. If the ICC component does not initialize in FIPS mode, the gsk7capicmd command fails.
-sigalg The hashing algorithm used during the creation of a certificate request, a self-signed certificate, or the signing of a certificate. This hashing algorithm is used to create the signature associated with the newly-created certificate request. The value can be md5, sha1, sha224, sha256, sha384, or sha512. The default is sha1.

If you are using cryptographic hardware, refer to Requesting a personal certificate for your PKCS #11 hardware.

Parent topic:
Obtaining personal certificates

sy12270_

-db filename	is the fully qualified file name of a CMS key database.
-pw password	is the password for the CMS key database.
-label label	is the key label attached to the certificate.
-dn distinguished_name	is the X.500 distinguished name enclosed in double quotes. Note that only the CN attribute is required. We can supply multiple OU attributes.
-size key_size	is the key size. If you are using IKEYCMD, the value can be 512 or 1024. If you are using GSKCapiCmd, the value can be 512, 1024, or 2048.
-file filename	is the filename for the certificate request.
-fips	specifies that the command is run in FIPS mode. This mode disables the use of the BSafe cryptographic library. Only the ICC component is used and this component must be successfully initialized in FIPS mode. When in FIPS mode, the ICC component uses algorithms that have been FIPS 140-2 validated. If the ICC component does not initialize in FIPS mode, the gsk7capicmd command fails.
-sigalg	The hashing algorithm used during the creation of a certificate request, a self-signed certificate, or the signing of a certificate. This hashing algorithm is used to create the signature associated with the newly-created certificate request. The value can be md5, sha1, sha224, sha256, sha384, or sha512. The default is sha1.