
Digital certificate considerations for MQIPT


Certificate key size considerations for MQIPT

The public key size depends on your organization's security policy and on the encryption algorithm used. In general, larger key sizes are more secure. The following table lists the minimum key sizes that you should use:

    Algorithm        Minimum key size (bits)
    Elliptic Curve   256
    RSA              2048
Specify the key size of your certificate when you create a certificate or certificate request.


Selecting an appropriate certificate digital signature algorithm

To prevent forgery of digital certificates, it is important to use a strong digital signature algorithm. When you create or request a certificate, take care to select a good algorithm.

You should avoid using old digital signature algorithms based on MD5 or SHA-1 as these algorithms are no longer sufficiently secure for modern usage. If possible, use one of the newer SHA-2 based digital signature algorithms such as SHA-256 with RSA (SHA256WithRSA).

Versions of MQIPT earlier than Version 2.1 do not support SHA-2 digital signatures, so for interoperability with previous MQIPT releases, use the SHA1WithRSA digital signature algorithm. However, you should plan to upgrade older versions of MQIPT and phase out the use of MD5 and SHA-1 digital signatures.
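As an added example, not part of the MQIPT documentation or product, the following Java program opens an MQIPT key ring with standard JDK APIs and applies both recommendations above: it flags certificates whose public key is below the table's minimum size and certificates signed with an MD5- or SHA-1-based algorithm. The key ring path, its store type (PKCS12 or JKS) and the password are assumed command-line arguments; the class and method names are this example's own.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.RSAPublicKey;
import java.util.Enumeration;

public class MqiptCertCheck {
    // Minimum public key sizes from the table above.
    static final int MIN_RSA_BITS = 2048;
    static final int MIN_EC_BITS = 256;
    // Key size in bits, or -1 for algorithms (e.g. DSA) the table does not cover.
    static int keyBits(PublicKey key) {
        if (key instanceof RSAPublicKey) {
            return ((RSAPublicKey) key).getModulus().bitLength();
        }
        if (key instanceof ECPublicKey) {
            return ((ECPublicKey) key).getParams().getCurve().getField().getFieldSize();
        }
        return -1;
    }
    // True when the certificate's signature algorithm is MD5- or SHA-1-based (e.g. SHA1withRSA).
    static boolean weakSignature(X509Certificate cert) {
        String alg = cert.getSigAlgName().toUpperCase();
        return alg.contains("MD5") || alg.contains("SHA1");
    }
    static void report(String alias, X509Certificate cert) {
        PublicKey key = cert.getPublicKey();
        int bits = keyBits(key);
        int min = key instanceof RSAPublicKey ? MIN_RSA_BITS : MIN_EC_BITS;
        String keyVerdict = bits < 0 ? "not in table" : bits < min ? "TOO SMALL (min " + min + ")" : "ok";
        String sigVerdict = weakSignature(cert) ? "WEAK, reissue with a SHA-2 algorithm" : "ok";
        System.out.printf("%s: %s %d bits [%s]; %s [%s]%n",
                alias, key.getAlgorithm(), bits, keyVerdict, cert.getSigAlgName(), sigVerdict);
    }
    // Assumed invocation: java MqiptCertCheck <key ring file> <PKCS12|JKS> <password>
    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance(args[1]);
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[2].toCharArray());
        }
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            Certificate c = ks.getCertificate(alias);
            if (c instanceof X509Certificate) report(alias, (X509Certificate) c);
        }
    }
}
```

Self-signed CA certificates in the key ring are also reported, since a weak signature on a trusted root is still worth tracking during a phase-out.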


Digital certificate and CipherSuite compatibility in MQIPT

Not all CipherSuites can be used with all digital certificates. There are various types of CipherSuite, grouped by their CipherSuite name prefix. Each type of CipherSuite imposes different restrictions on the type of digital certificate that can be used. These restrictions apply to all MQIPT SSL/TLS connections, but are particularly relevant to users of Elliptic Curve cryptography. When performing the secure socket handshake, MQIPT automatically selects a personal certificate to identify itself that is appropriate for the negotiated CipherSuite. In most cases MQIPT automatically interoperates with the remote peer. However, in certain scenarios you might need to use a specific MQIPT CipherSuite to interoperate with a remote IBM MQ system. The iKeyman application supplied with MQIPT is capable of creating certificates and certificate requests only with DSA and RSA public keys. Additionally, the IBM MQ runmqakm utility can create certificates and certificate requests with Elliptic Curve public keys. Consult your Certificate Authority for advice on creating other types of certificate.

The type of digital certificate to use depends upon the type of CipherSuite you are using:

Note: The mqiptKeyman and mqiptKeycmd tools are unable to create certificates or certificate requests with an Elliptic Curve public key. You can use the runmqakm command provided with IBM MQ for this purpose, as documented in the IBM MQ product documentation.