Creating a self-signed personal certificate

When you create a key database, no personal certificates are provided. However, you need a personal certificate before you can run an SSL channel. A self-signed personal certificate can be used to run SSL channels for the purposes of testing SSL communications. These certificates can be created on either a WebSphere(R) MQ queue manager or WebSphere MQ client system.

Use the following procedure to obtain a self-signed certificate for your queue manager or WebSphere MQ client:

  1. Start the iKeyman GUI using either the gsk7ikm command (on UNIX(R)) or the strmqikm command (on Windows(R)).
  2. From the Key Database File menu, click Open. The Open window displays.
  3. Click Key database type and select CMS (Certificate Management System).
  4. Click Browse to navigate to the directory that contains the key database files.
  5. Select the key database file in which you want to save the certificate, for example key.kdb.
  6. Click Open. The Password Prompt window displays.
  7. Type the password you set when you created the key database and click OK. The name of your key database file displays in the File Name field.
  8. From the Create menu, click New Self-Signed Certificate. The Create New Self-Signed Certificate window displays.
  9. In the Key Label field, type:
  10. Type a Common Name and Organization, and select a Country. For the remaining optional fields, either accept the default values, or type or select new values. Note that you can supply only one name in the Organizational Unit field. For more information about these fields, refer to Distinguished Names.
  11. Click OK. The Personal Certificates list shows the label of the self-signed personal certificate you created.

Use the following commands to create a self-signed personal certificate using iKeycmd:

where:

-db filename is the fully qualified file name of a CMS key database.
-pw password is the password for the CMS key database.
-label label is the key label attached to the certificate.
-dn distinguished_name is the X.500 distinguished name enclosed in double quotes. Note that only the CN, O, and C attributes are required, and that you can supply only one OU attribute.
-size key_size is the key size. The value can be 512 or 1024.
-x509version version is the version of X.509 certificate to create. The value can be 1, 2, or 3. The default is 3.
-expire days is the expiration time in days of the certificate. The default is 365 days for a certificate.