Step 1: Ensuring WebSphere MQ certificate stores contain complete certificate chains

This section explains how to ensure that complete certificate chains exist in the WebSphere® MQ certificate store. Complete this step before installing WebSphere MQ Version 6.0.

WebSphere MQ Version 6.0 uses the Global Security Toolkit (GSKit) to manage SSL certificates. Before installing WebSphere MQ Version 6.0 you must ensure that all WebSphere MQ certificate stores contain complete certificate chains.

Step 2: Migrating SSL certificates to Global Security Toolkit key database files gives guidance on migrating certificates used by WebSphere MQ Version 5.3 queue managers and WebSphere MQ clients into key database files for use with Global Security Toolkit.

As an alternative to Step 1: Ensuring WebSphere MQ certificate stores contain complete certificate chains and Step 2: Migrating SSL certificates to Global Security Toolkit key database files, you can manually configure a key database for each queue manager and WebSphere MQ client and import SSL certificates directly into it without migrating them. See 'Working with the Secure Sockets Layer (SSL) on UNIX® and Windows® systems' in the WebSphere MQ Version 6.0 Security book for details of how to do this. You will still need to complete Step 3: Ensuring Certificate Revocation Lists are in the correct format and Step 4: Ensuring SSLPEER values have correctly ordered OU entries.

The following sections give the background and necessary steps for "Ensuring WebSphere MQ certificate stores contain complete certificate chains":