The tools provided in the ES03 SupportPac enable a mini-certificate issuance service administrator to authorize mini-certificate issuance to an entity by registering its entity name and registered address and defining a one-time-use certificate request PIN. This would normally be done after off line checking to validate the authenticity of the requestor. The certificate request PIN can be posted to the intended user, as bank card PINs are posted when a new card is issued. The user of the private registry (for example the MQe application or MQe queue manager) can then be configured to provide this certificate request PIN at startup time. When the private registry triggers auto-registration, the mini-certificate issuance service validates the resulting new certificate request , issues the new mini-certificate and then resets the registered certificate request PIN so it cannot be reused. All auto-registration of new mini-certificate requests is processed on a secure channel.
We recommend that you refer to the MQe_MiniCertificateServer documentation included in the ES03 SupportPac, "MQe WTLS Mini-Certificate Server", for more details of how to install and use the WTLS digital certificate issuance service for MQe.