[AIX, Linux, Windows]

Commands for cryptographic device operations on AIX®, Linux, and Windows

You can use the runmqckm (iKeycmd) and runmqakm commands to manage keys and certificates for cryptographic device operations.

Note: IBM® MQ does not support SHA-3 or SHA-5 algorithms. You can use the digital signature algorithm names SHA384WithRSA and SHA512WithRSA because both algorithms are members of the SHA-2 family.

[Deprecated] The digital signature algorithm names SHA3WithRSA and SHA5WithRSA are deprecated because they are abbreviated forms of SHA384WithRSA and SHA512WithRSA respectively.

-keydb -changepw
Change the password for a cryptographic device:

Using the runmqckm command:

-keydb -changepw -crypto module_name -tokenlabel token_label
-pw password -new_pw new_password

If you are using certificates or keys stored on PKCS#11 cryptographic hardware, note that runmqckm and strmqikm are 64-bit programs. External modules required for PKCS#11 support will be loaded into a 64-bit process, therefore you must have a 64-bit PKCS#11 library installed for the administration of cryptographic hardware. The Windows and Linux® x86 32-bit platforms are the only exceptions, as the strmqikm and runmqckm programs are 32-bit on those platforms.

Using the runmqakm command:

-keydb -changepw -db filename -crypto module_name -tokenlabel token_label
-pw password -new_pw new_password -fips -strong

-keydb -list
List currently-supported types of key database:

Using the runmqckm command:

-keydb -list

Using the runmqakm command:

-keydb -list -fips

-cert -add
Add a certificate from a file to a cryptographic device:

Using the runmqckm command:

-cert -add -crypto module_name -tokenlabel token_label -pw password 
-label label -file filename -format ascii | binary

Using the runmqakm command:

-cert -add -crypto module_name -tokenlabel token_label -pw password 
-label label -file filename -format ascii | binary -fips

-cert -create
Create a self-signed certificate on a cryptographic device:

Using the runmqckm command:

-cert -create -crypto module_name -tokenlabel token_label
-pw password -label label -dn distinguished_name
-size 1024 | 512 -x509version 3 | 1 | 2 
-default_cert no | yes -expire days
-sig_alg MD2_WITH_RSA | MD2WithRSA |
MD5_WITH_RSA | MD5WithRSA |
SHA1WithDSA | SHA1WithRSA |
SHA256_WITH_RSA | SHA256WithRSA |
SHA2WithRSA | SHA384_WITH_RSA |
SHA384WithRSA | SHA512_WITH_RSA |
SHA512WithRSA | SHA_WITH_DSA |
SHA_WITH_RSA | SHAWithDSA |
SHAWithRSA

Using the runmqakm command:

-cert -create -crypto module_name -tokenlabel token_label
-pw password -label label -dn distinguished_name
-size 2048 | 1024 | 512 -x509version 3 | 1 | 2
-default_cert no | yes -expire days
-fips -sig_alg md5 | MD5_WITH_RSA | SHA_WITH_DSA |
SHA_WITH_RSA | sha1 | SHA1WithDSA |
SHA1WithECDSA | SHA1WithRSA |
sha224 | SHA224_WITH_RSA |
SHA224WithDSA | SHA224WithECDSA |
SHA224WithRSA | sha256 |
SHA256_WITH_RSA | SHA256WithDSA |
SHA256WithECDSA | SHA256WithRSA |
SHA2WithRSA | sha384 | SHA384_WITH_RSA |
SHA384WithECDSA | SHA384WithRSA |
sha512 | SHA512_WITH_RSA |
SHA512WithECDSA | SHA512WithRSA |
SHAWithDSA | SHAWithRSA |
EC_ecdsa_with_SHA1 | EC_ecdsa_with_SHA224 |
EC_ecdsa_with_SHA256 | EC_ecdsa_with_SHA384 |
EC_ecdsa_with_SHA512

-cert -delete
Delete a certificate on a cryptographic device:

Using the runmqckm command:

-cert -delete -crypto module_name -tokenlabel token_label -pw password -label label

Using the runmqakm command:

-cert -delete -crypto module_name -tokenlabel token_label -pw password -label label -fips

-cert -details
List the detailed information for a specific certificate on a cryptographic device:

Using the runmqckm command:

-cert -details -crypto module_name -tokenlabel token_label 
-pw password -label label

Using the runmqakm command:

-cert -details -crypto module_name -tokenlabel token_label 
-pw password -label label -fips

List the detailed information and show the full certificate for a specific certificate on a cryptographic device:

Using the runmqckm command:

-cert -details -showOID -crypto module_name -tokenlabel  token_label 
-pw password -label label

Using the runmqakm command:

-cert -details -showOID -crypto module_name -tokenlabel token_label
-pw password -label label -fips

-cert -extract
Extract a certificate from a key database:

Using the runmqckm command:

-cert -extract -crypto module_name -tokenlabel token_label -pw password 
-label label -target filename -format ascii | binary

Using the runmqakm command:

-cert -extract -crypto module_name -tokenlabel token_label -pw password 
-label label -target filename -format ascii | binary -fips

-cert -import
Import a certificate to a cryptographic device with secondary key database support:

Using the runmqckm command:

-cert -import -db filename -pw password -label label -type cms
-crypto module_name -tokenlabel token_label -pw  password
-secondaryDB filename -secondaryDBpw password

Using the runmqakm command:

-cert -import -db filename -pw password -label label -type cms
-crypto module_name -tokenlabel token_label -pw  password
-secondaryDB filename -secondaryDBpw password -fips

Import a PKCS #12 certificate to a cryptographic device with secondary key database support:

Using the runmqckm command:

-cert -import -file filename -pw password -type pkcs12
-crypto module_name -tokenlabel token_label -pw  password
-secondaryDB filename -secondaryDBpw password

Using the runmqakm command:

-cert -import -file filename -pw password -type pkcs12
-crypto module_name -tokenlabel token_label -pw  password
-secondaryDB filename -secondaryDBpw password -fips

-cert -list
List all certificates on a cryptographic device:

Using the runmqckm command:

-cert -list all | personal | CA -crypto module_name 
-tokenlabel token_label -pw  password

Using the runmqakm command:

-cert -list all | personal | CA -crypto module_name 
-tokenlabel token_label -pw password -fips

-cert -receive
Receive a certificate from a file to a cryptographic device with secondary key database support:

Using the runmqckm command:

-cert -receive -file filename -crypto module_name -tokenlabel  token_label
-pw password -default_cert yes | no -secondaryDB filename 
-secondaryDBpw password -format  ascii | binary

Using the runmqakm command:

-cert -receive -file filename -crypto module_name -tokenlabel  token_label
-pw password -default_cert yes | no -secondaryDB filename 
-secondaryDBpw password -format ascii | binary -fips

-certreq -create
Create a certificate request on a cryptographic device:

Using the runmqckm command:

-certreq -create -crypto module_name -tokenlabel token_label
-pw password -label label -dn distinguished_name
-size 1024 | 512 -file filename
-sig_alg MD2_WITH_RSA | MD2WithRSA | MD5_WITH_RSA |
MD5WithRSA | SHA1WithDSA | SHA1WithRSA |
SHA256_WITH_RSA | SHA256WithRSA |
SHA2WithRSA | SHA384_WITH_RSA |
SHA384WithRSA | SHA512_WITH_RSA |
SHA512WithRSA | SHA_WITH_DSA |
SHA_WITH_RSA | SHAWithDSA |
SHAWithRSA

Using the runmqakm command:

-certreq -create -crypto module_name -tokenlabel token_label
-pw password -label label -dn distinguished_name
-size 2048 | 1024 | 512 -file filename -fips
-sig_alg md5 | MD5_WITH_RSA | SHA_WITH_DSA |
SHA_WITH_RSA | sha1 | SHA1WithDSA |
SHA1WithECDSA | SHA1WithRSA |
sha224 | SHA224_WITH_RSA | SHA224WithDSA |
SHA224WithECDSA | SHA224WithRSA |
sha256 | SHA256_WITH_RSA | SHA256WithDSA |
SHA256WithECDSA | SHA256WithRSA |
SHA2WithRSA | sha384 | SHA384_WITH_RSA |
SHA384WithECDSA | SHA384WithRSA |
sha512 | SHA512_WITH_RSA |
SHA512WithECDSA | SHA512WithRSA |
SHAWithDSA | SHAWithRSA |
EC_ecdsa_with_SHA1 | EC_ecdsa_with_SHA224 |
EC_ecdsa_with_SHA256 | EC_ecdsa_with_SHA384 |
EC_ecdsa_with_SHA512
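
The -sig_alg and -size lists for -cert -create and -certreq -create still accept MD2, MD5 and SHA-1 based names and keys as small as 512 bits, so a script that wraps these commands can vet the parameters before it builds the argument line. The shell functions below are an added example, not part of the IBM documentation; the policy (SHA-256 or stronger digest, 2048-bit key) and the treatment of SHA2WithRSA and of bare "SHA" names are assumptions.

```shell
#!/bin/sh
# Added example, not IBM code. The policy thresholds are assumptions.

# Map a -sig_alg name from the syntax lists above to its digest family.
sig_alg_digest() {
    case "$1" in
        MD2*|md2*)                    echo md2 ;;
        MD5*|md5*)                    echo md5 ;;
        *SHA1*|sha1)                  echo sha1 ;;
        *SHA224*|sha224)              echo sha224 ;;
        *SHA256*|sha256)              echo sha256 ;;
        *SHA384*|sha384|SHA3WithRSA)  echo sha384 ;;  # deprecated alias per the note above
        *SHA512*|sha512|SHA5WithRSA)  echo sha512 ;;  # deprecated alias per the note above
        SHA2WithRSA)                  echo sha256 ;;  # assumption: same abbreviation scheme
        SHA_WITH_*|SHAWith*)          echo sha1 ;;    # assumption: bare "SHA" means SHA-1
        *)                            echo unknown ;;
    esac
}

# Example policy (assumption): SHA-256 or stronger digest, and a 2048-bit key,
# the largest -size value the runmqakm syntax above lists.
params_ok() {
    case "$(sig_alg_digest "$1")" in
        sha256|sha384|sha512) ;;
        *) return 1 ;;
    esac
    [ "$2" = 2048 ]
}

# Print the runmqakm argument line for a vetted request, or fail.
# Args: module_name token_label label dn file sig_alg size
# The token password stays as the page's placeholder ("password").
certreq_args() {
    if ! params_ok "$6" "$7"; then
        echo "rejected: -sig_alg $6 -size $7" >&2
        return 1
    fi
    printf '%s\n' "-certreq -create -crypto $1 -tokenlabel $2 -pw password -label $3 -dn \"$4\" -size $7 -file $5 -fips -sig_alg $6"
}

# Constructed sample: names taken from the -sig_alg lists above.
for alg in MD5_WITH_RSA SHAWithRSA SHA2WithRSA EC_ecdsa_with_SHA384; do
    if params_ok "$alg" 2048; then verdict=accept; else verdict=reject; fi
    echo "$alg: $(sig_alg_digest "$alg") -> $verdict"
done
```
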

-certreq -delete
Delete a certificate request from a cryptographic device:

Using the runmqckm command:

-certreq -delete -crypto module_name -tokenlabel token_label 
-pw password -label label

Using the runmqakm command:

-certreq -delete -crypto module_name -tokenlabel token_label 
-pw password -label label -fips

-certreq -details
List the detailed information of a specific certificate request on a cryptographic device:

Using the runmqckm command:

-certreq -details -crypto module_name -tokenlabel token_label 
-pw password -label label

Using the runmqakm command:

-certreq -details -crypto module_name -tokenlabel token_label 
-pw password -label label -fips

List the detailed information about a certificate request and show the full certificate request on a cryptographic device:

Using the runmqckm command:

-certreq -details -showOID -crypto module_name -tokenlabel  token_label 
-pw password -label label

Using the runmqakm command:

-certreq -details -showOID -crypto module_name -tokenlabel token_label
-pw password -label label -fips

-certreq -extract
Extract a certificate request from a certificate request database on a cryptographic device into a file:

Using the runmqckm command:

-certreq -extract -crypto module_name -tokenlabel token_label
-pw password -label label -target filename

Using the runmqakm command:

-certreq -extract -crypto module_name -tokenlabel token_label
-pw password -label label -target filename -fips

-certreq -list
List all certificate requests in the certificate request database on a cryptographic device:

Using the runmqckm command:

-certreq -list -crypto module_name -tokenlabel token_label
-pw password

Using the runmqakm command:

-certreq -list -crypto module_name -tokenlabel token_label
-pw password -fips