[UNIX, Linux, Windows]

Receiving a personal certificate into your PKCS #11 hardware

Use this procedure for either a queue manager or an IBM® MQ MQI client to receive a personal certificate to your cryptographic hardware.

Before you begin

Add the CA certificate of the CA that signed the personal certificate. Add it into either the cryptographic hardware or the secondary CMS key database. Do this before you receive the signed certificate into the cryptographic hardware. To add a CA certificate to a key ring, follow the procedure in Adding a CA certificate, or the public part of a self-signed certificate, into a key repository on UNIX, Linux, and Windows.

Procedure

  • To receive a personal certificate using the strmqikm (iKeyman) user interface, complete the following steps:
    1. Complete the steps to work with your cryptographic hardware. See Managing certificates on PKCS #11 hardware.
    2. Click Receive. The Receive Certificate from a File window opens.
    3. Type the certificate file name and location for the new personal certificate, or click Browse to select the name and location.
    4. Click OK. If you already have a personal certificate in your key database a window opens, asking if you want to set the key you are adding as the default key in the database.
    5. Click Yes or No. The Enter a Label window opens.
    6. Click OK. The Personal Certificates list shows the label of the new personal certificate you added. This label is formed by adding the cryptographic token label before the label you supplied.
  • To receive a personal certificate using the runmqakm (GSKCapiCmd) command, complete the following steps:
    1. Open a command window that is configured for your environment.
    2. Receive the personal certificate by using the runmqakm (GSKCapiCmd) command: 
       runmqakm -cert -receive -file filename -crypto module_name
          -tokenlabel hardware_token -pw hardware_password
          -format cert_format -fips
          -secondaryDB filename -secondaryDBpw password
      where:
      -file filename
      Specifies the fully qualified file name of the file containing the personal certificate.
      -crypto module_name
      Specifies the fully qualified name of the PKCS #11 library supplied with the cryptographic hardware.
      -tokenlabel hardware_token
      Specifies the PKCS #11 cryptographic device token label.
      -pw hardware_password
      Specifies the password for access to the cryptographic hardware.
      -format cert_format
      Specifies the format of the certificate. The value can be ascii for Base64-encoded ASCII or binary for binary DER data. The default is ASCII.
      -fips
      Specifies that the command is run in FIPS mode. When in FIPS mode, the IBM Crypto for C (ICC) component uses algorithms that are FIPS 140-2 validated. If the ICC component does not initialize in FIPS mode, the runmqakm command fails.
      -secondaryDB filename
      Specifies the fully qualified file name of the CMS key database.
      -secondaryDBpw password
      Specifies the password for the CMS key database.