How to perform common tasks for the management of IBM MQ certificates

Question & Answer


Question

This document is intended to help with IBM MQ certificate management. It lists some of the most common commands needed for basic certificate management tasks.
In IBM MQ you can perform these tasks through the IBM Key Management GUI (iKeyman) or from the command line using the runmqckm and runmqakm commands.
This document provides examples for certificate management using the command line. Where available, a link to the IBM MQ documentation shows how to perform the same task using iKeyman.
Many of the procedures discussed here can also be found in the IBM MQ product documentation (Knowledge Center), see:

Answer

How to check a certificate expiration?
The following command lists the certificates that are about to expire within a given number of days:
  • runmqakm -cert -list -db <keyfile.kdb> -pw <password> -expiry <days>
       Note: expiry - corresponds to a number of days counted from today
For example, the following command will display the certificates that are about to expire within 90 days from today:
runmqakm -cert -list -db key.kdb -pw password -expiry 90
For MQ Appliance, you can automate checking for certificate expiration with the Certificate Monitor feature, see:
  Certificate Monitor
How to list the content of an MQ keystore?
An MQ keystore contains the queue manager's personal certificate and the CA signer certificates (root and intermediates) that issued it. If any of these CA signer certificates is missing, validation of the personal certificate fails.
To check the content of the keystore, run the following command:
  • runmqakm -cert -list -db <keyfile.kdb> -pw <password>
This command lists ALL the certificates contained in the MQ keystore.
For MQ Appliance, you would use the 'listcert' command, see:
How to view the content of a certificate?
To view the content of a certificate, run the following command:
  • runmqakm -cert -details -label <cert_label> -db <keyfile.kdb> -pw <password>
For MQ Appliance, you would use the 'detailcert' command, see:

How to create a certificate signing request (CSR) and receive a CA-signed personal certificate?
The general steps are:
  • Create the queue manager keystore if none exists.
  • Create the CSR and send it to the CA.
  • Add the CA signer certificates (intermediates and root) into the keystore. Note: This is a mandatory step for certificate validation; do it before receiving the personal certificate. For more details see the following documentation:
      https://www.ibm.com/support/knowledgecenter/SSFKSJ_9.2.0/com.ibm.mq.sec.doc/q009880_.htm
      How certificate chains work
  • Receive the CA-signed personal certificate returned by the CA into the keystore.
Example commands to run:
a) Create Keystore for the queue manager
  • runmqakm -keydb -create -db <keyfile.kdb> -type cms -pw <password> -stash

b) Create a Certificate Signing request (CSR) for the queue manager
  • runmqakm -certreq -create -db <keyfile.kdb> -pw <password> -label <cert_Label> -dn <distinguished_name> -size <key_size> -file <filename> -sig_alg <algorithm>

c) Verify that the certificate request was created by listing it:
  • runmqakm -certreq -list -db <keyfile.kdb> -stashed

d) Send the CSR to your CA to be signed.
e) The CA sends back the signed certificate and CA Signers Certificates (root, intermediate)
f) Add the CA Signers Certificates to the keystore:
  • runmqakm -cert -add -db <keyfile.kdb> -stashed -label <cert_label> -file <ca_filename>
       Note: Add ALL the CA signer certificates in the chain (root and every intermediate); certificate validation fails if one is missing.
             Be careful NOT to add the signed personal certificate file with runmqakm -cert -add: that command imports only
             the public certificate, so the result would be a signer/trusted certificate with no private key. The personal
             certificate must be received with -cert -receive (step g) so that it is paired with the private key of the request.
     
g) Receive the CA signed certificate with the following command:
  • runmqakm -cert -receive -file <filename> -db <keyfile.kdb> -stashed
        Note: <filename> is the file sent by the CA with the personal signed certificate.

h) List the content of the keystore to make sure the certificates, personal and signers, were added:
  • runmqakm -cert -list -db <keyfile.kdb> -stashed
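Step h) only shows that labels are present; it does not show that the signers actually form the chain of the personal certificate. The following shell script is an added example, not code from the IBM page: it walks the Issuer/Subject links of the certificates in a keystore and reports whether the personal certificate reaches a self-signed root using only the signers in that keystore. It assumes that runmqakm -cert -details prints "Issuer : <DN>" and "Subject : <DN>" lines and that -cert -list prints one marker and one label per line as in the listing examples on this page; the three sample certificate outputs embedded in it are constructed, not taken from a real keystore.

```shell
#!/bin/sh
# Added example: confirm that the personal certificate just received can be
# chained, inside this keystore alone, up to a self-signed root. Step f) above
# is easy to get half right (root added, intermediate forgotten); the keystore
# then looks fine in a listing but the chain is broken at handshake time.
# Assumptions (this example's, not the page's): "runmqakm -cert -details"
# prints "Issuer : <DN>" and "Subject : <DN>" lines; "runmqakm -cert -list"
# prints one "<marker> <label>" line per certificate ("!" trusted, "-" or
# "*-" personal); labels contain no whitespace; DNs are compared as strings.

# cert_field <name> <details>: value of the first "<name> : value" line.
cert_field() {
    printf '%s\n' "$2" | sed -n "s/^[[:space:]]*$1[[:space:]]*:[[:space:]]*//p" | head -n 1
}

# summarize <details>: one "subject|issuer" record for the signer table.
summarize() {
    printf '%s|%s\n' "$(cert_field Subject "$1")" "$(cert_field Issuer "$1")"
}

# chain_complete <personal details> <signer table>
# Follow issuer -> subject links through the trusted signers until a
# self-signed certificate (issuer == subject) is reached. 0 = chain closes,
# 1 = a signer is missing (its DN is reported on stderr).
chain_complete() {
    want=$(cert_field Issuer "$1")
    table=$2
    depth=0
    while [ "$depth" -lt 10 ]; do
        hit=$(printf '%s\n' "$table" | awk -F'|' -v s="$want" '$1 == s { print; exit }')
        if [ -z "$hit" ]; then
            echo "missing signer in keystore: $want" >&2
            return 1
        fi
        issuer=${hit#*|}
        if [ "$issuer" = "$want" ]; then
            return 0                      # self-signed root reached
        fi
        want=$issuer
        depth=$((depth + 1))
    done
    echo "issuer loop, or chain deeper than 10" >&2
    return 1
}

# verify_chain_in_keystore <key.kdb>: run the check against a real keystore
# (its stash file must exist). Prints OK/BROKEN per personal certificate.
verify_chain_in_keystore() {
    kdb=$1
    listing=$(runmqakm -cert -list -db "$kdb" -stashed) || return 2
    table=""
    for label in $(printf '%s\n' "$listing" | awk '$1 == "!" { print $2 }'); do
        table="$table
$(summarize "$(runmqakm -cert -details -db "$kdb" -stashed -label "$label")")"
    done
    rc=0
    for label in $(printf '%s\n' "$listing" | awk '$1 ~ /^\*?-$/ { print $2 }'); do
        details=$(runmqakm -cert -details -db "$kdb" -stashed -label "$label")
        if chain_complete "$details" "$table"; then
            echo "OK      $label"
        else
            echo "BROKEN  $label"; rc=1
        fi
    done
    return $rc
}

# Constructed sample "-cert -details" output for a three-certificate chain
# (queue manager cert, issuing CA, root), trimmed to the fields used here.
PERSONAL_DETAILS='Label : ibmwebspheremqqm1
Key Size : 2048
Issuer : CN=Example Issuing CA,O=Example Corp,C=US
Subject : CN=QM1,OU=MQ,O=Example Corp,C=US'
ISSUING_CA_DETAILS='Label : example-issuing-ca
Issuer : CN=Example Root CA,O=Example Corp,C=US
Subject : CN=Example Issuing CA,O=Example Corp,C=US'
ROOT_CA_DETAILS='Label : example-root-ca
Issuer : CN=Example Root CA,O=Example Corp,C=US
Subject : CN=Example Root CA,O=Example Corp,C=US'

# Both signers present: the chain closes at the root.
FULL_TABLE="$(summarize "$ISSUING_CA_DETAILS")
$(summarize "$ROOT_CA_DETAILS")"
# Root only: the issuing CA is missing, the classic step f) mistake.
ROOT_ONLY_TABLE=$(summarize "$ROOT_CA_DETAILS")

demo_complete() { chain_complete "$PERSONAL_DETAILS" "$FULL_TABLE"; }
demo_missing_intermediate() { chain_complete "$PERSONAL_DETAILS" "$ROOT_ONLY_TABLE" 2>/dev/null; }

# Usage: sh check_chain.sh /var/mqm/qmgrs/QM1/ssl/key.kdb
if [ $# -eq 1 ] && command -v runmqakm >/dev/null 2>&1; then
    verify_chain_in_keystore "$1"
fi
```

Run it right after step h); a BROKEN result names the DN that the keystore is missing, which is the signer file to request from the CA and add with -cert -add.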
How to renew an existing certificate before it expires?

If you want to renew an existing certificate that is about to expire, you can do the following:
Note: It is recommended to take a backup of the keystore first (the .kdb, .sth, .rdb and .crl files that share the same base name).
a) Recreate a CSR from the existing certificate (the new request uses the existing key pair of that label):
  • runmqakm -certreq -recreate -db <keyfile.kdb> -pw <password> -label <label> -target <filename>
       Note: target - the destination file to which the certificate request is written; this is the file to send to the CA.

b) Send the certificate renewal request to the CA
c) The CA will send the signed certificate and CA Signers.
d) Add the CA Signer Certificates to the keystore.
  • runmqakm -cert -add -db <keyfile.kdb> -stashed -label <cert_label> -file <ca_filename>
e) Receive the signed personal certificate into the keystore:
  • runmqakm -cert -receive -file <filename> -db <keyfile.kdb> -pw <password>
f) Refresh the queue manager's TLS configuration so that it picks up the new certificate from the keystore:
  • runmqsc QMGR_NAME
  • REFRESH SECURITY TYPE(SSL)
For additional information see the following documents:

https://www.ibm.com/support/knowledgecenter/SSFKSJ_9.2.0/com.ibm.mq.sec.doc/q012790_.htm
KC: Renewing an existing personal certificate on UNIX, Linux, and Windows
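The renewal steps above, scripted, with the backup recommendation made concrete; this is an added example and not code from the IBM page. It assumes the keystore is named by its base path without extension, that the stash file exists, that signer files are named <label>.arm, and that the CA round trip happens between the two functions; the backup routine is exercised on constructed dummy files, not a real keystore.

```shell
#!/bin/sh
# Added example: the renewal procedure as a script, with the backup explicit.
# A CMS keystore is a set of files sharing one base name: key.kdb
# (certificates), key.sth (stashed password), key.rdb (pending certificate
# requests with their private keys) and key.crl. The .rdb file is the one that
# matters between -certreq -recreate and -cert -receive: if it is lost, the
# received certificate has no private key to pair with.
# Assumptions (this example's, not the page's): keystore given as a base path
# without extension, stash file present, signer files named <label>.arm.

# backup_keystore <base> <dest_dir>: copy every keystore companion file that
# exists into <dest_dir>, suffixed with a timestamp. Prints the number copied.
backup_keystore() {
    base=$1
    dest=$2
    stamp=$(date +%Y%m%d-%H%M%S)
    copied=0
    mkdir -p "$dest"
    for ext in kdb sth rdb crl; do
        if [ -f "$base.$ext" ]; then
            cp -p "$base.$ext" "$dest/$(basename "$base").$ext.$stamp"
            copied=$((copied + 1))
        fi
    done
    echo "$copied"
}

# renew_request <base> <label> <csr_file>: back up, then regenerate the CSR
# for the existing certificate (step a) so it can be sent to the CA (step b).
renew_request() {
    n=$(backup_keystore "$1" "$(dirname "$1")/backup")
    if [ "$n" -eq 0 ]; then
        echo "no keystore files found at $1.*" >&2
        return 1
    fi
    echo "backed up $n keystore file(s) to $(dirname "$1")/backup"
    runmqakm -certreq -recreate -db "$1.kdb" -stashed -label "$2" -target "$3"
}

# renew_complete <base> <signed_cert_file> <qmgr> [signer.arm ...]: steps d)
# to f): add any signer not already present, receive the renewed personal
# certificate, then tell the queue manager to reload the keystore.
renew_complete() {
    base=$1; signed=$2; qmgr=$3
    shift 3
    existing=$(runmqakm -cert -list -db "$base.kdb" -stashed)
    for ca in "$@"; do
        label=$(basename "$ca" .arm)
        # -cert -add refuses a label that already exists, so skip known signers.
        if printf '%s\n' "$existing" | awk -v l="$label" '$2 == l { found = 1 } END { exit !found }'; then
            echo "signer $label already present, skipping"
        else
            runmqakm -cert -add -db "$base.kdb" -stashed -label "$label" -file "$ca"
        fi
    done
    runmqakm -cert -receive -db "$base.kdb" -stashed -file "$signed"
    echo "REFRESH SECURITY TYPE(SSL)" | runmqsc "$qmgr"
}

# Usage:
#   renew_request  /var/mqm/qmgrs/QM1/ssl/key ibmwebspheremqqm1 /tmp/qm1-renew.csr
#   ... send the CSR to the CA, save the reply as /tmp/qm1-renewed.arm ...
#   renew_complete /var/mqm/qmgrs/QM1/ssl/key /tmp/qm1-renewed.arm QM1 issuing-ca.arm root-ca.arm
```

Keep the backup directory out of the queue manager's ssl directory if that directory is replicated or cleaned by other tooling; the backup holds the private key, so it needs the same permissions as the live keystore.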
How to rename a certificate?

To rename the label of a certificate, use the following command:
  • runmqakm -cert -rename -db <keyfile.kdb> -pw <password> -label <label> -new_label <newLabel>

Also see the following article:
https://www.ibm.com/support/pages/node/6326879
In MQ, how do you rename the certificate label if the label name is incorrect?

 
How to export and import a personal certificate?
Caution: Exporting a personal certificate produces a file containing the full personal certificate, that is, the private key as well as the public certificate. Protect the exported file and its password accordingly, and delete the file once it has been imported.

To Export a personal certificate use the following command:
  • runmqakm -cert -export -db <keyfile.kdb> -pw <password> -label <label> -type <cms> -target <filename> -target_pw <password> -target_type <kdb>
       Note:
       type - is the type of the source keystore (cms for an MQ .kdb file).
       target - is the name of the file where the certificate will be saved.
       target_pw - is the password that protects the exported file. It is needed again when importing the certificate.
       target_type - is the type of the target file; give the same value as -type when importing.

To import a personal certificate, use the following command:
  • runmqakm -cert -import -file <filename> -pw <password> -type <kdb> -target <filename> -target_pw <password> -target_type <cms> -label <labelName>
        Note:
        file - is the name of the file where the certificate was saved (the -target of the Export command)
        pw - is the password of that file (the -target_pw given at export)
        type - is the type of that file (the -target_type given at export)
        target - is the name of the keystore file into which the certificate will be imported
        target_pw - is the password of the keystore
Check that the certificate was added properly into the keystore by listing the certificates:
  • runmqakm -cert -list -db <keyfile.kdb> -stashed
For MQ Appliance:  There is no command to export or import a personal certificate into the MQ appliance, but there is a workaround using the MQ Appliance keybackup/keyrestore commands, see:
How to Import Certificates on IBM MQ Appliance
How to check/verify that you have a personal certificate for your queue manager or client?
You can do this in several ways:
a) You can verify if a personal certificate exist by running the following command:
  • runmqakm -cert -list -db <keyfile.kdb> -pw <password>
       Note: A personal certificate is marked with a (-) dash symbol. A trusted certificate is marked with a (!) exclamation sign.
Example:
runmqakm -cert -list -db key.kdb -stashed
Certificates found
* default, - personal, ! trusted, # secret key
!    ibmwebspheremqperez
-    ibmwebspheremqssl1

b) Using the runmqckm command:
  • runmqckm -cert -list personal -db <file.kdb> -pw <password>

c) From the Key Management GUI (iKeyman)
  • Open keystore file -> From the drop down menu select "Personal Certificates"

For more details see the following technote:
https://www.ibm.com/support/pages/node/6233430
IBM MQ Personal and CA Certificates Explained And How To Identify Them
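Both the expiry listing and the personal-certificate check above are things a script should be able to act on. The following shell script is an added example, not code from the IBM page: it parses runmqakm -cert -list output into labels by marker, so a job can fail when a keystore holds only signers or when the -expiry listing returns anything. It assumes the listing format shown on this page (one marker and one label per line, a default personal certificate shown as *-); the sample listings embedded in it are constructed, extending the page's own example.

```shell
#!/bin/sh
# Added example: act on "runmqakm -cert -list" output from a script.
# Assumed output format (this example's assumption, matching the page's
# listing): a "Certificates found" banner, the legend line, then one line per
# certificate of "<marker><whitespace><label>", where the marker is "-" for
# personal, "!" for trusted and "*-" for the default personal certificate.
# Labels are assumed to contain no whitespace.

# cert_lines <listing>: keep only the "<marker> <label>" lines.
cert_lines() {
    printf '%s\n' "$1" | awk 'NF >= 2 && $1 ~ /^[*!#-]+$/ && $2 != "default," { print $1, $2 }'
}

# labels_with_marker <marker> <listing>: labels whose marker contains <marker>.
labels_with_marker() {
    cert_lines "$2" | awk -v m="$1" 'index($1, m) > 0 { print $2 }'
}

# all_labels <listing>: every label in the listing, whatever its marker.
all_labels() {
    cert_lines "$1" | awk '{ print $2 }'
}

# count_personal <listing>: number of personal certificates ("-" or "*-").
count_personal() {
    labels_with_marker - "$1" | awk 'END { print NR }'
}

# check_personal <kdb>: 0 if the keystore holds a personal certificate,
# 1 if it holds only signers (the stash file must exist).
check_personal() {
    listing=$(runmqakm -cert -list -db "$1" -stashed) || return 2
    n=$(count_personal "$listing")
    if [ "$n" -eq 0 ]; then
        echo "ERROR: $1 contains no personal certificate, only:" >&2
        all_labels "$listing" | sed 's/^/  /' >&2
        return 1
    fi
    echo "$1: $n personal certificate(s): $(labels_with_marker - "$listing" | tr '\n' ' ')"
}

# check_expiry <kdb> <days>: 0 if nothing expires within <days>, 1 otherwise.
# Suitable for cron: the non-zero exit is the alert.
check_expiry() {
    listing=$(runmqakm -cert -list -db "$1" -stashed -expiry "$2") || return 2
    expiring=$(all_labels "$listing")
    if [ -n "$expiring" ]; then
        printf 'WARNING: certificate(s) in %s expire within %s days:\n' "$1" "$2"
        printf '%s\n' "$expiring" | sed 's/^/  /'
        return 1
    fi
    echo "$1: nothing expires within $2 days"
}

# Constructed sample listings: the first extends the page's example with a
# default personal certificate; neither is copied from a real keystore.
SAMPLE_LIST='Certificates found
* default, - personal, ! trusted, # secret key
!    ibmwebspheremqperez
-    ibmwebspheremqssl1
*-   ibmwebspheremqqm1'

SIGNERS_ONLY='Certificates found
* default, - personal, ! trusted, # secret key
!    ibmwebspheremqperez'

# Usage against a real keystore:
#   check_personal /var/mqm/qmgrs/QM1/ssl/key.kdb
#   check_expiry   /var/mqm/qmgrs/QM1/ssl/key.kdb 90
```

check_expiry is the command-line counterpart of the MQ Appliance Certificate Monitor mentioned earlier: schedule it with the lead time your CA needs, and treat any non-zero exit as a ticket.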
How to tell if the certificate has OCSP/CRL validation?
MQ automatically performs OCSP and CRL revocation checking based on the contents of the certificates themselves.
OCSP checking occurs by default if your certificate or the Certificate Authority (CA) root/intermediate certificates carry an AuthorityInfoAccess extension; CRL checking occurs by default if they carry a CRLDistributionPoints extension.
Most CA-issued certificates have at least one of these extensions.
To verify if this extension is present, list the certificate details:
  • runmqakm -cert -details -label <cert_label> -db <filename> -stashed
See the following article for more details.
https://www.ibm.com/support/knowledgecenter/SSFKSJ_9.2.0/com.ibm.mq.sec.doc/q135040_.htm
How does the OCSP/CRL checking work in IBM MQ?
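The queue manager attributes that control this behaviour live in the SSL stanza of qm.ini. The fragment below is an added configuration example, not taken from the IBM page; the attribute names and values are the documented ones, the stanza layout and comments are this example's.

```ini
# SSL stanza of qm.ini (added example). Both *CheckExtensions attributes
# default to YES, which is the automatic behaviour described above; setting
# either to NO turns off that check even when the extension is present.
SSL:
   OCSPCheckExtensions=YES
   CDPCheckExtensions=YES
   # REQUIRED (the default) fails the connection when the OCSP responder cannot
   # give a definitive answer; WARN logs and continues; OPTIONAL continues silently.
   OCSPAuthentication=REQUIRED
```

If a certificate carries an AuthorityInfoAccess extension but the queue manager cannot reach the responder it names, REQUIRED is what turns that into a failed channel start rather than a warning, so firewall rules for the OCSP and CRL URLs belong in the same change as the certificate.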


Document Information

Modified date:
26 October 2023

UID

ibm16382940