CSR – IBM WebSphere MQ

To generate a CSR, you first need to create a key pair for your server. The private key and the certificate issued against its public key belong together and cannot be separated: if you lose the key database file or its password and generate a new key pair, the issued SSL certificate will no longer match your private key. You will then have to replace the SSL certificate and may be charged.

The CSR needs to contain the following attributes:

Country Name (C): Use the two-letter code without punctuation for country, for example: US or CA.
State or Province (S): Spell out the state completely; do not abbreviate the state or province name, for example: California.
Locality or City (L): The Locality field is the city or town name, for example: Berkeley.
Organization (O): If your company or department has an &, @, or any other symbol typed with the shift key in its name, you must spell out the symbol or omit it to enroll. For example, XY & Z Corporation would be entered as XYZ Corporation or XY and Z Corporation.
Organizational Unit (OU): This field is the name of the department or organization unit making the request.
Common Name (CN): The Common Name is the Host + Domain Name. It looks like “www.company.com” or “company.com”.

Note: GeoTrust certificates can only be used on Web servers using the Common Name specified during enrollment. For example, a certificate issued for “domain.com” will produce a browser warning when used on a site named “www.domain.com” or “secure.domain.com”, because “www.domain.com” and “secure.domain.com” are different host names from “domain.com”.

GeoTrust recommends that you contact IBM for additional information.

Generate Keypair and CSR

Step 1: Preparing your system to use the iKeyman utility.

  1. Start the iKeyman graphical user interface (GUI) using either the gsk7ikm command (UNIX) or the strmqikm command (Windows).
    Note: To use the iKeyman GUI, be sure that your machine can run the X Windows system.
  2. Be sure to set the following:
    • Set the DISPLAY environment variable. For example: export DISPLAY=mypc:0.
    • Ensure that the user’s path contains /usr/bin.
    • Set the JAVA_HOME environment variable (no space around the = sign):
      • AIX: export JAVA_HOME=/usr/mqm/ssl/jre
      • HP-UX: export JAVA_HOME=/opt/mqm/ssl
      • Linux: export JAVA_HOME=/opt/mqm/ssl/jre
      • Solaris: export JAVA_HOME=/opt/mqm/ssl

Step 2: Setting up a key repository.

  1. Open the iKeyman GUI, or use the UNIX or Windows command line, and do one of the following:

    Using the iKeyman GUI:
    Choose New from the Key Database File menu. Click Key database type, and select CMS. Type values for File Name and Location, and set a password.

    Using iKeycmd (UNIX command line):
    Use these commands:
    gsk7cmd -keydb -create -db filename -pw password -type cms -expire days -stash

    Using iKeycmd (Windows command line):
    Use these commands:
    runmqckm -keydb -create -db filename -pw password -type cms -expire days -stash

    where:

    • -db filename is the fully qualified name of a CMS key database, with an extension .kdb.
    • -pw password is the password for the CMS key database.
    • -type cms is the type of database.
    • -expire days is the expiration time in days of the database password. The default is 60 days.
    • -stash tells iKeycmd to stash the key database password to a file.

On Windows, the key database file (.kdb) is created with read permission for all user IDs, so no permission change is needed for the queue manager to read it; on a shared machine, consider restricting it to the MQ service account anyway. On UNIX, both a .kdb and a .sth (stash) file are created, and their access permissions are set to give access only to the user ID from which you ran iKeyman or iKeycmd. The .sth file holds the key database password in obfuscated (not encrypted) form, so anyone who can read it can open the key database; never grant it wider read access than the queue manager needs.

  2. If you are running UNIX, run chmod to give read access to the message channel agent (MCA), which runs under the mqm group. For example:
    • chmod g+r /var/mqm/qmgrs/QM1/ssl/key.kdb
    • chmod g+r /var/mqm/qmgrs/QM1/ssl/key.sth
  3. If you are running a queue manager, change the key repository location with runmqsc. Give the path and file stem without the .kdb extension. For example:
    • ALTER QMGR SSLKEYR('/var/mqm/qmgrs/QM1/ssl/MyKey')

Step 3: Generating a CSR.

Using the iKeyman GUI

  1. Start the iKeyman graphical user interface (GUI) using either the gsk7ikm command (UNIX) or the strmqikm command (Windows).
  2. In the iKeyman GUI, choose Open from the Key Database File menu. Click Key database type, and select CMS.
  3. Click Browse to navigate to the directory containing the key database files.
  4. Select the appropriate key database file, for example key.kdb.
  5. Click Open.
  6. Type the key database password and click OK.
  7. Click New Certificate Request from the Create menu.
  8. Type the following in the Key Label field:
    • For a queue manager, ibmwebspheremq followed by the name of your queue manager (in lowercase). For example, for QM1, type ibmwebspheremqqm1.
    • For a WebSphere MQ client, ibmwebspheremq followed by your logon user ID (in lowercase). For example, ibmwebspheremqmyuserid.
  9. Type values for Common Name, Organization, Organizational Unit, City/Locality and State/Province, and select a Country from the list.
  10. For Enter the name of a file in which to store the certificate request, either accept the default certreq.arm, or type a new pathname.
  11. Click OK. When the confirmation window displays, click OK again.
  12. The file you created contains the CSR. Submit the CSR to GeoTrust.

Using iKeycmd (command line interface)

  1. To generate a CSR in iKeycmd (using the UNIX command line), use this command:
    • gsk7cmd -certreq -create -db filename -pw password -label label -dn distinguished_name -size key_size -file filename

    To generate a CSR in iKeycmd (using the Windows command line), use this command:
    • runmqckm -certreq -create -db filename -pw password -label label -dn distinguished_name -size key_size -file filename

where:

    • -db filename is the fully qualified name of a CMS key database, with an extension .kdb.
    • -pw password is the password for the CMS key database.
    • -label label is the key label attached to the certificate.
    • -dn distinguished_name is the X.500 distinguished name enclosed in double quotes, for example "CN=www.company.com,O=XY and Z Corporation,OU=Messaging,L=Berkeley,ST=California,C=US". Note that the Common Name, Organization, Organizational Unit, City/Locality, State/Province and Country attributes are required.
    • -size key_size is the RSA key size in bits. Use 2048: 1024-bit keys are no longer accepted by public CAs, and 2048 is the minimum for EV certificates.
    • -file filename is the filename for the certificate request.
  2. The file you created contains the CSR. Submit the CSR to GeoTrust.
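The following script is an added example, not part of the original page and not IBM's or GeoTrust's own code. It wraps Steps 2 and 3 for the UNIX command line: it derives the key label from the queue manager name using the convention above, checks the DN fields against the enrollment rules listed at the top of the page, creates and stashes the CMS key database, grants the mqm group read access, generates the CSR, and then inspects the resulting request with openssl to confirm the subject and a 2048-bit key before it is submitted. It assumes gsk7cmd and openssl are on the PATH and that the key repository lives under /var/mqm/qmgrs/<QMGR>/ssl; the queue manager name, DN values and password are placeholders.

```shell
#!/bin/sh
# Added example (not from IBM or GeoTrust): Steps 2 and 3 of the procedure
# above as one script. Assumes gsk7cmd and openssl are on the PATH.
set -eu

# Key label convention from the page: "ibmwebspheremq" followed by the
# queue manager name (or client user ID) in lowercase.
mq_key_label() {
    printf 'ibmwebspheremq%s\n' "$(printf '%s' "$1" | tr 'A-Z' 'a-z')"
}

# Enforce the enrollment rules listed above before anything is generated:
# every field present, a two-letter country code, and no shift-key symbols
# (&, @, # ...) in the Organization field. Returns non-zero on the first problem.
check_dn_fields() {
    cn=$1; o=$2; ou=$3; l=$4; st=$5; c=$6
    for v in "$cn" "$o" "$ou" "$l" "$st"; do
        if [ -z "$v" ]; then
            echo "CN, O, OU, L and ST are all required" >&2; return 1
        fi
    done
    case "$c" in
        [A-Z][A-Z]) ;;
        *) echo "C must be a two-letter code, got '$c'" >&2; return 1 ;;
    esac
    if printf '%s' "$o" | grep -q '[&@#$%^*!]'; then
        echo "O contains a shifted symbol; spell it out or omit it: '$o'" >&2; return 1
    fi
    return 0
}

# Build the X.500 distinguished name in the form gsk7cmd expects for -dn.
build_dn() {
    printf 'CN=%s,O=%s,OU=%s,L=%s,ST=%s,C=%s\n' "$1" "$2" "$3" "$4" "$5" "$6"
}

# Step 2: create the CMS key database and stash its password. The stash
# file (.sth) stores the password obfuscated, not encrypted, so only the
# mqm group is given read access, and only because the MCA needs it.
create_key_repository() {
    kdb=$1; pw=$2
    gsk7cmd -keydb -create -db "$kdb" -pw "$pw" -type cms -expire 365 -stash
    chmod g+r "$kdb" "${kdb%.kdb}.sth"
}

# Step 3: generate the key pair and CSR under the MQ key label.
create_csr() {
    kdb=$1; pw=$2; label=$3; dn=$4; out=$5
    gsk7cmd -certreq -create -db "$kdb" -pw "$pw" -label "$label" \
        -dn "$dn" -size 2048 -file "$out"
}

# Pre-submission checks: the subject actually in the request, and its key size.
csr_subject()  { openssl req -in "$1" -noout -subject; }
csr_key_bits() {
    openssl req -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Run the whole procedure only when invoked as "./mq_csr.sh run".
if [ "${1:-}" = "run" ]; then
    QMGR=QM1                                      # placeholder queue manager name
    KDB=/var/mqm/qmgrs/$QMGR/ssl/key.kdb
    CSR=/var/mqm/qmgrs/$QMGR/ssl/certreq.arm
    PW=${MQ_KDB_PASSWORD:?set MQ_KDB_PASSWORD}    # never hard-code the password
    LABEL=$(mq_key_label "$QMGR")
    check_dn_fields www.company.com "XY and Z Corporation" Messaging Berkeley California US
    DN=$(build_dn www.company.com "XY and Z Corporation" Messaging Berkeley California US)
    create_key_repository "$KDB" "$PW"
    create_csr "$KDB" "$PW" "$LABEL" "$DN" "$CSR"
    csr_subject "$CSR"
    [ "$(csr_key_bits "$CSR")" = 2048 ] || { echo "unexpected key size in $CSR" >&2; exit 1; }
    echo "Now run in runmqsc $QMGR: ALTER QMGR SSLKEYR('${KDB%.kdb}')"
fi
```

The openssl check is the step worth keeping even if you drive iKeyman from the GUI: a CSR whose subject or key size is wrong is only discovered after the CA has issued (and billed for) the certificate.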

During the verification process, GeoTrust may need to contact your organization. Be sure to provide an email address, phone number, and fax number that are monitored and answered promptly. These contact details are not part of the certificate.