IBM MQ: Add a server certificate to queue manager without an CSR

At my workplace we request SSL certificates based on the server and not on queue manager. Often are these servers populated with more services than MQ so a CSR from MQ might not be possible. In this case we need to get the certificate and key into the queue manager keystore without an CSR. Here is how we usually do it

Through of of this example I am going to use the ikeycmd program, normally found here: /opt/mqm/java/jre64/jre/bin/ikeycmd in the MQ installation on Linux, and openssl which can be found in most Linux systems. We will call the queue manager MYQM01 in this example.

First we need to create a kdb file to hold our certificates

ikeycmd -keydb -create -db "/var/mqm/qmgrs/MYQM01/ssl/key.kbd" -pw changeit -type cms -stash

db is the path to the queue managers key.kdb file
stash tells ikeycmd to stash the password in a file in the same location as the key.kdb file. This is needed so that MQ later can open the key.kdb file and read its contents

It is now time to add the root cert and all its intermediate certificates (if any). It is important that this is done in the correct order: From root and down to your certificate
Add root cert:

ikeycmd -cert -add -db "/var/mqm/qmgrs/MYQM01/ssl/key.kbd" -pw changeit -label rootca -file DigicertRoot.crt -format ascii

Add ca cert/s:

ikeycmd -cert -add -db "/var/mqm/qmgrs/MYQM01/ssl/key.kbd" -pw changeit -label intermediateca -file DigiCertCA.crt -format ascii

And now to the magic. There are probably many ways to do this but I found creating a p12 file with the certificate and the key to be the simplest
Create the p12 file

openssl pkcs12 -export -in -inkey -out -name "ibmwebspheremqmyqm01"

Import the p12 into the queue manager keystore

ikeycmd -cert -import -db -pw changeit -target "/var/mqm/qmgrs/MYQM01/ssl/key.kbd"

Now set the the new certificate as default

ikeycmd -cert -setdefault -db "/var/mqm/qmgrs/MYQM01/ssl/key.kbd" -stashed -label "ibmwebspheremqmyqm01"

Make sure the key* files has the correct permissions

chmod 640 key.*

Troubleshooting tips

# List personal and ca certificate in the kbd file 
/opt/mqm/java/jre64/jre/bin/ikeycmd -cert -list personal -db "/var/mqm/qmgrs/MYQM01/ssl/key.kbd" -pw changeit
/opt/mqm/java/jre64/jre/bin/ikeycmd -cert -list ca -db "/var/mqm/qmgrs/MYQM01/ssl/key.kbd" -pw changeit

# List default all signers for this installation
/opt/mqm/java/jre64/jre/bin/ikeycmd -cert -listsigners

# Check that a certificate is presented on connect
openssl s_client -connect

Tested on MQ, Red Hat Linux 7.5 and OpenSSL 1.0.2k-fips

Leave a Comment

NOTE - You can use these HTML tags and attributes:
<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong> <pre lang="" line="" escaped="" cssfile="">

This site uses Akismet to reduce spam. Learn how your comment data is processed.