How to Generate Certificate Signing Request (CSR) in IBM WebSphere MQ with IKEYMAN


This document provides instructions for generating a Certificate Signing Request (CSR) for IMB Websphere MQ using IKEYMAN GUI. If you are unable to use these instructions for your server, RapidSSL recommends that you contact IBM.

NOTE: Before generating a CSR, you first need to create a key pair for your server.  These two items are a digital certificate key pair and cannot be separated.  If you lose your public/private key file, forget your password, or generate a new key file, your SSL Certificate will no longer match your private key.

NOTE: SHA-1 Signature Algorithm is the default in GSKit and later. Ikeyman and Ikeycmd (gsk7md)
v7 in IHS 6.0.2 and later support selecting between MD5 and SHA-1 by creating a "" in your 
working directory with a single line containing just: DEFAULT_SIGNATURE_ALGORITHM=SHA1_WITH_RSA

For more information about selecting  signature algorithm in ikeyman please refer to the IBM website.

NOTE: To generate a CSR using the command line, follow the steps from this link: Generate CSR with Command Line

Step 1. Create a Keystore using iKeyman utility

1.    Start the iKeyman GUI using either the gsk7ikm command (UNIX) or the strmqikm command (Windows) 

       NOTE: To use the iKeyman GUI, be sure that your machine can run the X Windows system

2.    Open WebSphere MQ Explorer and right-clicking on IBM Websphere MQ

3.    Select Manage SSL Certificates.

4.    The tool displays a graphical interface that looks like

5.    Create the key database file by selecting Key Database File > New.

6.    Accept the default key database type of CMS.

7.    Use the default location for the key database, which is <mqroot>\Qmgrs\<qmgrname>\ssl. The default name is key.kdb

8.     Enter a Location for the location on the hard drive where you want to store the .kdb file

NOTE:  The default location is: C:\Program Files\IBM\WebSphere\AppServer\profiles\default\etc, but you also can provide a different location where you want to store your keystore file. 

9.     Click OK.

10.    Enter a password and click OK.

Step 2.  Generate a Certificate Signing Request

NOTE: All certificates that will expire after October 2013 must have a 2048 bit key size

1.    From the iKeyman graphical user interface (GUI) click Create

2.    Click New Certificate Request

3.    Type the following in the Key Label field: For a WebSphere MQ client, ibmwebspheremq followed by your logon user ID (in lowercase). 

       For example: ibmwebspheremqmyuserid.

4.    The Key Size must be at least 2048 bits

       NOTE: If the 2048 bit Key Size does not appear in the drop down list, refer to following IBM solution

5.    The CSR needs to contain the following attributes :

- Country Name (C): Use the two-letter code without punctuation for country, for example: US or CA.

- State or Province (S): Spell out the state completely; do not abbreviate the state or province name, for example: California.

- Locality or City (L): The Locality field is the city or town name, for example: Berkeley.

- Organization (O): If your company or department has an &, @, or any other symbol using the shift key in its name, you must spell out the symbol or omit it to enroll, for example: XY & Z Corporation would be XYZ Corporation or XY and Z Corporation.

- Organizational Unit (OU): This field is the name of the department or organization unit making the request.

- Common Name (CN): The Common Name is the Host + Domain Name. It looks like "" or "". 

6.    For Enter the name of a file in which to store the certificate request, either accept the default certreq.arm, or type a new path name.

7.    Click OK. When the confirmation window displays, click OK again.

8.    The file you created contains the CSR.

9.    Proceed with Enrolment.

Contact Information

During the verification process, RapidSSL may need to contact your organization. 

Be sure to provide an email address, phone number and fax number that will be checked and responded to quickly. These fields are not part of the certificate.


For more information refer to IBM documentation




WarungSSL has made efforts to ensure the accuracy and completeness of the information in this document. However, WarungSSL makes no warranties of any kind (whether express, implied or statutory) with respect to the information contained herein. WarungSSL assumes no liability to any party for any loss or damage (whether direct or indirect) caused by any errors, omissions, or statements of any kind contained in this document.

Further, WarungSSL assumes no liability arising from the application or use of the product or service described herein and specifically disclaims any representation that the products or services described herein do not infringe upon any existing or future intellectual property rights. Nothing herein grants the reader any license to make, use, or sell equipment or products constructed in accordance with this document. Finally, all rights and privileges related to any intellectual property right described herein are vested in the patent, trademark, or service mark owner, and no other person may exercise such rights without express permission, authority, or license secured from the patent, trademark, or service mark owner. Geotrust reserves the right to make changes to any information herein without further notice.


We uses cookies to remember and process the items in your shopping cart as well as to compile aggregate data about site traffic and interactions so that we can continue improving your experience on our site.