Certificate Signing Request (CSR) Generation Instructions for IBM WebSphere MQ using the IKEYMAN GUI

Solution ID:    SO22408    Updated:    08/03/2016


This document was created to assist with the generation of a Certificate Signing Request (CSR) for IBM WebSphere MQ using the IKEYMAN GUI. If this document cannot be used within the environment, RapidSSL recommends contacting an organization that supports WebSphere MQ.  For documentation on generating the CSR using the command line, please click here.

NOTE: As of 1/1/2016 all public SSL certificates must be issued as SHA-256 with at least a 2048-bit key size.  Please ensure that the server can support these standards before requesting a certificate.  For information related to selecting a signature algorithm, please click here.


Step 1. Create a Keystore using iKeyman utility

  1. Start the iKeyman GUI using either the gsk7ikm command (UNIX) or the strmqikm command (Windows) 

    NOTE: To use the iKeyman GUI, be sure that your machine can run the X Windows system
  2. Open WebSphere MQ Explorer and right-click on IBM WebSphere MQ
  3. Select Manage SSL Certificates.

  4. Create the key database file by selecting Key Database File > New

  5. Accept the default key database type of CMS.
  6. Use the default location for the key database, which is

    \Qmgrs\\ssl. The default name is key.kdb

  7. In the Location field, enter the place on the hard drive where you want to store the .kdb file.  The default location is: C:\Program Files\IBM\WebSphere\AppServer\profiles\default\etc

  8. Click OK.
  9. Enter a password and click OK.

Step 2.  Generate a Certificate Signing Request

  1. From the iKeyman graphical user interface (GUI) click Create
  2. Click New Certificate Request
  3. Type the following in the Key Label field: For a WebSphere MQ client, ibmwebspheremq followed by your logon user ID (in lowercase). For example: ibmwebspheremqmyuserid.
  4. Select a key size of at least 2048.  If the 2048-bit key size does not appear in the drop-down list, refer to the following IBM solution
  5. Enter the CSR details.

    Country Name (C): Use the two-letter ISO code without punctuation for country, for example: US
    State or Province (S): Do not abbreviate the state or province name, for example: California
    Locality or City (L): The Locality field is the city or town name, for example: Mountain View
    Organization (O): Enter the organization name as it is registered.  Avoid special characters.  For example:  Symantec Corporation
    Organizational Unit (OU): This field is the name of the department or organization unit making the request.  For example, Technical Support
    Common Name (CN): The Common Name is the Host + Domain Name. For example, www.bbtest.net or *.bbtest.net for a wildcard.
  6. Enter a file name and path to save the CSR file.
  7. Click OK. When the confirmation window displays, click OK again.
  8. Proceed with Enrolment.
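
Before enrolment, the saved request can be checked against the 2048-bit and SHA-256 requirements in the NOTE at the top of this document. The following Python script is an added example, not part of the original RapidSSL instructions or of any IBM tool. It assumes the CSR file is PEM-encoded PKCS#10 with an RSA key, and it reports the hash used to sign the request itself; sample_csr builds constructed, unsigned test input.

```python
import base64

SHA256_RSA, SHA1_RSA = "2a864886f70d01010b", "2a864886f70d010105"  # signature OIDs (DER bytes, hex)

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split a constructed element's contents into a list of child values."""
    out, pos = [], 0
    while pos < len(value):
        _tag, val, pos = read_tlv(value, pos)
        out.append(val)
    return out

def check_csr(pem_text):
    """Return (rsa_key_bits, signature_oid_hex, problems) for a PEM PKCS#10 request."""
    b64 = "".join(l for l in pem_text.splitlines() if not l.startswith("-----"))
    info, sig_alg, _sig = children(read_tlv(base64.b64decode(b64))[1])
    spki = children(info)[2]                       # version, subject, subjectPublicKeyInfo
    rsa_key = read_tlv(children(spki)[1][1:])[1]   # BIT STRING minus unused-bits byte
    bits = int.from_bytes(children(rsa_key)[0], "big").bit_length()
    oid = children(sig_alg)[0].hex()
    problems = []
    if bits < 2048:
        problems.append(f"RSA key is {bits} bits; at least 2048 required")
    if oid != SHA256_RSA:
        problems.append(f"request is not signed with sha256WithRSAEncryption (OID bytes {oid})")
    return bits, oid, problems

def tlv(tag, body):  # DER-encode one element; only used to build the constructed sample
    n = len(body)
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x80 | len(size)]) + size) + body

def sample_csr(bits, sig_oid_hex):  # constructed request: dummy modulus and signature
    alg = lambda oid: tlv(0x30, tlv(0x06, bytes.fromhex(oid)) + tlv(0x05, b""))
    n = ((1 << (bits - 1)) | 1).to_bytes(bits // 8 + 1, "big")
    key = tlv(0x03, b"\x00" + tlv(0x30, tlv(0x02, n) + tlv(0x02, b"\x01\x00\x01")))
    info = tlv(0x30, tlv(0x02, b"\x00") + tlv(0x30, b"") + tlv(0x30, alg("2a864886f70d010101") + key) + tlv(0xA0, b""))
    der = tlv(0x30, info + alg(sig_oid_hex) + tlv(0x03, bytes(17)))
    return "-----BEGIN CERTIFICATE REQUEST-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE REQUEST-----\n"
```

To check a real request, pass the text of the CSR file saved in step 6 to check_csr; an empty problems list means both requirements are met.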

Contact Information

During the verification process, RapidSSL may need to contact your organization.  Be sure to provide an email address, phone number and fax number that will be checked and responded to quickly. These fields are not part of the certificate.

Once the SSL certificate has been issued, refer to this link for installation instructions.


For more information, refer to the IBM documentation.



RapidSSL has made efforts to ensure the accuracy and completeness of the information in this document. However, RapidSSL makes no warranties of any kind (whether express, implied or statutory) with respect to the information contained herein. RapidSSL assumes no liability to any party for any loss or damage (whether direct or indirect) caused by any errors, omissions, or statements of any kind contained in this document.  Further, RapidSSL assumes no liability arising from the application or use of the product or service described herein and specifically disclaims any representation that the products or services described herein do not infringe upon any existing or future intellectual property rights. Nothing herein grants the reader any license to make, use, or sell equipment or products constructed in accordance with this document. Finally, all rights and privileges related to any intellectual property right described herein are vested in the patent, trademark, or service mark owner, and no other person may exercise such rights without express permission, authority, or license secured from the patent, trademark, or service mark owner. RapidSSL reserves the right to make changes to any information herein without further notice.
