Having set up web servers using digital certificates, I know some components are sensitive to the content of a certificate. For example:
- Some web browsers want the IP address (or host name) in the Subject Alternative Name to match the address the browser connected to; they no longer fall back to the Common Name.
- Some clients check that the server's certificate has an Extended Key Usage of "server auth", saying it can be used as a server's certificate.
The short answer is no, there are no requirements: the channel initiator does not need an Alternative Name or a Key Usage in the certificate. The longer answer is maybe, because the peer that validates the certificate may have rules of its own.
For the chinit
I used the following RACF commands to define the certificate for the z/OS queue manager's channel initiator. Note that there is no ALTNAME and no KEYUSAGE:

RACDCERT ID(START1) GENCERT -
  SUBJECTSDN(CN('CSQ9CERT') -
             O('ADCD') -
             OU('TEST')) -
  SIZE(2048) -
  RSA -
  SIGNWITH(CERTAUTH LABEL('ADCD-CA')) -
  NOTAFTER(DATE(2021-12-29)) -
  WITHLABEL('CSQ9CERT')

RACDCERT ID(START1) ALTER(LABEL('CSQ9CERT')) TRUST

RACDCERT ID(START1) CONNECT(RING(MQRING) -
  LABEL('CSQ9CERT') USAGE(PERSONAL))

RACDCERT LISTRING(MQRING) ID(START1)
RACDCERT LIST(LABEL('CSQ9CERT')) ID(START1)
SETROPTS RACLIST(DIGTCERT,DIGTRING) REFRESH
Things to be careful about:
- Check the NOTAFTER date: an expired certificate is rejected during the TLS handshake.
- The certificate needs to have status TRUST.
- The CONNECT of the certificate to the keyring needs USAGE(PERSONAL). If it does not have it you get CSQX645E +cpf CSQXRESP Certificate … missing for channel …
- If the certificate is RSA, or the CA certificate is RSA, then check the key size of the certificate and of the CA. On MQ 9.2 the size must be at least the MinimumRSAKeySize in the SSL stanza of the qm.ini or mqclient.ini of any distributed queue manager or client that connects to this queue manager.
For the MQ Web server
Any key usage works, from no KEYUSAGE at all to KEYUSAGE(DATAENCRYPT, DOCSIGN, HANDSHAKE). Just do not use KEYUSAGE(CERTSIGN): with CERTSIGN Chrome gives NET::ERR_CERT_INVALID, and the TLS trace gives BAD_CERTIFICATE or UNKNOWN_CERTIFICATE. See here.
Leaving KEYUSAGE off is safe because a certificate with no keyUsage extension is treated as unrestricted (check with RACDCERT LIST that no Key Usage is shown). If you do specify it, include HANDSHAKE, which sets the digitalSignature and keyEncipherment bits the TLS handshake needs; CERTSIGN sets only keyCertSign and cRLSign, which is why a browser refuses it for a server.
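The checks from the chinit list and the web-server paragraph above, as an added runnable example that is not code from the original post or from IBM. It uses Go's standard library to build a CA standing in for ADCD-CA and three certificates: a copy of the CSQ9CERT definition (subject and validity only), a browser-friendly variant with the server IP in the SAN, the equivalent of KEYUSAGE(HANDSHAKE) and a serverAuth EKU, and a deliberately bad one that is expired, CERTSIGN-only, clientAuth-only and 1024-bit. CertChecks applies the chinit list (NOTAFTER, key size against a MinimumRSAKeySize of 2048, usable keyUsage); VerifyForIP does what a browser does (chain, EKU, SAN). The address 10.1.1.1, the serial numbers and the validity dates are constructed. TRUST status and USAGE(PERSONAL) are keyring attributes rather than certificate content, so they have no equivalent here.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// sign generates an RSA key of bits size and signs tmpl with parent/parentKey; a nil parent self-signs.
func sign(tmpl, parent *x509.Certificate, parentKey *rsa.PrivateKey, bits int) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// leaf is the RACDCERT GENCERT above as a Go template: subject and validity, nothing else.
func leaf(serial int64, now time.Time) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: "CSQ9CERT", Organization: []string{"ADCD"}, OrganizationalUnit: []string{"TEST"}},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.AddDate(1, 0, 0),
	}
}

// Fixtures builds a CA standing in for ADCD-CA and three leaves: chinit is the GENCERT above
// unchanged; web adds the server IP in the SAN, KEYUSAGE(HANDSHAKE) and a serverAuth EKU;
// problem is expired, has CERTSIGN-only key usage, a clientAuth-only EKU and a 1024-bit key.
func Fixtures(now time.Time, ip net.IP) (ca, chinit, web, problem *x509.Certificate, err error) {
	caTmpl := leaf(1, now)
	caTmpl.Subject, caTmpl.NotAfter = pkix.Name{CommonName: "ADCD-CA"}, now.AddDate(10, 0, 0)
	caTmpl.IsCA, caTmpl.BasicConstraintsValid, caTmpl.KeyUsage = true, true, x509.KeyUsageCertSign|x509.KeyUsageCRLSign
	webTmpl := leaf(3, now)
	webTmpl.IPAddresses = []net.IP{ip} // constructed address, not from the post
	webTmpl.KeyUsage = x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment
	webTmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	badTmpl := leaf(4, now)
	badTmpl.NotBefore, badTmpl.NotAfter = now.AddDate(-2, 0, 0), now.AddDate(-1, 0, 0)
	badTmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	badTmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	ca, caKey, err := sign(caTmpl, nil, nil, 2048)
	issue := func(t *x509.Certificate, bits int) (c *x509.Certificate) {
		if err == nil {
			c, _, err = sign(t, ca, caKey, bits)
		}
		return
	}
	chinit, web, problem = issue(leaf(2, now), 2048), issue(webTmpl, 2048), issue(badTmpl, 1024)
	return
}

// CertChecks applies the chinit list above: NOTAFTER, RSA key size against the peer's
// MinimumRSAKeySize, and a keyUsage that still allows a TLS handshake. true means pass.
func CertChecks(cert *x509.Certificate, now time.Time, minRSAKeySize int) map[string]bool {
	r := map[string]bool{}
	r["validity"] = !now.Before(cert.NotBefore) && now.Before(cert.NotAfter)
	r["rsa-key-size"] = cert.PublicKey.(*rsa.PublicKey).N.BitLen() >= minRSAKeySize // RSA only here
	// Absent keyUsage is unrestricted (RFC 5280 4.2.1.3). If present it must carry what RACF's
	// HANDSHAKE sets (digitalSignature/keyEncipherment); CERTSIGN sets only keyCertSign/cRLSign.
	r["key-usage"] = cert.KeyUsage == 0 ||
		cert.KeyUsage&(x509.KeyUsageDigitalSignature|x509.KeyUsageKeyEncipherment) != 0
	return r
}

// VerifyForIP is what a browser or Go TLS client does: chain to the CA, require a serverAuth-compatible
// EKU, and match the connection address against the SAN (the CN is not consulted). MQ channels skip the SAN step.
func VerifyForIP(cert, ca *x509.Certificate, ip net.IP, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: ip.String(), CurrentTime: now})
	return err
}

func main() {
	now, ip := time.Now(), net.ParseIP("10.1.1.1") // constructed address, not from the post
	ca, chinit, web, problem, err := Fixtures(now, ip)
	if err != nil {
		panic(err)
	}
	for name, c := range map[string]*x509.Certificate{"chinit": chinit, "web": web, "problem": problem} {
		fmt.Println(name, CertChecks(c, now, 2048), "verify:", VerifyForIP(c, ca, ip, now))
	}
}
```

Running it shows the point of the post: the CSQ9CERT-style certificate passes every chinit check, yet the browser-style verify fails on it only because there is no SAN; adding the SAN and HANDSHAKE usage (the web fixture) makes that verify succeed; and the problem certificate fails on expiry, key size and CERTSIGN-only key usage before a browser would even look at the SAN.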