Certificate Label when fetching from Windows Cert

Published 2019-08-11 04:37

Question:

I have set the KeyStore to *User to get the certificate from the Windows certificate store. The MQ client application is trying to find the certificate using the label name, as shown in the log from the client trace. I tried setting the CertificateLabel from the client.ini and from code, but it is not overriding the value.

How should I change that? Even if I can override it, how can I change the label of the certificate which I imported directly into my certificate store?

Please help.

000001B6 12:23:39.868134 4236.8 Created store object to access certificates 
000001B7 12:23:39.868134 4236.8 Opened store 
000001B8 12:23:39.868134 4236.8 Accessing certificate - **ibmwebspheremq(username)** 


How should I change the label in the certificate store for the existing certificate?

And then it throws the exception below:

000001B9 12:23:39.868134 4236.8 TLS12 supported - True 
000001BA 12:23:39.868134 4236.8 Setting SslProtol as Tls 
000001BB 12:23:39.868134 4236.8 Starting SSL Authentication 
000001BC 12:23:39.868134 4236.8 ------------{ MQEncryptedSocket.FixClientCertificate(Object,String,X509CertificateCollection,X509Certificate,String[]) 
000001BD 12:23:39.868134 4236.8 Client callback has been invoked to find client certificate 
000001BE 12:23:39.868134 4236.8 ------------} MQEncryptedSocket.FixClientCertificate(Object,String,X509CertificateCollection,X509Certificate,String[]) rc=OK 
000001BF 12:23:40.507601 4236.8 System.Security.Authentication.AuthenticationException: A call to SSPI failed, see inner exception. ---> System.ComponentModel.Win32Exception: The client and server cannot communicate, because they do not possess a common algorithm

Answer 1:

I've just finished battling this exact same problem, with MQ v8, over the last 2 days and found Shashi's link to be helpful, but it didn't completely solve my problem. In addition to the instructions on that link, you need to make sure that the "Friendly name" of the certificate in the store is compliant with the MQ certificate label naming convention, i.e. ibmwebspheremqlogonuserID.

For example, let's say you're currently logged in and your logon ID is jdoe. When you run your MQ client, the MQ client libraries will look for a certificate with a friendly name matching ibmwebspheremqjdoe. Finally, I only needed to add the following two properties to connect successfully:

properties.Add(MQC.SSL_CERT_STORE_PROPERTY, "*SYSTEM");
properties.Add(MQC.SSL_CIPHER_SPEC_PROPERTY, "TLS_RSA_WITH_AES_128_CBC_SHA");

Bear in mind that I installed the CA-signed certificate into the "Local computer" key store and not the user keystore. That's why I specified *SYSTEM in the SSL_CERT_STORE_PROPERTY.

Here are all of the properties I used:

properties = new Hashtable();
properties.Add(MQC.TRANSPORT_PROPERTY, MQC.TRANSPORT_MQSERIES_MANAGED);        // managed .NET client
properties.Add(MQC.HOST_NAME_PROPERTY, hostName);
properties.Add(MQC.PORT_PROPERTY, port);
properties.Add(MQC.CHANNEL_PROPERTY, channelName);
properties.Add(MQC.SSL_CERT_STORE_PROPERTY, "*SYSTEM");                        // Local Computer store, not the user store
properties.Add(MQC.SSL_CIPHER_SPEC_PROPERTY, "TLS_RSA_WITH_AES_128_CBC_SHA");  // must match the channel's SSLCIPH
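As an added example (not code from the question or the answer above), the following C# program does what the question asks for and what the answer describes: it relabels a certificate that was imported directly into Local Computer\Personal (the store the answer selects with *SYSTEM) so that its friendly name is ibmwebspheremq followed by the lowercase logon user ID, and then checks that a certificate with that label, and a private key, is present. The class and method names, and the thumbprint passed on the command line, are assumptions for the example. It is Windows-only (the FriendlyName setter persists to the store only there) and must be run elevated, since writing to a Local Computer certificate needs administrator rights.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;

// Added example, not code from the question or the answer above.
// Assumptions: the CA-signed client certificate, together with its private
// key, is already in Local Computer\Personal (the store the answer selects
// with SSL_CERT_STORE_PROPERTY = "*SYSTEM") and is identified by the thumbprint
// given on the command line. Windows only: X509Certificate2.FriendlyName is
// written back into the store there, and the Local Computer store needs an
// elevated prompt for writes.
static class MqCertLabel
{
    // The label the MQ client looks for by default: "ibmwebspheremq" followed
    // by the logon user ID in lowercase (jdoe -> ibmwebspheremqjdoe).
    public static string ExpectedLabel() =>
        "ibmwebspheremq" + Environment.UserName.ToLowerInvariant();

    // Locate the certificate by thumbprint and set its friendly name.
    public static void Relabel(string thumbprint, StoreLocation location, string label)
    {
        // certlm.msc shows thumbprints with spaces; Find wants bare hex.
        string hex = thumbprint.Replace(" ", "").ToUpperInvariant();

        using (var store = new X509Store(StoreName.My, location))
        {
            store.Open(OpenFlags.ReadWrite); // ReadWrite: the label is written back

            X509Certificate2Collection found = store.Certificates.Find(
                X509FindType.FindByThumbprint, hex, validOnly: false);
            if (found.Count != 1)
                throw new InvalidOperationException(
                    $"expected one certificate with thumbprint {hex}, found {found.Count}");

            X509Certificate2 cert = found[0];

            // A label match alone is not enough for TLS client authentication:
            // the client has to sign the handshake, so the private key must be
            // present. A certificate imported from a bare .cer file would be
            // found by label and then fail in the handshake.
            if (!cert.HasPrivateKey)
                throw new InvalidOperationException(
                    "certificate has no private key; import the .pfx/.p12 that contains it");

            cert.FriendlyName = label;
        }
    }

    // Re-check the lookup the trace shows the client making: by label, in the
    // chosen store. The comparison here is exact, so a stray capital letter or
    // trailing space in the friendly name will not match.
    public static bool IsLabelled(StoreLocation location, string label)
    {
        using (var store = new X509Store(StoreName.My, location))
        {
            store.Open(OpenFlags.ReadOnly);
            foreach (X509Certificate2 cert in store.Certificates)
            {
                if (string.Equals(cert.FriendlyName, label, StringComparison.Ordinal)
                    && cert.HasPrivateKey)
                    return true;
            }
            return false;
        }
    }

    static int Main(string[] args)
    {
        if (args.Length != 1)
        {
            Console.Error.WriteLine("usage: MqCertLabel <thumbprint>");
            return 2;
        }

        string label = ExpectedLabel();
        Relabel(args[0], StoreLocation.LocalMachine, label);

        bool ok = IsLabelled(StoreLocation.LocalMachine, label);
        Console.WriteLine(ok
            ? $"certificate now carries label {label} in Local Computer\\Personal"
            : $"no certificate with label {label} in Local Computer\\Personal");
        return ok ? 0 : 1;
    }
}
```

The label is derived from the logon ID of the account the client runs under, so a client hosted in a Windows service or scheduled task needs the certificate labelled for that service account, not for the developer who imported it. With the label in place, the answer's SSL_CERT_STORE_PROPERTY = "*SYSTEM" points the client at this store; the "no common algorithm" failure in the trace is a separate matter that the answer handles with SSL_CIPHER_SPEC_PROPERTY.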