
 Help needed: Connect Dockerized .NET 8 (Linux) app to IBM MQ using server‑side TLS + username/password (MQRC 2393)

Yogesh Ratudi posted Tue July 29, 2025 05:39 PM

I’m new to IBM MQ (with prior experience on RabbitMQ) and I’m struggling to establish a secure connection from a Dockerized .NET app on Linux. Any guidance would be greatly appreciated.

Environment

  • Client: .NET 8, IBM XMS (managed) library, running in Linux Docker container

  • Auth mode: Server‑authenticated TLS (one‑way TLS) + USERID/PASSWORD

  • Certificates: Root + Intermediate provided as .pem -> converted to .crt. As it is server-side SSL and I didn't have the private key, I didn't go for the .p12 format.

  • Server: IBM MQ (SVRCONN channel with TLS enabled)

What works

  1. Python client connects successfully over server‑only TLS using a .kdb and username/password.

What fails

  2. .NET (IBM XMS managed) client consistently returns MQRC_SSL_INITIALIZATION_ERROR (2393).

What I understand

The managed .NET client relies on the OS certificate store (OpenSSL on Linux), unlike Python/Java that can use a client-side keystore file.

What I tried

  • Method 1 (OS trust): Install root/intermediate .crt into the container’s trust store (visible under /etc/ssl/certs/), then update trust.

  • Method 2 (.NET import): Import certificates via X509Store at runtime into CurrentUser\My (confirmed entries are present).

With Method 1 we can see the certificates moved to the ‘/etc/ssl/certs/’ folder, and with Method 2 we can see the certs are loaded in the keystore via .NET.

  • Also attempted setting extended SSL properties in XMS; no change in behavior.

Pain point

The error is generic. I am not getting actionable details to pinpoint certificate validation vs. hostname/SAN vs. cipher mismatch vs. store location.

What I need is

  • Proper location/approach for CA/chain on Linux w/ XMS managed client?

  • How to verify the app is using those certs (diagnostics)?

  • Minimal, known‑good .NET 8 + XMS TLS sample (server‑auth only).

Tim Zielke

Did you reference this doc in the manual? Not sure if it will help you or not.

https://www.ibm.com/docs/en/ibm-mq/9.4.x?topic=tmnp-common-ssl-error-codes-thrown-by-mq-net-client-libraries
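
Two of the causes the question wants to tell apart, a chain/trust failure and a hostname/SAN mismatch, can be checked offline in .NET 8 without going through XMS. The following is an added example, not code from the thread or from IBM: it validates a server certificate against an explicit CA list and reports the two results separately. The certificates and the name qm1.example.test are constructed in the code; the assumption is that in real use the CA list would be loaded from the supplied PEM files.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class TrustCheck
{
    // Validate `server` trusting only the CA certificates passed in (the OS trust
    // store is ignored) and report chain status and hostname/SAN match separately.
    public static (X509ChainStatusFlags Chain, bool NameOk) Check(
        X509Certificate2 server, X509Certificate2Collection cas, string host)
    {
        using var chain = new X509Chain();
        chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
        chain.ChainPolicy.CustomTrustStore.AddRange(cas);
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        chain.Build(server);
        var flags = X509ChainStatusFlags.NoError;
        foreach (var s in chain.ChainStatus) flags |= s.Status;
        return (flags, server.MatchesHostname(host));
    }

    static void Main()
    {
        // Constructed throwaway PKI: one root CA and one server certificate.
        var now = DateTimeOffset.UtcNow;
        using var caKey = RSA.Create(2048);
        var caReq = new CertificateRequest("CN=Constructed Test Root", caKey,
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        caReq.CertificateExtensions.Add(new X509BasicConstraintsExtension(true, false, 0, true));
        using var ca = caReq.CreateSelfSigned(now.AddDays(-1), now.AddDays(30));

        using var srvKey = RSA.Create(2048);
        var srvReq = new CertificateRequest("CN=qm1.example.test", srvKey,
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        var san = new SubjectAlternativeNameBuilder();
        san.AddDnsName("qm1.example.test");
        srvReq.CertificateExtensions.Add(san.Build());
        using var srv = srvReq.Create(ca, now, now.AddDays(7), new byte[] { 1, 2, 3, 4 });

        var trusted = new X509Certificate2Collection(ca);
        var empty = new X509Certificate2Collection();
        Console.WriteLine(Check(srv, trusted, "qm1.example.test"));   // CA supplied, name matches
        Console.WriteLine(Check(srv, empty, "qm1.example.test"));     // CA missing from the list
        Console.WriteLine(Check(srv, trusted, "other.example.test")); // name not in the SAN
    }
}
```

A clean chain with a matching name here rules out the certificate files and the SAN, leaving cipher mismatch or store location as the remaining candidates from the list above.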