| |
|
RSS Feed - WebSphere MQ Support
|
RSS Feed - Message Broker Support
|
  |
|
| SSL CERTIFICATE RENEWAL |
« View previous topic :: View next topic » |
| Author |
Message
|
| dextermbmq |
 Posted: Tue Jan 12, 2016 3:16 pm Post subject: SSL CERTIFICATE RENEWAL |
 |
|
Voyager
Joined: 26 Jul 2014
Posts: 77
|
Hello All,
We are using a SSL self signed certificate in our Broker Keystore. It had expired 2 days ago so there was an urgent need to renew the certificate. We followed the following approach ::
1-)We created a new JKS repository :
Keytool -genkey -keyalg RSA -alias <ALIAS NAME> -keystore <LOCATION> -validity 3650 -keysize 2048
There after if prompted for CN,OU,O and CK details which I provided. As a result we got a new JKS repos. I replaced the pld JKS with this JKS file(both had same names)...Everything worked fine
Now I have a question :
Can we delete the alias pointing to the expired self signed certificate in the old/existing KEYSTORE and then import the new keystore into old keystore using command
keytool -importkeystore -srckeystore <NEW KEYSTORE> -destkeystore <OLD KEYSTORE> -srcalias <ALIAS NAME IN NEW JKS> -destalias <ALIAS NAME IN OLD JKS> -srcstorepass <> -deststorepass<>
============
NOTE : My concern here is that , IS PRIVATE KEY KEYSTORE SPECIFIC OR WE CAN HAVE MULTIPLE CERTIFICATE CHAINS EACH HAVING DIFFERENT PRIVATE KEY WITHIN A KEYSTORE?
When we create a new keystore , we will have a certificate chain(Certificate + public key) along with Private key identified by an ALIAS...Will it be a problem as the old keystore where we are importing the new certificate chain will already have a PRIVATE KEY and the new certificate chain will have a separate PRIVATE KEY.... |
|
| Back to top |
|
 |
| dextermbmq |
| Posted: Sun Jan 17, 2016 8:06 am Post subject: |
|
|
Voyager
Joined: 26 Jul 2014
Posts: 77
|
Hello Guys..
Any assistance is greatly appreciated  |
|
| Back to top |
|
|
| mqjeff |
| Posted: Mon Jan 18, 2016 6:48 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008
Posts: 17447
|
So in the time between your first post and your most recent post (at least 5 days!), you did nothing to test this yourself?
Does that seem like a good way to spend your time trying to solve a problem?
_________________
chmod -R ugo-wx / |
|
| Back to top |
|
|
| dextermbmq |
| Posted: Tue Jan 19, 2016 7:22 am Post subject: you did nothing to test this yourself? |
|
|
Voyager
Joined: 26 Jul 2014
Posts: 77
|
| As I mentioned earlier the issue was resolved by creating a new keystore. Even with the second approach I specified, I can easily configure it but I am wondering how will I check the SSL configuration. I mean in run time I had applications by developers to test it I can't play around with the environment by disturbing the Keystore. So, thought of checking with experts |
|
| Back to top |
|
|
| mqjeff |
| Posted: Tue Jan 19, 2016 7:24 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008
Posts: 17447
|
If you have a procedure to test a new keystore, should the procedure to test a changed keystore be different?
_________________
chmod -R ugo-wx / |
|
| Back to top |
|
|
|
|
|
| |
|
Page 1 of 1 |
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
|
|
|
