How to renew expiring self-signed SSL cert?
zhanghz
Posted: Sun Nov 02, 2008 10:43 pm Post subject: How to renew expiring self-signed SSL cert?
Disciple
Joined: 17 Jun 2008 Posts: 186
Hi guys, can you share with me how you usually do SSL renewal for MQ? I want to see whether my approach is correct or appropriate.
Here is my scenario:
I have a z/OS QMGR (ZOS), connected to an AIX QMGR (AIX). The self-signed certs on AIX are to expire soon. The ZOS cert is not expiring yet.
What I have in mind is:
On a scheduled downtime for both ZOS and AIX, AIX will renew the cert, extract the new cert and send it to me. I will delete the existing, expiring cert on ZOS and import the new cert I have received from AIX into ZOS.
Is this the correct way to renew a self-signed cert? If not, what should be the correct way?
And how should AIX renew their cert? Can you share with me the steps or point me to some references?
Thanks.
gs
Posted: Mon Nov 03, 2008 7:59 am Post subject:
Master
Joined: 31 May 2007 Posts: 254 Location: Sweden
Yes, that's how I'd do it in your setup.
To renew a certificate, you'll have to recreate it.
If you use a lot of self-signed certificates in your organization, I'd advise you to use a CA cert to sign all qmgr certificates. This is to minimize the need to copy the individual public certificates to every keystore.
zhanghz
Posted: Mon Nov 03, 2008 10:08 pm Post subject:
Disciple
Joined: 17 Jun 2008 Posts: 186
Thanks gs.
So it's correct that I delete the expiring AIX cert on the ZOS qmgr and re-import the new AIX cert, overwriting its existing label on the ZOS qmgr.
I actually have another method, a little untidy: AIX will create a new cert (but not yet effective in AIX's own qmgr) prior to expiration and send it to me; I import it and connect it to the ZOS keyring using a different label. Then I don't have to do anything on ZOS even when AIX makes its new cert effective on the AIX side.
The 2nd method will leave 2 AIX certs in the ZOS keyring. Kind of untidy. But of course I can delete the old expired AIX cert from ZOS after it expires. I am wondering if anyone is doing something like this.
Thanks.
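
The overlap approach from the last post (the partner's new self-signed cert trusted under a second label before the old one expires), modelled as an added example that is not part of the original thread. It reports whether a replacement is already staged and which expired labels can be cleaned up afterwards. The labels, DN and dates are constructed, and grouping a partner's certs by subject DN is an assumption.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class TrustedCert:
    label: str            # keyring label (constructed for this example)
    subject: str          # subject DN of the partner's self-signed cert
    not_before: datetime
    not_after: datetime

def covered_until(certs, now):
    """Time up to which at least one trusted cert is continuously valid from now."""
    end = None
    for c in sorted(certs, key=lambda c: c.not_before):
        horizon = now if end is None else end
        if c.not_before <= horizon < c.not_after:
            end = c.not_after
    return end

def rollover_plan(keyring, now, warn=timedelta(days=30)):
    """Per partner subject: trust status and expired labels that can be removed."""
    plan = {}
    for subject in sorted({c.subject for c in keyring}):
        certs = [c for c in keyring if c.subject == subject]
        current = [c for c in certs if c.not_before <= now < c.not_after]
        end = covered_until(certs, now)
        if end is None:
            status = "outage"   # nothing valid is trusted: the handshake fails
        elif end - now <= warn:
            status = "renew"    # expiry is near and no replacement is staged
        elif min(c.not_after for c in current) - now <= warn:
            status = "staged"   # old cert near expiry, replacement already trusted
        else:
            status = "ok"
        expired = sorted(c.label for c in certs if c.not_after <= now)
        plan[subject] = {"status": status, "covered_until": end, "remove": expired}
    return plan

# Constructed sample: the ZOS keyring holding two AIX certs under different labels.
AIX_DN = "CN=AIX.QMGR,O=Example"
OLD = TrustedCert("AIX.CERT.OLD", AIX_DN, datetime(2007, 12, 1), datetime(2008, 12, 1))
NEW = TrustedCert("AIX.CERT.NEW", AIX_DN, datetime(2008, 11, 10), datetime(2009, 11, 10))

if __name__ == "__main__":
    for when in (datetime(2008, 11, 3), datetime(2008, 12, 2)):
        print(when.date(), rollover_plan([OLD, NEW], when)[AIX_DN])
```

With only the old cert in the keyring the same dates give "renew" before expiry and "outage" after it, which is the window the single-label replacement has to fit inside the scheduled downtime.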