Certificate chain - two different root certificates
kudlanka
Posted: Mon Jun 09, 2014 3:26 am    Post subject: Certificate chain - two different root certificates

Novice

Joined: 19 Mar 2009
Posts: 20
Location: Prague

Hello,

One of our WS suppliers will change its CA from its own to VeriSign.

The supplier's support people sent us certificates, and the certificate chain looks like this:
- VeriSign Class 3 Public Primary Certification Authority (PCA3 G1 SHA1) -- ROOT
-- VeriSign Class 3 Public Primary Certification Authority - G5 - inter
--- Symantec Class 3 Secure Server CA - G4 - inter

We already have the certificate VeriSign Class 3 Public Primary Certification Authority - G5 in our truststore. But ours is issued as a ROOT certificate (issued by and issued for are the same).

The supplier's server will send both G5 and G4 (they are intermediates for him) during the SSL handshake, and we are not sure how WMB handles it.

Do we have to import VeriSign Class 3 Public Primary Certification Authority (PCA3 G1 SHA1), which is the supplier's ROOT CA, into our truststore, or does WMB check the first intermediate (G4) against the truststore, and it passes because we have G5 as root?

Thank you,
Kudlanka
fjb_saper
Posted: Mon Jun 09, 2014 4:24 am

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY

Wonder how you got the G5 as root?
Anyways the G5 root and G5 inter are 2 different certs... so yes you will need the full chain...
_________________
MQ & Broker admin
kudlanka
Posted: Mon Jun 09, 2014 5:25 am

Novice

Joined: 19 Mar 2009
Posts: 20
Location: Prague

Our security officer said that 2 same certs with different root CAs are used when the issuer needs to cover the expiration of the current CA.

We were able to link G4 with both G5s (our root and G5 as inter); it seems to be cross-signed, as I just found out in this article: http://www.confusedamused.com/notebook/fixing-verisign-certificates-on-windows-servers/

Our situation is similar to this.

What we are not able to test is what the broker will do with the intermediate G5 in the SSL handshake: ignore it or not?
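
The cross-signing layout discussed in this thread can be reproduced offline with a throwaway PKI. This is an added example, not part of the original posts: it shows how the OpenSSL verifier builds the path and says nothing about what WMB's JSSE does. All names (Old Root, G5, G4 Inter, server.example) and the helper functions are constructed for the example.

```shell
#!/bin/sh
# Constructed throwaway PKI shaped like the thread's chain. Every name here is a
# stand-in made up for this example; none are the real VeriSign/Symantec certs.
# Assumes the openssl CLI, version 1.1.0 or later (trusted-first path building).
csr() {  # csr NAME CN: new RSA key plus CSR
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$2" 2>/dev/null
}
sign() {  # sign CSR_NAME OUT ISSUER_CERT ISSUER_KEY SERIAL [extra x509 args]
  n=$1 out=$2 ca=$3 key=$4 ser=$5; shift 5
  openssl x509 -req -in "$n.csr" -CA "$ca" -CAkey "$key" -set_serial "$ser" \
    -days 30 -out "$out" "$@" 2>/dev/null
}
build_pki() {  # build_pki DIR
  ( cd "$1" || exit 1
    printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
    csr old "Old Root"; csr g5 "G5"; csr g4 "G4 Inter"; csr srv "server.example"
    # Two self-signed roots: the supplier's old root and the G5 root in "our" truststore.
    openssl x509 -req -in old.csr -signkey old.key -days 30 -extfile ca.ext -out old_root.pem 2>/dev/null
    openssl x509 -req -in g5.csr -signkey g5.key -days 30 -extfile ca.ext -out g5_root.pem 2>/dev/null
    # Same G5 subject and key, but issued by the old root: the cross-signed G5.
    sign g5 g5_cross.pem old_root.pem old.key 2 -extfile ca.ext
    sign g4 g4.pem g5_root.pem g5.key 3 -extfile ca.ext
    sign srv srv.pem g4.pem g4.key 4
    cat g4.pem g5_cross.pem > sent_both.pem   # intermediates the server sends
  )
}
# chain_ok DIR TRUSTSTORE SENT: exit 0 if srv.pem validates against TRUSTSTORE
chain_ok() {
  openssl verify -CAfile "$1/$2" -untrusted "$1/$3" "$1/srv.pem" >/dev/null 2>&1
}

dir=$(mktemp -d) && build_pki "$dir"
chain_ok "$dir" g5_root.pem sent_both.pem && echo "trust G5 root only, server sends G4 + cross-signed G5: OK"
chain_ok "$dir" old_root.pem sent_both.pem && echo "trust old root only, same handshake: OK"
chain_ok "$dir" old_root.pem g4.pem || echo "trust old root only, cross-signed G5 not sent: FAIL"
rm -rf "$dir"
```

G4 names G5 as its issuer and is signed with the G5 key, so it verifies under either G5 certificate; which path is chosen depends on what the verifier finds in its trust store.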