kordi
Posted: Wed Oct 21, 2015 5:04 am
Post subject: Renewing certificate question
Centurion, Joined: 28 May 2012, Posts: 146, Location: PL
Hello,
I wanted to renew a certificate, so I copied the kdb to a temp folder, created a CSR using runmqckm, providing the same label name as the old one had, and sent it to be signed. Once I received the signed certificate I wanted to add it to the kdb, but I received the following error:
The certificate request created for the certificate is not in the key database.
And in fact, when I tried to list cert requests I got nothing. I also checked with iKeyman and indeed, the CSR section was empty. However, when I deleted the old cert before I created the new request using the same label as the old one had, everything was fine.
Does it mean that before I create a request using the same label which currently exists in the kdb key store I have to delete the old certificate before requesting the new one?
Regards
fjb_saper
Posted: Wed Oct 21, 2015 6:15 am
Grand High Poobah, Joined: 18 Nov 2003, Posts: 20756, Location: LI,NY
Have you tried recreating the cert request FROM the old entry in the KDB instead of creating a new one?
_________________
MQ & Broker admin
kordi
Posted: Wed Oct 21, 2015 6:29 am
Centurion, Joined: 28 May 2012, Posts: 146, Location: PL
Well, I'm not sure if I understood your question, but I copied the old kdb to a temp folder and tried to create the CSR using the backed-up (old) kdb. I think it is the right way, at least according to IBM:
http://www-01.ibm.com/support/docview.wss?uid=swg21202485
What I did wrong was not deleting the old certificate before creating the request for the new one with the same label as the old one.
fjb_saper
Posted: Wed Oct 21, 2015 11:17 am
Grand High Poobah, Joined: 18 Nov 2003, Posts: 20756, Location: LI,NY
There is a difference... I believe if you delete the old key you recreate a private key when creating the CSR. If you recreate the request from the old key you keep the private key and can thus extend its validity...
However, the best policy is to test this.
Have fun
_________________
MQ & Broker admin
kordi
Posted: Thu Oct 22, 2015 12:53 am
Centurion, Joined: 28 May 2012, Posts: 146, Location: PL
When I was creating the request on the old kdb for a label which already existed in the kdb, iKeyman showed two certificates with the same label in the key store. When I deleted the certificate prior to creating the new request, I could see the new request in the CSR store of the kdb. Without that, you are not able to import (receive) the newly signed certificate into the kdb.
Thanks! I'll do my best
JosephGramig
Posted: Thu Oct 22, 2015 12:16 pm
Grand Master, Joined: 09 Feb 2006, Posts: 1244, Location: Gold Coast of Florida, USA
You are probably better off starting with a new key store and generating the CSR and CRT new and fresh. That way you can increase your key size and it will be more secure.
Then swap out the key stores and refresh security (SSL).
kordi
Posted: Thu Oct 22, 2015 2:33 pm
Centurion, Joined: 28 May 2012, Posts: 146, Location: PL
By key store, do you mean key database?
Using the old key store does not prevent you from having a better secured certificate (CSR) with a bigger key size or a better hash algorithm. You define it when creating the CSR, and after signing, you receive the new, stronger cert into the key database.
Using the old key database file also has the advantage that you don't have to import all of the CA certs which you had in the old kdb into the new one.
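The renewal procedure discussed in this thread, as an added shell example that is not from any of the posters or from IBM. It assumes a working copy of the KDB under /tmp/renew, a placeholder password, the usual ibmwebspheremq<qmgr> label, and that runmqckm list output prints one label per line; it offers both the keep-the-private-key route and the delete-then-recreate route, and after creating a CSR it checks that the request is actually stored in the KDB, which is the silent failure the original poster ran into.

```shell
#!/bin/sh
# Added example, not from the thread: renew a queue manager certificate on a
# COPY of the KDB with runmqckm and verify that each step actually landed.
# Paths, password and label below are placeholders, not values from the post.
set -eu
RUNMQCKM=${RUNMQCKM:-runmqckm}     # MQ's iKeyman command-line tool
KDB=${KDB:-/tmp/renew/key.kdb}     # working copy, never the live key.kdb
KDB_PW=${KDB_PW:-changeit}         # placeholder; note -pw is visible in ps
LABEL=${LABEL:-ibmwebspheremqqm1}  # MQ convention: ibmwebspheremq<qmgr name>
CSR=${CSR:-/tmp/renew/$LABEL.csr}

# Count occurrences of a label in "-cert -list" / "-certreq -list" output
# read from stdin. Assumed format: one label per line, optionally prefixed
# by the *, - or ! markers iKeyman prints; adjust the pattern if yours differs.
count_label() {
  grep -cxE "[[:space:]*!-]*$1[[:space:]]*" || true
}

# Option A (fjb_saper): recreate the CSR from the existing entry, so the
# private key is kept and only the certificate is replaced.
recreate_csr_keep_key() {
  "$RUNMQCKM" -certreq -recreate -db "$KDB" -pw "$KDB_PW" -label "$LABEL" -target "$CSR"
}

# Option B (kordi): new key pair under the same label. The old certificate
# must be deleted first, otherwise the request is not stored in the KDB and
# the signed certificate cannot be received later.
create_csr_new_key() {
  if [ "$("$RUNMQCKM" -cert -list -db "$KDB" -pw "$KDB_PW" | count_label "$LABEL")" -gt 0 ]; then
    "$RUNMQCKM" -cert -delete -db "$KDB" -pw "$KDB_PW" -label "$LABEL"
  fi
  "$RUNMQCKM" -certreq -create -db "$KDB" -pw "$KDB_PW" -label "$LABEL" \
    -dn "CN=QM1,O=Example,C=PL" -size 2048 -file "$CSR"
  # Fail loudly if the request did not land in the CSR section of the KDB.
  n=$("$RUNMQCKM" -certreq -list -db "$KDB" -pw "$KDB_PW" | count_label "$LABEL")
  [ "$n" -eq 1 ] || { echo "CSR for $LABEL is not in $KDB" >&2; return 1; }
}

# Receive the CA-signed certificate into the copy; afterwards swap the copy
# into the queue manager's key repository and run REFRESH SECURITY TYPE(SSL).
receive_signed() {
  "$RUNMQCKM" -cert -receive -db "$KDB" -pw "$KDB_PW" -file "$1" -format ascii
}

case "${1:-}" in
  keep-key) recreate_csr_keep_key ;;
  new-key)  create_csr_new_key ;;
  receive)  receive_signed "${2:?path to signed certificate}" ;;
esac
```

Run it as `sh renew.sh new-key` (or `keep-key`), send the CSR to the CA, then `sh renew.sh receive signed.arm`; the live key repository is only touched when you copy the renewed KDB over it and refresh SSL security.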