cscheer |
Posted: Wed Jan 31, 2007 10:45 am Post subject: New QMGR, existing CA Cert |
|
|
Novice
Joined: 15 Aug 2006 Posts: 13
|
We have a Verisign cert/key that we use in several places. I have the .key and .crt file in my ~/qmgr/QM1/ssl directory. I cannot seem to get them imported. Seems I have to create a request first. Is that correct? Can't I import an existing CA cert? This is a 6.0 MQ setup on hpux. I have read through and went through all the docs and don't see a way to import an existing cert. |
|
cscheer |
Posted: Wed Jan 31, 2007 11:51 am Post subject: |
|
|
Novice
Joined: 15 Aug 2006 Posts: 13
|
OK, I guess this comes down to I can't figure out how to get a Verisign cert imported when the request was not generated by MQ. It just tells me that the request for the cert is not in the database. Help.... |
|
mvic |
Posted: Wed Jan 31, 2007 1:10 pm Post subject: |
|
|
 Jedi
Joined: 09 Mar 2004 Posts: 2080
|
|
cscheer |
Posted: Wed Jan 31, 2007 1:33 pm Post subject: |
|
|
Novice
Joined: 15 Aug 2006 Posts: 13
|
OK, so I have an existing wildcard cert that our company owns. It was generated with openssl and sent to Verisign. They sent back the cert. We use this cert in several places for apache. We need to use this same cert in MQ. We don't have the money to purchase another one. What I am finding is since I did not do the Verisign request in the gsk7ikm, I cannot get the key into the repository. gsk7ikm says that it cannot find the request in the DB when I try to "Receive" the key. Our security department is saying that I cannot use a self-signed cert. So, I am stuck..... |
|
jefflowrey |
Posted: Wed Jan 31, 2007 1:41 pm Post subject: |
|
|
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981
|
I think mvic is saying you need to ADD it rather than RECEIVE it. _________________ I am *not* the model of the modern major general. |
|
bbburson |
Posted: Wed Jan 31, 2007 1:46 pm Post subject: |
|
|
Partisan
Joined: 06 Jan 2004 Posts: 378 Location: Nowhere near a queue manager
|
If you can export the cert in p12 format from one keystore, you can use gsk7ikm to import it into the key database for the queue manager. My disclaimer: I have done this many times, but only using gsk7ikm for both the exporting and importing.
How to do the export from a non-gsk7ikm key database I do not know. Also how to get the label into the required format "ibmwebspheremqqmgrname" I also don't know.
And...
jefflowrey wrote: |
I think mvic is saying you need to ADD it rather than RECEIVE it. |
...if it is the certificate for the CA itself.
Last edited by bbburson on Wed Jan 31, 2007 1:51 pm; edited 2 times in total |
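
Added example, not part of any post in this thread: one way to produce the p12 file mentioned above from an OpenSSL-generated key and the CA-issued certificate, with the friendly name set to the `ibmwebspheremq` + lower-cased queue manager name label. The function names, file names and the `P12_PW` environment variable are hypothetical, and the demo uses a constructed throwaway self-signed certificate in place of the real one.

```shell
#!/bin/sh
# Bundle an OpenSSL key + CA-issued cert into PKCS#12 for a queue manager key database.

# MQ personal certificate label: "ibmwebspheremq" + lower-cased queue manager name.
mq_label() {
    printf 'ibmwebspheremq%s' "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')"
}

# Succeeds only if the private key and the certificate carry the same public key.
key_matches_cert() {  # usage: key_matches_cert KEY CRT
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# usage: make_p12 KEY CRT QMGR OUT   (password is read from $P12_PW, an assumption)
make_p12() {
    key_matches_cert "$1" "$2" || { echo "key/cert mismatch" >&2; return 1; }
    ( umask 077   # the bundle contains the private key: owner-only permissions
      openssl pkcs12 -export -inkey "$1" -in "$2" \
          -name "$(mq_label "$3")" -out "$4" -passout env:P12_PW )
}

# Print the label (friendlyName) stored in a PKCS#12 file.
p12_label() {
    openssl pkcs12 -in "$1" -passin env:P12_PW -nokeys 2>/dev/null |
        sed -n 's/^ *friendlyName: *//p' | head -n 1
}

# Constructed demo: a throwaway self-signed wildcard cert stands in for the real one.
demo() {
    d=$(mktemp -d) || return 1
    P12_PW='constructed-demo-pw'; export P12_PW
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=*.example.test' \
        -keyout "$d/wild.key" -out "$d/wild.crt" 2>/dev/null || return 1
    make_p12 "$d/wild.key" "$d/wild.crt" QM1 "$d/qm1.p12" || return 1
    p12_label "$d/qm1.p12"
    rm -rf "$d"
}
```

The resulting file is the kind of p12 export that gsk7ikm can import into the queue manager's key database; the key/certificate check catches a mismatched pair before it gets that far.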
|
cscheer |
Posted: Wed Jan 31, 2007 1:49 pm Post subject: |
|
|
Novice
Joined: 15 Aug 2006 Posts: 13
|
Under signer certs, there is an add. Under personal certs, there is only receive. It was my understanding that the signer certs tab was only for the certs that you download from the major CAs, the root cert. I thought that our cert, the one we purchased from Verisign, was added to the personal certs page. Maybe I am wrong. Maybe that is my problem. Is the personal certs only for the self-signed certs, and all purchased certs go into the signer certs? |
|
mvic |
Posted: Wed Jan 31, 2007 2:47 pm Post subject: |
|
|
 Jedi
Joined: 09 Mar 2004 Posts: 2080
|
jefflowrey wrote: |
I think mvic is saying you need to ADD it rather than RECEIVE it. |
Well actually I interpreted the manual at the URL I gave as saying to use "receive". Until that point there was some doubt because cscheer was using the word "import".
I don't get this stuff, most of the time. One day it makes sense. The next day, I forget it all and become a newbie again |
|