hilltops
Posted: Fri Jan 04, 2008 7:28 am Post subject: Problem with import certificate into the certificate DB
Centurion
Joined: 01 Mar 2006 Posts: 112
I am having trouble "receiving" a CA-signed certificate in the certificate database for a queue manager. I get the following error when I try to load the cert into the DB:
    An error occurred while receiving the certificate from the given file.
    The certificate request created for the certificate is not in the key database.
The DB has the intermediate certificate of the CA installed.
Has anyone encountered this problem before?
Thankx

Gaya3
Posted: Fri Jan 04, 2008 8:20 am Post subject:
Jedi
Joined: 12 Sep 2006 Posts: 2493 Location: Boston, US
Hi
I hope you have installed the GSK kit properly.
The .kdb file is created when you create a new key database. A key record in a .kdb file can be either a certificate or a certificate with its encrypted private key information.
Mr Google will help you for the rest.
Regards
Gayathri
_________________
Regards
Gayathri
-----------------------------------------------
Do Something Before you Die

hilltops
Posted: Fri Jan 04, 2008 8:38 am Post subject:
Centurion
Joined: 01 Mar 2006 Posts: 112
Yes, the GSK has been correctly installed. I am able to use all the relevant commands OK. The commands I have used are as follows:
To create the .kdb:
    gsk7cmd -keydb -create -db "/var/mqm/qmgrs/QMGR/ssl/QMGR.kdb" -pw passwd -type cms -stash
To generate the cert signing request:
    gsk7cmd -certreq -create -db "/var/mqm/qmgrs/QMGR/ssl/QMGR.kdb" -pw passwd -label ibmwebspheremqqmgr -dn 'CN=QMGR,O=MyComp,OU=MQManager,L=SomeWhere,ST=Here,C=GB' -size 1024 -file QMGR.csr
To add the CA cert to the kdb:
    gsk7cmd -cert -add -db "/var/mqm/qmgrs/QMGR/ssl/QMGR.kdb" -pw passwd -label verisign_intermediate -file verisign.cert
To receive the queue manager cert into the kdb:
    gsk7cmd -cert -receive -db "/var/mqm/qmgrs/QMGR/ssl/QMGR.kdb" -pw passwd -file /var/mqm/qmgrs/QMGR/ssl/QMGR.cert
Is there anything I have missed out?

bbburson
Posted: Fri Jan 04, 2008 9:40 am Post subject:
Partisan
Joined: 06 Jan 2004 Posts: 378 Location: Nowhere near a queue manager
The gsk7cmd command I use for receiving a cert into the database includes the flag
Don't know if that could be your answer or not.
Also, you MUST receive the cert into the same database where the request was issued. You can see outstanding requests in the database using the gsk7ikm GUI (and I'm sure there's a gsk7cmd equivalent but I don't know what it is).

hilltops
Posted: Fri Jan 04, 2008 3:43 pm Post subject:
Centurion
Joined: 01 Mar 2006 Posts: 112
Yes, indeed I did have the "-format ascii" flag in the "receive" command. But I still have the same problem.

revathi
Posted: Mon Jan 05, 2009 8:22 pm Post subject:
Newbie
Joined: 05 Jan 2009 Posts: 1
Hi,
Simple issue. You are receiving the cert into a different keystore instead of the one that generated it.
Mahesh

aspre1b
Posted: Thu Jul 09, 2009 6:05 am Post subject:
Voyager
Joined: 05 Jul 2007 Posts: 78 Location: Coventry, UK
Does anyone know if it is possible to import a CSR (Cert Signer Request) into a keystore (IBM Key Mgt)?
Scenario - the original keystore has been deleted, but I still have the CSR and the resulting signed certificate.
Is it just a case of recreating the CSR again?
Platform - Win XP
Product - IBM Key Mgt (IKeyman) 7.0.4.11

WMBDEV1
Posted: Thu Jul 09, 2009 6:21 am Post subject:
Sentinel
Joined: 05 Mar 2009 Posts: 888 Location: UK

WMBDEV1
Posted: Thu Jul 09, 2009 6:26 am Post subject:
Sentinel
Joined: 05 Mar 2009 Posts: 888 Location: UK
In fact, the more I look at that the less convinced I am that it's doable.
Anyway, I hope the link is useful at least!

exerk
Posted: Thu Jul 09, 2009 6:39 am Post subject:
Jedi Council
Joined: 02 Nov 2006 Posts: 6339
WMBDEV1 wrote:
    use the -recreate flag?...
Used to generate a new request from an existing received certificate, using the same key used to create the original request...I believe.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.

WMBDEV1
Posted: Thu Jul 09, 2009 6:46 am Post subject:
Sentinel
Joined: 05 Mar 2009 Posts: 888 Location: UK
exerk wrote:
    WMBDEV1 wrote:
        use the -recreate flag?...
    Used to generate a new request from an existing received certificate, using the same key used to create the original request...I believe.
Yeah, I kinda backpedalled after I reread the link I posted and this one...
http://www-01.ibm.com/support/docview.wss?uid=swg21250603
I'm out of ideas (and my comfort zone) now so will leave it to others to try and offer better advice.
Although I was wondering if you could retrieve it from a backup?

exerk
Posted: Thu Jul 09, 2009 6:53 am Post subject:
Jedi Council
Joined: 02 Nov 2006 Posts: 6339
WMBDEV1 wrote:
    ...Although I was wandering if you could retrieve it from a backup?
As far as I am aware, the only thing that ties a queue manager to its key store is the SSLKEYR setting. At my current site, the process is for the contents of the ../ssl directory to be backed up, off-server, whenever any changes are made to it. Even if the queue manager has to be recreated, there is no latency waiting for a new certificate request to be signed etc.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.

WMBDEV1
Posted: Thu Jul 09, 2009 7:01 am Post subject:
Sentinel
Joined: 05 Mar 2009 Posts: 888 Location: UK
exerk wrote:
    WMBDEV1 wrote:
        ...Although I was wandering if you could retrieve it from a backup?
    As far as I am aware, the only thing that ties a queue manager to its key store is the SSLKEYR setting. At my current site, the process is for the contents of the ../ssl directory to be backed up, off-server, whenever any changes are made to it. Even if the queue manager has to be recreated, there is no latency waiting for a new certificate request to be signed etc.
Sounds reasonable..... I was thinking more about whether they had backups containing the keystore to restore it from than the feasibility of the process!
Last edited by WMBDEV1 on Thu Jul 09, 2009 11:09 am; edited 1 time in total

zpat
Posted: Thu Jul 09, 2009 7:43 am Post subject:
Jedi Council
Joined: 19 May 2001 Posts: 5866 Location: UK
We had a similar problem and had to request another certificate to make sure the matching request was in the keystore.
You can also get a problem when importing a CA-signed certificate - make sure it is imported as a "personal" certificate, not as a signer certificate.
Finally, we had to import another VeriSign CA signer certificate (Class 3 G2) because it didn't come as standard with MQ.
If you open your CA personal certificate under Windows you can see the signer hierarchy (cert path) - all these signers need to be in the keystore.
Using iKeyman instead of GSK7CMD makes things easier to get right.

exerk
Posted: Thu Jul 09, 2009 1:05 pm Post subject:
Jedi Council
Joined: 02 Nov 2006 Posts: 6339
zpat wrote:
    ...Finally we had to import another verisign CA signer certificate (class 3 G2) because it didn't come as standard with MQ...
VeriSign changed their trust chain signers in May this year - caught us on the hop.
zpat wrote:
    ...Using Ikeyman instead of GSK7CMD makes things easier to get right...
I've known gsk7cmd to fail if an intermediate CA certificate add is attempted before its root CA certificate is added.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.