| Author |
Message
|
| smeunier |
 Posted: Wed Mar 15, 2017 11:11 am Post subject: SSL CSR Generation |
 |
|
Partisan
Joined: 19 Aug 2002
Posts: 305
Location: Green Mountains of Vermont
|
I'm preparing to stand up some new servers, which have known domain assignments reserved for them. The hardware is not built yet, so MQ does not exist on them yet, obviously. I wan to get a head start on ordering the SSL CA certificates so that I will have them in hand when the new hardware is built and MQ is installed.
My question is: Can I generate a CSR from any MQ server using GSKit version 8 as long as the request has all the information in the request that is relevant to the new server(CN,O, etc). It seems that the generation of a CSR is not really dependent on server information, but rather than the information that is supplied in the CSR itself. When I receive the CA back, I figured I could either create a new keydb that I created on a tmp directory and then move that keydb to the new server when the time comes, or install it on the new servers keydb.
Is there any issue with doing this(create a CSR on one server and use the results on another server)?
I don't want to generate request from on server that can't be used on another. |
|
| Back to top |
|
 |
| exerk |
| Posted: Wed Mar 15, 2017 11:44 am Post subject: |
|
|
Jedi Council
Joined: 02 Nov 2006
Posts: 6339
|
No problem at all, provided the relevant security department doesn't have any objection to you shipping keys around the network...
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
|
| Back to top |
|
|
| zpat |
| Posted: Thu Mar 16, 2017 1:51 am Post subject: |
|
|
Jedi Council
Joined: 19 May 2001
Posts: 5866
Location: UK
|
Make your life easy.
Launch ikeyman GUI on your PC (comes with MQ installation).
Create a CMS keystore (stash password) or open one copied from somewhere else.
Create a CSR (see the menu options) - submit ARM file to the CA.
When you get the cert, import it as a personal certificate.
Add any signers you want.
Copy the keystore (binary mode FTP) to the server.
I suggest you keep all your keystores in a master LAN location, so you can recover from losing them on the server. Keep a note of passwords, expiry dates etc.
If you find ikeyman incredibly slow - then temporarily put the keystore on your C drive and it will magically speed up. For some reason working on a LAN drive makes ikeyman sluggish.
ikeyman can do JKS and other keystore formats (e.g. for use with IIB).
_________________
Well, I don't think there is any question about it. It can only be attributable to human error. This sort of thing has cropped up before, and it has always been due to human error. |
|
| Back to top |
|
|
| exerk |
| Posted: Thu Mar 16, 2017 2:30 am Post subject: |
|
|
Jedi Council
Joined: 02 Nov 2006
Posts: 6339
|
| zpat wrote: |
| ...Keep a note of passwords... |
Or unstash it when necessary 
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
|
| Back to top |
|
|
| smeunier |
| Posted: Fri Mar 17, 2017 5:55 am Post subject: |
|
|
Partisan
Joined: 19 Aug 2002
Posts: 305
Location: Green Mountains of Vermont
|
Thanks for all the feedback on this. I had access to a new MQ build on Linux and created a directory under SSL directory and creates a
kdb for each qmgr I'm generating a CSR for. I'll use this as my ssl build until the real servers are in place, then port the kdb to each server. |
|
| Back to top |
|
|
| zpat |
| Posted: Fri Mar 17, 2017 8:48 am Post subject: |
|
|
Jedi Council
Joined: 19 May 2001
Posts: 5866
Location: UK
|
Just to be clear.
You can do all the keystore work on your own PC with the GUI ikeyman tool that comes with MQ (aka IBM key management on your Windows menu).
You can also run command line tools on windows.
Probably a good idea to name the keystores to include the QM name, as the default name of key is too easy to mix up.
_________________
Well, I don't think there is any question about it. It can only be attributable to human error. This sort of thing has cropped up before, and it has always been due to human error. |
|
| Back to top |
|
|
| smeunier |
| Posted: Fri Mar 17, 2017 10:15 am Post subject: |
|
|
Partisan
Joined: 19 Aug 2002
Posts: 305
Location: Green Mountains of Vermont
|
| Quote: |
You can do all the keystore work on your own PC with the GUI ikeyman tool that comes with MQ (aka IBM key management on your Windows menu). |
Understood. Except I didn't/don't  have a MQ instance on my Laptop  |
|
| Back to top |
|
|
| mqjeff |
| Posted: Fri Mar 17, 2017 10:32 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008
Posts: 17447
|
You can install ikman with a client, I think.
You can also just use openssl.
_________________
chmod -R ugo-wx / |
|
| Back to top |
|
|
| zpat |
| Posted: Sun Mar 19, 2017 11:32 pm Post subject: |
|
|
Jedi Council
Joined: 19 May 2001
Posts: 5866
Location: UK
|
| smeunier wrote: |
| Quote: |
You can do all the keystore work on your own PC with the GUI ikeyman tool that comes with MQ (aka IBM key management on your Windows menu). |
Understood. Except I didn't/don't have a MQ instance on my Laptop |
Install MQ client at least. Do yourself a favour and get some good MQ tools.
_________________
Well, I don't think there is any question about it. It can only be attributable to human error. This sort of thing has cropped up before, and it has always been due to human error. |
|
| Back to top |
|
|
|
|
