Mangesh1187 (Centurion, joined 23 Mar 2013, 116 posts)
Posted: Sun Nov 19, 2017 5:18 am
Post subject: Public & private key in Queue Manager keystores
Have a query about SSL certificates and keys.
We usually follow the below steps to prepare the MQ environment for SSL/TLS (using the GSK utility):
#1. Create keydb
It will create qm.kdb, qm.rdb, qm.crl, qm.req files (qm is the QM in this example).
#2. Create certificate request
#3. Send the cert request file to the CA
#4. Receive the signed certificate from the CA.
#5. Import that CA-signed certificate using the 'import' option & add the CA root and intermediate certificates using the 'add' option.
#6. Configure the QM & SSL attributes to use SSL.
I am really curious about:
In step #4 we received the signed certificate from the CA. At the bottom there is a section under the headers
BEGIN CERTIFICATE & END CERTIFICATE. Is this the public key of the QM, or is this the public key of the CA who signed the certificate?
Where can we see the private key of the QM that will be used for decryption?
tczielke (Guardian, joined 08 Jul 2010, 941 posts, Illinois, USA)
Posted: Sun Nov 19, 2017 6:08 am
In #4, you are receiving a personal certificate that includes your public key and is signed by the CA's private key.
I am not aware of a runmqakm/runmqckm command that can print the private key, but I am pretty sure you could display it by using the "runmqakm -cert -export" command to export your personal cert/private key to a .p12 file and then using a tool like openssl to display the private key from the .p12 file. However, you should for the most part never do this (display your private key) unless this is some kind of sandbox, as you never want your private key exposed in this way. If anyone gets your private key, you no longer have a secure system.
Working with MQ since 2010.
Mangesh1187 (Centurion, joined 23 Mar 2013, 116 posts)
Posted: Mon Nov 20, 2017 10:14 pm
Thanks tczielke for your reply.
I have a query related to the same.
When are the private & public keys created:
Is it when we create the cert store (as in step #1)?
OR
Is it when we create a certificate request (as in step #2)?
fjb_saper (Grand High Poobah, joined 18 Nov 2003, 20756 posts, LI, NY)
Posted: Tue Nov 21, 2017 5:50 am
Mangesh1187 wrote:
    Thanks tczielke for your reply.
    I have a query related to the same.
    When are the private & public keys created:
    Is it when we create the cert store (as in step #1)?
    OR
    Is it when we create a certificate request (as in step #2)?
In step 2, when you create the request, the key pair is being created.
The public key is then sent to the CA for signing. You upload the signed key when accepting the X509 cert signed by the CA.
Have fun
MQ & Broker admin
tczielke (Guardian, joined 08 Jul 2010, 941 posts, Illinois, USA)
Posted: Tue Nov 21, 2017 5:55 am
I am pretty sure the private/public key pair is created when you run the "runmqakm -certreq -create" command. The creation of the private/public key is based on the "-size" argument that you pass into that command.
Working with MQ since 2010.
tczielke (Guardian, joined 08 Jul 2010, 941 posts, Illinois, USA)
Posted: Tue Nov 21, 2017 6:22 am
The other thing that might be helpful to note is that each "-certreq -create" command is creating a separate private/public key pair. So if you have five personal certificates in your key.kdb, you have five unique private/public key pairs for each of these personal certificates.
Working with MQ since 2010.
fjb_saper (Grand High Poobah, joined 18 Nov 2003, 20756 posts, LI, NY)
Posted: Tue Nov 21, 2017 6:35 am
tczielke wrote:
    The other thing that might be helpful to note is that each "-certreq -create" command is creating a separate private/public key pair. So if you have five personal certificates in your key.kdb, you have five unique private/public key pairs for each of these personal certificates.
You meant to say:
So if you have five personal certificates in your key.kdb, you have five unique private/public key pairs, one pair for each of these personal certificates.
MQ & Broker admin
tczielke (Guardian, joined 08 Jul 2010, 941 posts, Illinois, USA)
Posted: Tue Nov 21, 2017 6:38 am
fjb_saper wrote:
    tczielke wrote:
        The other thing that might be helpful to note is that each "-certreq -create" command is creating a separate private/public key pair. So if you have five personal certificates in your key.kdb, you have five unique private/public key pairs for each of these personal certificates.
    You meant to say:
    So if you have five personal certificates in your key.kdb, you have five unique private/public key pairs, one pair for each of these personal certificates.
Yes.
I was trying to reword that last sentence and then typed something misleading/incorrect. I was trying to say "So if you have five personal certificates in your key.kdb, you have five unique private/public key pairs. One pair for each of these personal certificates."
Working with MQ since 2010.
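Added example, not part of the thread: the flow from the first post (key pair generated with the request, request signed by the CA, certificate returned) reproduced with openssl alone, so that the objects can be compared directly. It checks the two points made in the replies above: the BEGIN/END CERTIFICATE block received in step #4 carries the queue manager's public key, the one generated together with the request, not the CA's; and a second request generated the same way gets its own, different key pair. openssl req stands in for runmqakm -certreq -create because GSKit is not assumed; "Demo CA", "QM1", the file names and the temp directory are made up; assumes openssl 1.1 or later on PATH.

```shell
#!/bin/sh
# Added example, not from the thread. openssl stands in for GSKit/runmqakm so that the
# CA key, the queue manager key, the request and the issued certificate can be compared.
# Assumes openssl 1.1 or later on PATH; "Demo CA", "QM1" and the file names are made up.
set -eu

# SHA-256 fingerprint of the SubjectPublicKeyInfo held in a certificate, a CSR or a
# private key file. Same public key => same fingerprint, whatever container it came from.
spki_fp() {   # usage: spki_fp cert|csr|key FILE
    case "$1" in
        cert) openssl x509 -in "$2" -noout -pubkey ;;
        csr)  openssl req  -in "$2" -noout -pubkey ;;
        key)  openssl pkey -in "$2" -pubout ;;
        *)    echo "spki_fp: unknown kind $1" >&2; return 2 ;;
    esac | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# Steps 1-4 of the first post, openssl style. DIR ends up with ca.key/ca.crt,
# qm.key/qm.csr/qm.crt and a second request qm2.csr (with its own key qm2.key).
make_pki() {   # usage: make_pki DIR
    dir=$1
    # The CA: self-signed here; in real life the organisation's or a public CA.
    openssl req -x509 -batch -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    # Step 2, the "runmqakm -certreq -create" moment: this is where the QM's key pair is
    # generated. The private key goes to qm.key (in GSKit: into the .kdb), the public
    # key is embedded in the request qm.csr, which is all the CA ever sees.
    openssl req -new -batch -newkey rsa:2048 -nodes -subj "/CN=QM1" \
        -keyout "$dir/qm.key" -out "$dir/qm.csr" 2>/dev/null
    # A second request made the same way gets a brand-new, unrelated key pair.
    openssl req -new -batch -newkey rsa:2048 -nodes -subj "/CN=QM1" \
        -keyout "$dir/qm2.key" -out "$dir/qm2.csr" 2>/dev/null
    # Steps 3-4: the CA signs the request with ITS private key and returns qm.crt.
    openssl x509 -req -in "$dir/qm.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1 -out "$dir/qm.crt" 2>/dev/null
}

# Returns 0 when the issued certificate carries the key generated with the request (the
# QM's public key, not the CA's) and the CA's signature on it verifies against ca.crt.
check_issued_cert() {   # usage: check_issued_cert DIR
    dir=$1
    crt=$(spki_fp cert "$dir/qm.crt")
    [ "$crt" = "$(spki_fp csr "$dir/qm.csr")" ] &&
    [ "$crt" = "$(spki_fp key "$dir/qm.key")" ] &&
    [ "$crt" != "$(spki_fp key "$dir/ca.key")" ] &&
    openssl verify -CAfile "$dir/ca.crt" "$dir/qm.crt" >/dev/null 2>&1
}

# Returns 0 when two requests generated the same way carry different public keys, i.e.
# one key pair per request (and so one per personal certificate in the kdb).
csrs_have_distinct_keys() {   # usage: csrs_have_distinct_keys DIR
    [ "$(spki_fp csr "$1/qm.csr")" != "$(spki_fp csr "$1/qm2.csr")" ]
}

# Stand-alone run
WORK=$(mktemp -d)
make_pki "$WORK"
check_issued_cert "$WORK" || { echo "FAIL: certificate does not match QM1's key" >&2; exit 1; }
csrs_have_distinct_keys "$WORK" || { echo "FAIL: requests share a key" >&2; exit 1; }
echo "qm.crt carries QM1's public key, verified against Demo CA; qm2.csr has its own key"
echo "public key fingerprint in qm.crt: $(spki_fp cert "$WORK/qm.crt")"
rm -rf "$WORK"
```

The fingerprint comparison is the useful part in practice: run `spki_fp` against the .p12 export of a personal certificate and against the request file you sent, and a mismatch tells you the CA returned a certificate for a different request (or a different key) before you spend time on channel configuration.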
Mangesh1187 (Centurion, joined 23 Mar 2013, 116 posts)
Posted: Mon Nov 27, 2017 3:26 am
Thanks all.
Again back to the same question.
In the cert request we can see the public key. Where and how can we see the private key?
As of now I am aware that we should not play with the private keys. But out of curiosity, is there any chance that we can view the private key as well, given that we have full access to the kdb?
tczielke (Guardian, joined 08 Jul 2010, 941 posts, Illinois, USA)
Posted: Mon Nov 27, 2017 7:47 am
The following worked for me to see the private key:
Code:
    # Export the personal certificate and its private key from the kdb to a PKCS#12 file
    runmqakm -cert -export -db key.kdb -label ibmwebspheremqQM1 -type cms -target QM1.p12 -target_type pkcs12
    # Convert the PKCS#12 bundle to PEM (certificate and private key; prompts for the passwords)
    openssl pkcs12 -in QM1.p12 -out QM1.pem
    # Print the RSA private key components in readable form
    openssl rsa -text -in QM1.pem
NOTE: This is an RSA key example.
Working with MQ since 2010.
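Added example, not the poster's commands (those need GSKit): the same export-then-inspect path with openssl alone, followed by the check a practitioner usually wants instead of looking at the key. A self-signed key and certificate generated with openssl stand in for the personal certificate in the kdb, and "openssl pkcs12 -export" stands in for "runmqakm -cert -export"; the label, password and file names are made up; assumes openssl 1.1 or later on PATH.

```shell
#!/bin/sh
# Added example, not from the thread. runmqakm needs GSKit, so a self-signed key and
# certificate made with openssl stand in for the personal certificate in the kdb and
# "openssl pkcs12 -export" stands in for "runmqakm -cert -export". Assumes openssl 1.1
# or later on PATH; label, password and file names are made up.
set -eu

# Produce QM1.p12 the way the export in the post would: private key + certificate,
# protected by PASSWORD, stored under the personal certificate's label.
build_p12() {   # usage: build_p12 DIR PASSWORD
    dir=$1; pw=$2
    openssl req -x509 -batch -newkey rsa:2048 -nodes -days 1 -subj "/CN=QM1" \
        -keyout "$dir/qm.key" -out "$dir/qm.crt" 2>/dev/null
    openssl pkcs12 -export -inkey "$dir/qm.key" -in "$dir/qm.crt" \
        -name ibmwebspheremqqm1 -passout "pass:$pw" -out "$dir/QM1.p12"
}

# The post's second command, restricted to the key and made non-interactive: write the
# private key from the .p12 to OUT.pem. -nodes leaves it UNENCRYPTED on disk.
extract_private_key() {   # usage: extract_private_key P12 PASSWORD OUT.pem
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes -out "$3" 2>/dev/null
}

# The post's third command. Returns how many of the secret RSA components (private
# exponent and the two primes) "openssl rsa -text" prints in the clear: 3 for any RSA
# key, which is the exposure the thread warns about.
secret_fields_printed() {   # usage: secret_fields_printed KEY.pem
    openssl rsa -text -noout -in "$1" 2>/dev/null |
        grep -c -E '^(privateExponent|prime1|prime2):'
}

# What one usually wants instead of looking at the key: confirm that the private key in
# the .p12 belongs to the certificate in it. RSA moduli are public, so nothing secret
# reaches the terminal and no unencrypted key file has to be written.
key_matches_cert() {   # usage: key_matches_cert P12 PASSWORD
    key_mod=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null |
              openssl rsa -noout -modulus 2>/dev/null)
    cert_mod=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null |
               openssl x509 -noout -modulus 2>/dev/null)
    [ -n "$key_mod" ] && [ "$key_mod" = "$cert_mod" ]
}

# Stand-alone run
WORK=$(mktemp -d)
build_p12 "$WORK" changeit
extract_private_key "$WORK/QM1.p12" changeit "$WORK/QM1.pem"
echo "openssl rsa -text would print $(secret_fields_printed "$WORK/QM1.pem") secret RSA components"
key_matches_cert "$WORK/QM1.p12" changeit || { echo "FAIL: key and certificate differ" >&2; exit 1; }
echo "private key in QM1.p12 matches its certificate (checked via modulus, key not printed)"
rm -rf "$WORK"   # QM1.pem holds the unencrypted private key: never leave it behind
```

If you do follow the post's route on a real queue manager's export, treat the .p12 and the PEM as the key material they are: create them in a directory only you can read, and delete them as soon as the check is done; the modulus comparison in key_matches_cert gives the usual "is this the right key for this cert" answer without either file ever showing the private exponent.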