What is MAKECERT.EXE?
jed (Centurion; Joined: 08 Jan 2004; Posts: 118; Location: MI, USA)
Posted: Thu Mar 18, 2004 8:37 pm    Post subject: What is MAKECERT.EXE?

I read that using MakeCert, you can create a test certificate.

Does MakeCert create a public key?
_________________
Jed

JasonE (Grand Master; Joined: 03 Nov 2003; Posts: 1220; Location: Hursley)
Posted: Fri Mar 19, 2004 2:10 am

Makecert creates a self-signed certificate, i.e. with private data but the signer is itself.

If it helps:

Quote:
    To use MakeCert you MUST be using version 5.131.3617.0 or later (see below for usage instructions or the Readme.txt which ships with GA2/CSD01). Previous versions do not have the "-pe" flag to make the generated private key exportable (which is necessary for MQ to decrypt information). If a customer is using a certificate which was generated with an old version of MakeCert OR they did not specify the -pe flag they will get an AMQ9683 (8009000B).

and the following are some instructions which use the same personal key on both ends (you do NOT have to do it this way, it just kept the instructions shorter):

Quote:
    Ok, on 2 machines I cleared out all TestCA certificates and set up a
    basic non-SSL sdr/rcvr channel pair, and confirmed it started ok.

    On machine A (SDR side)
    =======================

    makecert -n CN=CA -ss MYCA -sr CurrentUser -b 08/07/2003 -e 08/07/2005
         -a sha1 -sky signature -r -pe MYCA.cer
    -> This produced a file MYCA.cer. I then ran MYCA.cer, clicked the
         install button, and next's through to finish (taking all the
         defaults).
    (Note: I changed the customer's 'CA' to 'MYCA' simply because I already
    had conflicting CA certificates)
    ** Checking in IE, I now have a MYCA personal certificate, and a MYCA
    ** trusted root CA.

    makecert -pe -n CN=HDQ_MQSRSQ_001 -ss MY -sr CurrentUser -b 08/07/2003
         -e 08/07/2005 -a sha1 -sky exchange -eku 1.3.6.1.5.5.7.3.1 -in CA
         -is MYCA -ir CurrentUser
         -sp "Microsoft RSA SChannel Cryptographic Provider"
         -sy 12 HDQ_MQSRSQ_001.cer
    -> This produced a file HDQ_MQSRSQ_001.cer which I ignored
    ** Checking in IE, I now have a HDQ_MQSRSQ_001 Personal certificate,
    ** issued by MYCA.

    I then changed the SDR channel to have a cipher of rc4_md5_us, and then
    added the root CA plus assigned the certificate to the sender side:

    amqmcert -k ROOT -l
    **> 14016: * MYCA, MYCA
    amqmcert -k ROOT -m QM -a 14016
    **> Certificate added successfully
    amqmcert -k MY -l
    **> 14002: * HDQ_MQSRSQ_001, MYCA
    amqmcert -k MY -m QM -a 14002
    **> Certificate added successfully
    amqmcert -m QM -l
    amqmcert -m QM -l  (Twice to avoid renumbering bug)
    **> 00015: * HDQ_MQSRSQ_001, MYCA
    amqmcert -m QM -d 00015
    **> AMQ4818: Certificate assigned successfully.

    Finally, I need to export the key for use on the rcvr side. I ran IE,
    Internet Options->Content. Here I click on HDQ_MQSRSQ_001 in the
    Personal Store, and click Export, Next, "Yes, Export the private key",
    Personal Information Exchange format, and I ticked Include all
    certificates in the path if possible and strong protection. I then
    didn't give a password, and supplied a filename of "private".

    On machine B (RCVR side)
    ========================

    I changed the RCVR channel to have a cipher of rc4_md5_us
    I copied MYCA.cer and ran MYCA.cer, clicked the install button, and
       next's through to finish (taking all the defaults).
    I also copied private.pfx onto this box and ran it. During the
       import I tick the box 'Mark the private key as exportable' but
       take all the other defaults.
    I then added the root CA plus assigned the certificate to the rcvr side:

    amqmcert -k ROOT -l
    **> 14025: * MYCA, MYCA
    amqmcert -k ROOT -m QMI -a 14025
    **> Certificate added successfully
    amqmcert -k MY -l
    **> 14004: * HDQ_MQSRSQ_001, MYCA
    amqmcert -k MY -m QMI -a 14004
    **> Certificate added successfully
    amqmcert -m QMI -l
    amqmcert -m QMI -l  (Twice to avoid renumbering bug)
    **> 00015: * HDQ_MQSRSQ_001, MYCA
    amqmcert -m QMI -d 00015
    **> AMQ4818: Certificate assigned successfully.

    Finally, the channel started perfectly - i.e. a MakeCert certificate can
    be used on any machine if exported correctly.

jed (Centurion; Joined: 08 Jan 2004; Posts: 118; Location: MI, USA)
Posted: Fri Mar 19, 2004 3:13 am

Hi Jason,
    I followed the steps that you mentioned in your posting and I got this error:

AMQ9690: The public key in the issuer's certificate has failed to validate the
subject certificate.

EXPLANATION:
The public key in the issuer's certificate (CA or signer certificate), is used
to verify the signature on the subject certificate assigned to channel
QM1.TO.QM2. This verification has failed, and the subject certificate therefore
cannot be used. The WebSphere MQ error recording routine has been called.
ACTION:
Check that the issuer's certificate is valid and available, and that it is up
to date. Verify with the certificate's issuer that the subject certificate and
issuer certificate should still be valid. If the problem cannot be resolved
then use the standard facilities supplied with your system to record the
problem identifier and save the generated output files, and then contact your
IBM support center. Do not discard these files until the problem has been
resolved.

Rgds,
Dino
_________________
Jed
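The check behind AMQ9690, as an added example that is not part of this thread and not WebSphere MQ or makecert code: using only the Go standard library it builds the same two certificates the quoted makecert commands produce (a self-signed root whose subject is CN=CA, and a channel certificate CN=HDQ_MQSRSQ_001 signed by that root's private key), then asks the question the queue manager asks at channel start: does the public key in the issuer certificate validate the signature on the subject certificate? It runs that check against the matching root, against a second self-signed root with the same name but a fresh key pair (which is what re-running the first makecert command, or installing an older MYCA.cer on the other box, leaves in the ROOT store, and which fails exactly as the message describes), and finally against the 2003-2005 validity window copied from the -b/-e flags. Assumptions: ECDSA P-256 keys stand in for the RSA keys makecert generates through the SChannel provider, the names and dates are copied from the post, and nothing here touches the Windows certificate store or MQ.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Validity window copied from the -b/-e flags in the quoted makecert commands.
var (
	NotBefore = time.Date(2003, 8, 7, 0, 0, 0, 0, time.UTC)
	NotAfter  = time.Date(2005, 8, 7, 0, 0, 0, 0, time.UTC)
)

// NewSelfSignedCA is the stdlib equivalent of "makecert -r -sky signature -n CN=CA":
// subject and issuer are the same name and the certificate is signed with its own key.
// (ECDSA is an assumption of this example; makecert produces RSA keys.)
func NewSelfSignedCA(cn string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             NotBefore,
		NotAfter:              NotAfter,
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewChannelCert is the equivalent of the second makecert command
// ("-in CA -is MYCA -sky exchange -eku 1.3.6.1.5.5.7.3.1"): a certificate for the
// queue manager whose signature is made with the CA's private key.
func NewChannelCert(cn string, ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    NotBefore,
		NotAfter:     NotAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, // OID 1.3.6.1.5.5.7.3.1
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// IssuerKeyValidatesSubject is the single test AMQ9690 reports on: the public key
// in the issuer certificate must verify the signature on the subject certificate.
func IssuerKeyValidatesSubject(subject, issuer *x509.Certificate) bool {
	return subject.CheckSignatureFrom(issuer) == nil
}

// VerifyChainAt builds and checks the whole chain (signature, CA constraints and
// validity dates of both certificates) at a given point in time, as a channel
// start would; a nil result means the chain is usable at that time.
func VerifyChainAt(leaf, root *x509.Certificate, at time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: at})
	return err
}

func main() {
	ca, caKey, err := NewSelfSignedCA("CA")
	if err != nil {
		panic(err)
	}
	leaf, err := NewChannelCert("HDQ_MQSRSQ_001", ca, caKey)
	if err != nil {
		panic(err)
	}
	// A second root with the same name but a fresh key pair: what re-running
	// the first makecert command, or an out-of-date MYCA.cer, leaves in ROOT.
	otherCA, _, err := NewSelfSignedCA("CA")
	if err != nil {
		panic(err)
	}
	fmt.Println("issuer key validates subject (matching root): ", IssuerKeyValidatesSubject(leaf, ca))
	fmt.Println("issuer key validates subject (same-name root):", IssuerKeyValidatesSubject(leaf, otherCA))
	fmt.Println("full chain on 19 Mar 2004:", VerifyChainAt(leaf, ca, time.Date(2004, 3, 19, 0, 0, 0, 0, time.UTC)))
	fmt.Println("full chain after the -e date:", VerifyChainAt(leaf, ca, time.Date(2006, 1, 1, 0, 0, 0, 0, time.UTC)))
}
```

Run it with `go run`: the first line is true, the second false (same subject name in the ROOT store is not enough, the key must be the one that signed the channel certificate), the third prints `<nil>`, and the fourth fails on the expired validity window, which is the other condition the ACTION text asks you to confirm before raising a PMR.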
			   
			 
JasonE (Grand Master; Joined: 03 Nov 2003; Posts: 1220; Location: Hursley)
Posted: Fri Mar 19, 2004 3:38 am

What fixpack level? If < fp5, apply fp5 just in case.

When I wrote those instructions, I believe they worked both for me and the customer I wrote them for (well at least, they said they did!!). Silly question, I know, but are you sure you followed it all carefully?

jed (Centurion; Joined: 08 Jan 2004; Posts: 118; Location: MI, USA)
Posted: Fri Mar 19, 2004 4:17 am

Yes, I just changed the queue manager names and some missing fields in your step-by-step instructions.
_________________
Jed