
MQSeries.net Forum Index » IBM MQ Security » Certificate not getting added to MQ key database

Certificate not getting added to MQ key database
garyprmr
Posted: Tue Nov 02, 2010 4:16 am    Post subject: Certificate not getting added to MQ key database

Acolyte

Joined: 03 Sep 2005
Posts: 74

Hello Gurus,

I am adding a .der certificate using gsk7cmd. When I try to add it, it says duplicate certificate.

When I list the certificates, I don't find the label I am giving to the above .der file in the certificate list.

Please provide some suggestions on this.

Thanks
prmr
zpat
Posted: Tue Nov 02, 2010 4:49 am

Jedi Council

Joined: 19 May 2001
Posts: 5849
Location: UK

Use ikeyman (comes with WebSphere MQ and is perhaps easiest used on Windows).
garyprmr
Posted: Tue Nov 02, 2010 5:18 am

Acolyte

Joined: 03 Sep 2005
Posts: 74

It gives the same error.
zpat
Posted: Tue Nov 02, 2010 5:40 am

Jedi Council

Joined: 19 May 2001
Posts: 5849
Location: UK

Are you "adding a signer cert" or "receiving a personal cert"?
garyprmr
Posted: Tue Nov 02, 2010 6:30 am

Acolyte

Joined: 03 Sep 2005
Posts: 74

I have been sent a .der file for an MQ client to MQ server connection.

I am trying to add it. I believe at some point in time it gave me no signer certificate. Then I tried to receive it; it still gave me an error.

Now I am adding it and it gives certificate already exists.
shashivarungupta
Posted: Tue Nov 02, 2010 6:59 am

Grand Master

Joined: 24 Feb 2009
Posts: 1343
Location: Floating in space on a round rock.

Can you try adding the same cert to a new key database? If it gets added to that, then it would be clear that the cert exists in the older one!
_________________
*Life will beat you down, you need to decide to fight back or leave it.
fjb_saper
Posted: Tue Nov 02, 2010 1:14 pm

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20696
Location: LI,NY

garyprmr wrote:
I have been sent a .der file for an MQ client to MQ server connection.

I am trying to add it. I believe at some point in time it gave me no signer certificate. Then I tried to receive it; it still gave me an error.

Now I am adding it and it gives certificate already exists.

Your cert probably exists in the db under a different label...
_________________
MQ & Broker admin
garyprmr
Posted: Wed Nov 03, 2010 1:11 am

Acolyte

Joined: 03 Sep 2005
Posts: 74

The interesting part is that a colleague of mine is able to do that using ikeyman and I still get the same error using ikeyman.
shashivarungupta
Posted: Wed Nov 03, 2010 1:17 am

Grand Master

Joined: 24 Feb 2009
Posts: 1343
Location: Floating in space on a round rock.

fjb_saper wrote:
garyprmr wrote:
I have been sent a .der file for an MQ client to MQ server connection.

I am trying to add it. I believe at some point in time it gave me no signer certificate. Then I tried to receive it; it still gave me an error.

Now I am adding it and it gives certificate already exists.

Your cert probably exists in the db under a different label...


_________________
*Life will beat you down, you need to decide to fight back or leave it.
shashivarungupta
Posted: Wed Nov 03, 2010 1:18 am

Grand Master

Joined: 24 Feb 2009
Posts: 1343
Location: Floating in space on a round rock.

garyprmr wrote:
The interesting part is that a colleague of mine is able to do that using ikeyman and I still get the same error using ikeyman.


You can find out 'what you are doing wrong or missing out'!
_________________
*Life will beat you down, you need to decide to fight back or leave it.
exerk
Posted: Wed Nov 03, 2010 2:44 am

Jedi Council

Joined: 02 Nov 2006
Posts: 6339

List out all the certificates in the key store using the command line and piping the output to a file, then use the -details switch within a script that reads the above file and also pipes out the subsequent output to another file. Compare the content of the certificate you were given with that second output, and see if any match.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
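The comparison exerk describes, as an added example that is not part of the original thread: instead of reading `-details` output, it extracts every entry with the `-extract ... -format binary` command quoted later in this thread and byte-compares it with the supplied .der file. The function names and the layout of the `-cert -list` output (a "Certificates in database" header, then one indented label per line) are assumptions.

```shell
#!/bin/sh
# Added example: report which label(s) in a CMS key database already hold a
# given certificate, so a "duplicate certificate" error can be traced to the
# existing entry.
# Assumption: `gsk7cmd -cert -list` prints a "Certificates in database: ..."
# header followed by one label per line, indented (labels may contain spaces).

# list_labels DB PW -> one label per line on stdout
list_labels() {
    gsk7cmd -cert -list -db "$1" -pw "$2" -type cms |
        sed -e '/^Certificates in database/d' \
            -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d'
}

# find_cert_label DB PW CERT.der -> prints every label whose certificate is
# byte-identical to CERT.der; returns 0 if at least one matches, 1 if none.
find_cert_label() {
    db=$1 pw=$2 cert=$3
    tmp=$(mktemp -d) || return 2
    found=1
    n=0
    list_labels "$db" "$pw" > "$tmp/labels"
    while IFS= read -r label; do
        n=$((n + 1))
        # Extract the entry as DER, then compare it with the supplied file.
        if gsk7cmd -cert -extract -db "$db" -pw "$pw" -label "$label" \
               -target "$tmp/$n.der" -format binary </dev/null >/dev/null 2>&1 &&
           cmp -s "$cert" "$tmp/$n.der"; then
            printf '%s\n' "$label"
            found=0
        fi
    done < "$tmp/labels"
    rm -rf "$tmp"
    return $found
}

# Usage: sh thisscript.sh key.kdb <password> received.der
if [ $# -eq 3 ]; then find_cert_label "$@"; fi
```

As with the commands in the thread, `-pw` places the key database password on the command line, where it is visible in the process list and shell history while the script runs.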
garyprmr
Posted: Thu Nov 04, 2010 2:44 am

Acolyte

Joined: 03 Sep 2005
Posts: 74

Hi All,

Thanks for all the suggestions.

What I tried is to pick the .der file from another location, which was attached in the service request, and now if I try to add it I get an error:

An attempt to store the certificate failed.
All the Signer certificates must exist in the key database.

Do I need some other file to go with the .der file?

Thanks
Gurminder
exerk
Posted: Thu Nov 04, 2010 2:51 am

Jedi Council

Joined: 02 Nov 2006
Posts: 6339

garyprmr wrote:
An attempt to store the certificate failed.
All the Signer certificates must exist in the key database.


Generally means the signer-CA certificate is missing. Also, if part of a trust chain (Root CA -> Intermediate CA -> Personal Certificate), ensure you have all the certificates you need.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
zpat
Posted: Thu Nov 04, 2010 2:54 am

Jedi Council

Joined: 19 May 2001
Posts: 5849
Location: UK

Try creating a keystore with WMQ v7 ikeyman; it may have a more up-to-date list of signer certificates as standard.

Or you may find it in your Windows CA signer hierarchy and can save it from there.
shashivarungupta
Posted: Thu Nov 04, 2010 7:57 am

Grand Master

Joined: 24 Feb 2009
Posts: 1343
Location: Floating in space on a round rock.

To get the cert in .DER form:
To get the .der from an existing cert (in case of a self-signed certificate, .arm) in the existing key.kdb, this can be achieved while EXTRACTING the cert from the key.kdb:
Code:
gsk7cmd -cert -extract -db key.kdb -pw password1 -label webspheremqqmgr1 -target qmgr1.der -format binary


To display the 'Details' about the self signer cert:
Code:
gsk7cmd -cert -details -db key.kdb -pw password1 -type cms -label webspheremqqmgr1



_________________
*Life will beat you down, you need to decide to fight back or leave it.