Sanity check on SSL recreate certreq View previous topic :: View next topic
smeunier
PostPosted: Tue Feb 12, 2019 8:34 am Post subject: Sanity check on SSL recreate certreq Reply with quote

Master

Joined: 19 Aug 2002
Posts: 289

I'm asking this question because I cannot find a definitive answer to it via google or here. Maybe I'm asking it wrong.

If I create a new CSR ... runmqckm -certreq -create -db key.kdb ......blah blah I can then go and list that CSR in the keystore by issuing the: runmqckm -certreq -list -db key.kdb. It shows me that I have a CSR as well as the generated file for the CSR.

If I create a CSR using recreate: runmqckm -certreq -recreate -db key.kdb ....blah blah I get a generated CSR file, but if I list the certreq, there is no entry. Is that correct behavior on a recreate for a CSR?

I'm afraid that when I get the cert returned from the CA, it will not load because there is no certreq in the db.

Am I missing a subtle point between how these two methods behave? I don't want the cert to be rejected because there is no CSR for it.

Any help/clarification would be useful. I have used recreate before and the returned cert from the CA could not be loaded, and I had to go the route of creating a whole new cert. Just validating what I understand here.
hughson
PostPosted: Tue Feb 12, 2019 6:05 pm Post subject: Reply with quote

Grand Master

Joined: 09 May 2013
Posts: 1007
Location: Bay of Plenty, New Zealand

Why not test it out? Make yourself a test CA, sign the cert, recreate the cert request and sign that and see if it loads.

You can use runmqakm to make a test CA.
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
smeunier
PostPosted: Wed Feb 13, 2019 8:05 am Post subject: Reply with quote

Master

Joined: 19 Aug 2002
Posts: 289

Quote:
Why not test it out?


A test may just provide the same result I have seen in the past. At which point I may be falsely led into believing this is the way it works vs how it should work.

I'm wondering what the expected behavior is. Is a recreate supposed to create a CSR entry used when receiving the cert from the CA or does it solely rely on that cert label already existing in the key store and no CSR entry is made/required?

I think the latter is true, but I shall find out in a few days when I receive my cert. For all I know, the CA created a new signed cert last time rather than renewing it, which is why it failed to load?!
hughson
PostPosted: Wed Feb 13, 2019 2:13 pm Post subject: Reply with quote

Grand Master

Joined: 09 May 2013
Posts: 1007
Location: Bay of Plenty, New Zealand

smeunier wrote:
I'm wondering what the expected behavior is. Is a recreate supposed to create a CSR entry used when receiving the cert from the CA or does it solely rely on that cert label already existing in the key store and no CSR entry is made/required?

According to IBM Technote: Recreating a certificate request using the IBM Global Security Kit before your personal certificate expires :-
IBM Technote wrote:
For clarification, below is the difference between the -create and the -recreate options.

"recreate" uses the existing certificate to create a certificate request file. It will do this using the existing private key. An entry is not made in the key repository file, as when receiving the new certificate back into the key repository it will simply replace the existing certificate.

"create" on the other hand would generate a new certificate request and private key. The data will therefore be stored in the key repository file until the certificate is received. In order to receive the new signed certificate request, you will need to delete the existing personal certificate from the key repository before receiving the new certificate.


Cheers,
Morag
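The test Morag suggests in the first reply, and the -create versus -recreate behaviour the Technote describes, scripted as an added example (not code from the thread or from IBM): a throwaway CA in ca.kdb, a first certificate obtained with -certreq -create, then a renewal CSR made with -certreq -recreate, signed and received back under the same label. It assumes runmqakm is on PATH; the password, labels and DNs are constructed test values.

```shell
#!/bin/sh
# Added example, not from the thread. Walks the create/recreate difference
# against a test CA. Returns 0 when the recreated CSR's signed cert is received
# back over the existing cert, 2 when runmqakm is not installed, 1 otherwise.
PW=passw0rd                     # constructed test password
CA_LABEL=testca                 # constructed CA label
QM_LABEL=ibmwebspheremqtestqm   # constructed label in the usual MQ form

recreate_test() {
  command -v runmqakm >/dev/null 2>&1 || return 2
  work=$(mktemp -d) && cd "$work" || return 1
  # 1. Test CA: a CMS key database holding a self-signed CA certificate.
  runmqakm -keydb -create -db ca.kdb -pw "$PW" -type cms -stash >/dev/null || return 1
  runmqakm -cert -create -db ca.kdb -pw "$PW" -label "$CA_LABEL" \
    -dn "CN=Test CA,O=Lab" -ca true -expire 30 >/dev/null || return 1
  runmqakm -cert -extract -db ca.kdb -pw "$PW" -label "$CA_LABEL" \
    -target ca.arm -format ascii >/dev/null || return 1
  # 2. Queue manager repository: trust the CA, then -create a CSR and receive it.
  runmqakm -keydb -create -db key.kdb -pw "$PW" -type cms -stash >/dev/null || return 1
  runmqakm -cert -add -db key.kdb -pw "$PW" -label "$CA_LABEL" -file ca.arm >/dev/null || return 1
  runmqakm -certreq -create -db key.kdb -pw "$PW" -label "$QM_LABEL" \
    -dn "CN=TESTQM,O=Lab" -file req1.csr >/dev/null || return 1
  # -create keeps a pending request (with its new private key) in key.kdb.
  runmqakm -certreq -list -db key.kdb -pw "$PW" | grep -q "$QM_LABEL" || return 1
  runmqakm -cert -sign -db ca.kdb -pw "$PW" -label "$CA_LABEL" \
    -file req1.csr -target cert1.arm -expire 30 >/dev/null || return 1
  runmqakm -cert -receive -db key.kdb -pw "$PW" -file cert1.arm >/dev/null || return 1
  # 3. Renewal with -recreate: reuses the existing key, so no request entry.
  runmqakm -certreq -recreate -db key.kdb -pw "$PW" -label "$QM_LABEL" \
    -target req2.csr >/dev/null || return 1
  if runmqakm -certreq -list -db key.kdb -pw "$PW" | grep -q "$QM_LABEL"; then
    return 1   # a pending request here would contradict the Technote
  fi
  runmqakm -cert -sign -db ca.kdb -pw "$PW" -label "$CA_LABEL" \
    -file req2.csr -target cert2.arm -expire 60 >/dev/null || return 1
  # The renewed certificate simply replaces the one under the same label.
  runmqakm -cert -receive -db key.kdb -pw "$PW" -file cert2.arm >/dev/null || return 1
  runmqakm -cert -details -db key.kdb -pw "$PW" -label "$QM_LABEL" | grep -qi 'not after' || return 1
  return 0
}
```

Inspect the "Not After" date printed by the final -cert -details to confirm the 60-day renewal, not the original 30-day certificate, is now under the label.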