MQSeries.net Forum Index » IBM MQ Security

Renewal of SSL certificates
jamesb (Novice; joined 09 Mar 2008; 16 posts)
Posted: Tue May 02, 2023 8:54 am    Post subject: Renewal of SSL certificates

Consider the case where you get a CA certificate with the issued time/date being on a weekday, but you have to wait for a change window at the weekend, say. You install the cert, set up SSL, etc, and it goes into production. A year later you get an updated SSL cert valid on the day the old one expired, but have to wait for a weekend change window. How does your organisation handle this, if at all, to save having to install the new one on the same day the old one expires?

From the documentation it looks like the runmqakm -certreq -recreate command is used for this purpose, but the MQ admin needs to provide a new CSR so if your organisation has an auto-renewal process, it won't work? Is this the recommended way of working to not auto renew and to recreate the CSR or have I missed something?

Thanks, James.
fjb_saper (Grand High Poobah; joined 18 Nov 2003; 20696 posts; Location: LI,NY)
Posted: Tue May 02, 2023 9:18 am


What you've missed is that the renewal / auto-renewal period for a certificate is not the day it expires, it is in general one month before the certificate expires.

So you should have plenty of time to install it on the weekend.
_________________
MQ & Broker admin
jamesb (Novice; joined 09 Mar 2008; 16 posts)
Posted: Tue May 02, 2023 10:01 am

fjb_saper wrote:
What you've missed is that the renewal / auto-renewal period for a certificate is not the day it expires, it is in general one month before the certificate expires.

So you should have plenty of time to install it on the weekend.


That's the kind of thing I was hoping for. I'll explore this with the group we have that orders certs. Unfortunately they're not too familiar with the kind of requirements that MQ has for labels, etc., and are more used to dealing with certs for web apps/load balancers, etc.

Thanks, James.
exerk (Jedi Council; joined 02 Nov 2006; 6339 posts)
Posted: Wed May 03, 2023 12:12 pm


Another method is to have the certificate delivered as PKCS#12 (*.p12), and import it with a different label name, e.g. if the current certificate label is ibmwebspheremqqmtest the new imported one could be named ibmwebspheremqqmtest2023.

If the original certificate is the only one used by the queue manager, you can set the new label in the queue manager's CERTLABL attribute, refresh security, and test. If all is not well just revert to the "old" certificate and refresh security again, otherwise the old certificate can be deleted by label name; at a later date after it has expired if management is twitchy about it being done immediately.

There's a little more management needed if you have multiple personal certificates for the queue manager, and have those assigned on a per-channel basis, but from the sound of it you have only the one so the above method (if implemented) should not be too much of an issue.

Top tip (and sorry if this is teaching you to suck eggs): always work on a copy of the key store, not the original.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
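The label-swap rotation exerk describes above, written out as a reviewable script. This is an added example, not code from the thread or from IBM. The queue manager name QMTEST, the key repository path under /var/mqm, the working directory /tmp/mqrotate, the label ibmwebspheremqqmtest with its year suffix, the file newcert.p12 and the label qmtest inside it, the backup timestamp and the password placeholder are all assumptions. The runmqakm and runmqsc invocations themselves (runmqakm -cert -import with -new_label, -cert -details, -cert -delete, ALTER QMGR CERTLABL and REFRESH SECURITY TYPE(SSL)) are the standard commands; everything else is local wrapping.

```shell
#!/bin/sh
# Added example, not code from the thread or from IBM: a scripted version of the
# label-swap rotation exerk describes. Every name below is a placeholder assumption:
# queue manager QMTEST, key repository /var/mqm/qmgrs/QMTEST/ssl/key.kdb (with its
# .sth stash file), the renewed certificate delivered as newcert.p12 under the
# label "qmtest" inside that file. DRYRUN=1 (the default) prints each command
# instead of running it, so the plan can be reviewed before the change window.
set -eu

DRYRUN="${DRYRUN:-1}"

# Print a command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRYRUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Send one MQSC command to a queue manager (or print what would be sent).
mqsc() {
    qm="$1"; cmd="$2"
    if [ "$DRYRUN" = "1" ]; then
        printf 'echo "%s" | runmqsc %s\n' "$cmd" "$qm"
    else
        printf '%s\n' "$cmd" | runmqsc "$qm"
    fi
}

# Label scheme from the post: current label plus the renewal year, so the old and
# new certificates coexist in one key store and CERTLABL selects between them.
new_label() { printf '%s%s' "$1" "$2"; }

# Step 0 (the top tip): never edit the live key store. Copy the .kdb and its .sth.
copy_keystore() {
    live="$1"; work="$2"
    run cp "$live" "$work"
    run cp "${live%.kdb}.sth" "${work%.kdb}.sth"
}

# Step 1: import the PKCS#12 into the working copy under the new label, then show
# its details so the validity dates can be checked before anything goes live.
# The p12 password is a placeholder; in practice supply it in a way that keeps it
# out of the process list and shell history.
import_cert() {
    kdb="$1"; p12="$2"; p12_label="$3"; newlabel="$4"
    run runmqakm -cert -import -file "$p12" -pw "CHANGEME" -type pkcs12 \
        -target "$kdb" -target_stashed -label "$p12_label" -new_label "$newlabel"
    run runmqakm -cert -details -db "$kdb" -stashed -label "$newlabel"
}

# Step 2: put the verified copy in place, keeping the original files as a rollback.
install_keystore() {
    work="$1"; live="$2"; stamp="$3"
    run cp "$live" "$live.$stamp.bak"
    run cp "${live%.kdb}.sth" "${live%.kdb}.sth.$stamp.bak"
    run cp "$work" "$live"
    run cp "${work%.kdb}.sth" "${live%.kdb}.sth"
}

# Step 3: point the queue manager at a label and refresh the SSL/TLS configuration.
# Rollback is the same call with the old label: the old certificate is still there.
switch_label() {
    qm="$1"; label="$2"
    mqsc "$qm" "ALTER QMGR CERTLABL('$label')"
    mqsc "$qm" "REFRESH SECURITY TYPE(SSL)"
}

# Step 4 (later, once the new certificate is proven or the old one has expired):
# remove the old certificate by label.
delete_cert() { run runmqakm -cert -delete -db "$1" -stashed -label "$2"; }

# The whole procedure up to the switch; delete_cert is deliberately left for later.
rotate_cert() {
    qm="$1"; live_kdb="$2"; work_kdb="$3"; oldlabel="$4"; year="$5"
    p12="$6"; p12_label="$7"; stamp="$8"
    nl="$(new_label "$oldlabel" "$year")"
    copy_keystore "$live_kdb" "$work_kdb"
    import_cert "$work_kdb" "$p12" "$p12_label" "$nl"
    install_keystore "$work_kdb" "$live_kdb" "$stamp"
    switch_label "$qm" "$nl"
}

# Print the plan for the placeholder names (set DRYRUN=0 to execute it).
rotate_cert QMTEST /var/mqm/qmgrs/QMTEST/ssl/key.kdb /tmp/mqrotate/key.kdb \
    ibmwebspheremqqmtest 2023 /tmp/mqrotate/newcert.p12 qmtest 20230506
```

Run it once with the default DRYRUN=1 and read the printed commands; only then run it with DRYRUN=0 inside the change window. If the test after the switch fails, `switch_label QMTEST ibmwebspheremqqmtest` puts the old label back without touching the key store. For the per-channel case exerk mentions, the label switch is done on each channel with ALTER CHANNEL ... CERTLABL(...) instead of ALTER QMGR, followed by the same REFRESH SECURITY TYPE(SSL).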
jamesb (Novice; joined 09 Mar 2008; 16 posts)
Posted: Thu May 11, 2023 1:54 pm


exerk wrote:
Another method is to have the certificate delivered as PKCS#12 (*.p12), and import it with a different label name, e.g. if the current certificate label is ibmwebspheremqqmtest the new imported one could be named ibmwebspheremqqmtest2023.

If the original certificate is the only one used by the queue manager, you can set the new label in the queue manager's CERTLABL attribute, refresh security, and test. If all is not well just revert to the "old" certificate and refresh security again, otherwise the old certificate can be deleted by label name; at a later date after it has expired if management is twitchy about it being done immediately.

There's a little more management needed if you have multiple personal certificates for the queue manager, and have those assigned on a per-channel basis, but from the sound of it you have only the one so the above method (if implemented) should not be too much of an issue.

Top tip (and sorry if this is teaching you to suck eggs): always work on a copy of the key store, not the original.


That's a very good point, thanks exerk; very happy to hear of other suggestions. I have to say I have not come across a queue manager with multiple personal certs before, only the fairly straightforward situation I have.
Thanks, James.