MQSeries.net Forum Index » IBM MQ Security » Renew queue manager personal cert with same private key

Renew queue manager personal cert with same private key
gbaddeley
Posted: Thu Jun 01, 2023 3:34 pm    Post subject: Renew queue manager personal cert with same private key

Jedi

Joined: 25 Mar 2003
Posts: 2495
Location: Melbourne, Australia

https://www.ibm.com/docs/en/ibm-mq/9.3?topic=windows-renewing-existing-personal-certificate-aix-linux

This IBM doc describes the renewal process for a Queue Manager SSL/TLS personal certificate, using the 'recreate' function, to create a CSR file.

The CSR contains public encoded data (i.e. not the private key or any other secure info) that can be used by a CA to produce a renewed certificate file, which can then be received into the Queue Manager's key repository.

In my case, I am using runmqakm on Linux. I've struck an issue with our CA. It won't accept the renewal CSR. The error message is "Private key reuse is not allowed here. Please use a different CSR".

It can deduce this because the public key (embedded in the CSR) is the same public key as provided in the original cert creation CSR, and was signed by the CA.

Apparently "private key reuse not allowed" is good security practice, so as not to allow indefinite use of the same private key.

My question: Is it possible to re-key or re-generate the private key of an existing cert in a Queue Manager CMS key store? I presume that this will then allow the CA to accept the renewal CSR.

If not, the only alternative appears to be to create and deploy a new cert every time an existing cert is about to expire.

(I will be back in 3 days)
_________________
Glenn
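Added example (not part of the post above, and not IBM's code): the CA's "private key reuse" check can be reproduced locally with plain openssl, so you can tell before submitting a renewal CSR whether it carries the same public key as the certificate it is meant to replace. The script fingerprints the SubjectPublicKeyInfo of the existing certificate and of the CSR and compares them. All key material is generated on the spot and thrown away; the DN, file names and working directory are made up for the demonstration. It assumes openssl 1.1 or later on PATH. The two CSRs it builds mirror the two options in the post: one over the existing key (what `-cert -recreate` produces) and one over a freshly generated key.

```shell
#!/bin/sh
# Added example: emulate a CA's "private key reuse" check with openssl.
# Not from the original post or from IBM MQ; assumes openssl 1.1+ on PATH.
# Everything under $WORK is throw-away test material generated below.
set -eu

WORK=$(mktemp -d)
DN="/CN=QM1/O=Example"   # made-up subject for the demonstration

# SHA-256 over the DER SubjectPublicKeyInfo of a certificate.
spki_of_cert() {
    openssl x509 -in "$1" -noout -pubkey \
      | openssl pkey -pubin -outform DER \
      | openssl dgst -sha256 | awk '{print $NF}'
}

# Same fingerprint, taken from a CSR. A CSR that reuses the key pair
# carries exactly the same SubjectPublicKeyInfo as the old certificate.
spki_of_csr() {
    openssl req -in "$1" -noout -pubkey \
      | openssl pkey -pubin -outform DER \
      | openssl dgst -sha256 | awk '{print $NF}'
}

# key_reused CERT CSR -> prints "reused" if the CSR's public key matches
# the certificate's (the CA would reject it), "fresh" otherwise.
key_reused() {
    if [ "$(spki_of_cert "$1")" = "$(spki_of_csr "$2")" ]; then
        echo reused
    else
        echo fresh
    fi
}

# Stand-in for the queue manager's current personal cert: new RSA key
# plus a self-signed certificate over it.
make_existing_cert() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/old.key" 2>/dev/null
    openssl req -new -x509 -key "$WORK/old.key" -days 365 -subj "$DN" \
        -out "$WORK/old.crt" 2>/dev/null
}

# What a 'recreate'-style renewal CSR looks like: same key, same DN.
make_recreate_csr() {
    openssl req -new -key "$WORK/old.key" -subj "$DN" \
        -out "$WORK/recreate.csr" 2>/dev/null
}

# A genuine re-key: brand new private key, CSR with the same DN.
make_rekey_csr() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/new.key" 2>/dev/null
    openssl req -new -key "$WORK/new.key" -subj "$DN" \
        -out "$WORK/rekey.csr" 2>/dev/null
}

make_existing_cert
make_recreate_csr
make_rekey_csr

echo "recreate CSR vs old cert: $(key_reused "$WORK/old.crt" "$WORK/recreate.csr")"  # reused
echo "re-key CSR vs old cert:   $(key_reused "$WORK/old.crt" "$WORK/rekey.csr")"     # fresh
```

Usage note: run `key_reused` against the exported queue manager certificate and the CSR you are about to submit; "reused" means the CA in the post will refuse it. Practically, in a CMS key database the re-key is a new certificate request rather than a modification of the old one: `runmqakm -certreq -create` with a new `-label` generates a fresh key pair, the signed certificate is taken in with `runmqakm -cert -receive`, and the queue manager is pointed at the new label (CERTLABL) before the old entry is deleted. That sequence is my own assumption about the workflow, not something the post or the linked IBM page states.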
Copyright © MQSeries.net. All rights reserved.