IBM Support

Recreating a certificate request using the IBM Global Security Kit before your personal certificate expires

Technote (troubleshooting)


The Global Security Kit (GSKit) can be used to recreate a certificate request from an existing personal certificate. Creating a brand new certificate request is not necessary.

Resolving the problem

WebSphere MQ V7.1 and V7.5 and IBM MQ V8.0, 9.0, and 9.0.x provide a standardized Global Security Kit (GSKit) command name regardless of the version of GSKit installed. On Linux, UNIX and Windows platforms, two command utilities are provided: runmqckm and runmqakm. Both utilities can be used to manage certificates in key repositories.

Use the recreate command to create the new certificate request file for the Certificate Authority to sign.

runmqckm -certreq -recreate -db key.kdb -pw passw0rd -label certificate_label -target


  • key.kdb - The key database file
  • passw0rd - The password of the key database
  • certificate_label - The label of the certificate request which you are recreating (for example, the personal certificate associated with the queue manager)
  • (value following -target) - The name of the new certificate request file.

Use the receive option to replace the expiring personal certificate. The expiring personal certificate does not need to be deleted; it will be replaced.

runmqckm -cert -receive -file signedRequest -db key.kdb -pw passw0rd

  • key.kdb - The key database file
  • signedRequest - The certificate request file that was signed by the certificate authority (CA).
  • passw0rd - The password of the key database

Once the personal certificate has been updated, use the refresh security command to refresh the SSL cache using runmqsc. For example:

echo "refresh security type(ssl)" | runmqsc QMgrName

For clarification, below is the difference between the -create and the -recreate options.

"recreate" uses the existing certificate, and its existing private key, to create a certificate request file. No new entry is made in the key repository file; when the new certificate is received back into the key repository, it simply replaces the existing certificate.

"create", on the other hand, generates a new certificate request and a new private key. The data is therefore stored in the key repository file until the certificate is received. In order to receive the new signed certificate request, you will need to delete the existing personal certificate from the key repository before receiving the new certificate.
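Because "recreate" reuses the existing private key while "create" generates a new one, the two kinds of request can be told apart by comparing public keys. The following is an added example, not IBM code: it assumes the openssl command is installed and that the current personal certificate and the request file are available as Base64 (PEM) files; the function names and file names are hypothetical.

```shell
#!/bin/sh
# Added example (not IBM code): check that two PEM files carry the same public key.
# Assumes the openssl CLI is installed and both files are Base64 (PEM) encoded.

# Print the SHA-256 digest of the public key in a PEM certificate or request.
# Returns 2 if the file cannot be parsed.
pubkey_fingerprint() {
    if grep -q 'CERTIFICATE REQUEST-----' "$1" 2>/dev/null; then
        # Matches "BEGIN CERTIFICATE REQUEST" and "BEGIN NEW CERTIFICATE REQUEST".
        pem=$(openssl req -in "$1" -noout -pubkey 2>/dev/null) || return 2
    else
        pem=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    fi
    [ -n "$pem" ] || return 2
    printf '%s\n' "$pem" | openssl dgst -sha256 | awk '{print $NF}'
}

# Exit status: 0 = same key pair, 1 = different key pair, 2 = unreadable input.
same_keypair() {
    fp_a=$(pubkey_fingerprint "$1") || return 2
    fp_b=$(pubkey_fingerprint "$2") || return 2
    echo "$1  $fp_a"
    echo "$2  $fp_b"
    [ "$fp_a" = "$fp_b" ]
}

# Usage: sh check_keypair.sh current_cert.pem recreated_request.pem
if [ "$#" -eq 2 ]; then
    same_keypair "$1" "$2"
    case $? in
        0) echo "MATCH: request reuses the existing private key" ;;
        1) echo "MISMATCH: a new key pair was generated" ;;
        *) echo "ERROR: could not read a public key from one of the files" ;;
    esac
fi
```

The same comparison can be run on the signed certificate returned by the CA before it is received into the key repository.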

Note: If the Certificate Authority signs the new certificate request with a new root and/or intermediary certificate, you will need to remove the old CA signer certificate(s) and add the new one(s) to your key repository before receiving the newly signed certificate request and updating your personal certificate. Consequently, queue managers and applications that connect to your queue manager using channel encryption may need the new CA signer certificate in their key repository for authentication to succeed. Lastly, make sure you issue the MQSC command refresh security type(ssl) whenever any changes are made to the key repository.

Cross reference information

Segment: Business Integration
Product: IBM MQ
Component: SSL
Platform: AIX, HP-UX, Linux, Solaris, Windows
Version: 9.0.5, 9.0.4, 9.0.3, 9.0.2, 9.0.1, 9.0, 8.0, 7.5, 7.1, 7.0

Document information

More support for: WebSphere MQ

Software version: 7.0, 7.1, 7.5, 8.0, 9.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5

Operating system(s): AIX, HP-UX, Linux, Solaris, Windows

Reference #: 1250603

Modified date: 28 November 2006