Posted: Thu Oct 30, 2025 1:49 am Post subject: SSL certs with MQ that don't have Client Authentication EKU
Novice
Joined: 09 Mar 2008 Posts: 18
Hi all,
We currently use IBM MQ 9.3.0.x and use SSL to authenticate the MQ clients that attach, so we have a keystore on the server side and typically a Java JKS file on the client side. When the client connects, we check some element of the common name to allow it to connect. We also use it for queue manager to queue manager connectivity. Our current provider of SSL certificates (Sectigo) has contacted us to say that they are deprecating the Client Authentication EKU information from their future Sectigo SSL/TLS Certificates, as they say:
"TLS certificates have been used for both the client authentication as well as server authentication, a practice that is being deprecated".
This means that mutual TLS (mTLS) won't work as I understand it. With this information no longer provided for Client Authentication purposes, including mTLS or server-to-server authentication, can anyone confirm whether this will still work with MQ, or will we need a different provider/product?
I put a ticket into IBM, but got a reply which didn't really give me a straight yes/no answer which I was hoping for! Just wondered if anyone else had experienced this and if you need to take action.
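To find out which certificates in an existing estate carry the Client Authentication EKU that the post says is being dropped, the following is an added example and not part of the original post. It assumes OpenSSL 1.1.1 or later and certificates already exported to PEM (a JKS entry would first need exporting); `eku_status` and `make_sample_cert` are hypothetical helper names, and the sample certificates are constructed throwaway ones.

```shell
#!/bin/sh
# Added example: report whether a PEM certificate carries the
# Client Authentication EKU. Assumes OpenSSL 1.1.1+ on PATH.

# Prints clientAuth | no-clientAuth | no-eku.
# Returns 2 if the file cannot be parsed as a certificate.
eku_status() {
    text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || return 2
    if ! printf '%s\n' "$text" | grep -q 'X509v3 Extended Key Usage'; then
        echo "no-eku"          # no EKU extension at all in the certificate
    elif printf '%s\n' "$text" | grep -q 'TLS Web Client Authentication'; then
        echo "clientAuth"      # EKU present and lists clientAuth
    else
        echo "no-clientAuth"   # EKU present, clientAuth missing
    fi
}

# Constructed test input: a throwaway self-signed certificate.
# $1 = output path, $2 = EKU list, e.g. serverAuth or serverAuth,clientAuth
make_sample_cert() {
    key=$(mktemp)
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$key" -out "$1" \
        -days 1 -subj "/CN=sample.example" \
        -addext "extendedKeyUsage=$2" 2>/dev/null
    rc=$?
    rm -f "$key"
    return $rc
}

if [ "$#" -gt 0 ]; then
    # Audit the PEM files named on the command line.
    for f in "$@"; do
        printf '%s: %s\n' "$f" "$(eku_status "$f" || echo unreadable)"
    done
else
    # No arguments: demonstrate on two constructed certificates.
    tmp=$(mktemp -d)
    make_sample_cert "$tmp/server-only.pem" serverAuth
    make_sample_cert "$tmp/both.pem" serverAuth,clientAuth
    for f in "$tmp/server-only.pem" "$tmp/both.pem"; do
        printf '%s: %s\n' "${f##*/}" "$(eku_status "$f")"
    done
    rm -rf "$tmp"
fi
```

This only reports what each certificate contains; whether a given MQ endpoint rejects a certificate without the clientAuth EKU is not something this check determines.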