SSL certs with MQ that don't have Client Authentication EKU
jamesb (Novice, Joined: 09 Mar 2008, Posts: 18)
Posted: Thu Oct 30, 2025 1:49 am    Post subject: SSL certs with MQ that don't have Client Authentication EKU
Hi all,
We currently use IBM MQ 9.3.0.x and use SSL to authenticate the MQ clients that attach so we have a keystore on the server side and typically a Java JKS file on the client side. When the client connects we check some element of the common name to allow it to connect. We also use it for queue manager to queue manager connectivity. Our current provider of SSL certificates (Sectigo) has contacted us to say that they are deprecating the Client Authentication EKU information from their future Sectigo SSL/TLS Certificates as they say:
"TLS certificates have been used for both the client authentication as well as server authentication, a practice that is being deprecated".
This means that mutual TLS (mTLS) won't work, as I understand it. With this information no longer provided for Client Authentication purposes, including mTLS or server-to-server authentication, can anyone confirm whether this will still work with MQ, or whether we will need a different provider/product?
The detailed statement on their website is shown here:
https://www.sectigo.com/faq-client-authentication-eku-deprecation?utm_campaign=8589971-2025%20Email%20Marketing%20Summary&utm_medium=email&_hsenc=p2ANqtz--LO-lzkK8okQAJ3svD0AZHq7uGJ1RG6zKMGDV3P9X1Cyhr7gFiQZJ36sfsVfmVKtzF_QBF5llrR3HQfabHvC7IgGCXpg&_hsmi=384007955&utm_content=384007955&utm_source=hs_email
I put a ticket into IBM, but got a reply which didn't really give me a straight yes/no answer, which I was hoping for! Just wondered if anyone else had experienced this and if you need to take action.
Thanks, James.
tczielke (Guardian, Joined: 08 Jul 2010, Posts: 942, Location: Illinois, USA)
Posted: Fri Oct 31, 2025 7:24 am    Post subject:
Hi James,
There is a blog post about this topic here.
https://community.ibm.com/community/user/blogs/robert-parker1/2025/09/23/ibm-mq-and-extended-key-usage
You should ask your CA if they also offer client only certs for mutual TLS authentication. What your CA might be doing is providing the standard server side certificates with only an EKU of server, but also providing a separate client certificate with an EKU of client for customers that need to support mutual TLS. I know other public CAs are doing this.
I would recommend reading the comments in the blog, as there are other useful things being discussed in that blog, too.
_________________
Working with MQ since 2010.
fjb_saper (Grand High Poobah, Joined: 18 Nov 2003, Posts: 20768, Location: LI,NY)
Posted: Sat Nov 01, 2025 9:36 pm    Post subject:
tczielke wrote:
> Hi James,
> There is a blog post about this topic here.
> https://community.ibm.com/community/user/blogs/robert-parker1/2025/09/23/ibm-mq-and-extended-key-usage
> You should ask your CA if they also offer client only certs for mutual TLS authentication. What your CA might be doing is providing the standard server side certificates with only an EKU of server, but also providing a separate client certificate with an EKU of client for customers that need to support mutual TLS. I know other public CAs are doing this.
> I would recommend reading the comments in the blog, as there are other useful things being discussed in that blog, too.
It's a good thing that, as per the blog, GSKit does not care about the type (server / client), so the qmgr to qmgr channels should still be fine....
_________________
MQ & Broker admin
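Before relying on a CA-issued certificate for an MQ client connection or a qmgr-to-qmgr channel, it is worth checking what its Extended Key Usage extension actually says. The script below is an added example, not code from this thread, IBM, or Sectigo; it assumes OpenSSL 1.1.1 or later is on the PATH and builds its own constructed self-signed test certificates for the three cases (EKU absent, serverAuth only, serverAuth plus clientAuth).

```shell
#!/bin/sh
# Added example (not from this thread, IBM, or Sectigo): classify a PEM
# certificate by its Extended Key Usage (EKU). Assumes OpenSSL >= 1.1.1.
#   CLIENT_OK   - EKU lists TLS client authentication (or anyExtendedKeyUsage)
#   NO_EKU      - no EKU extension; RFC 5280 then imposes no purpose restriction
#   SERVER_ONLY - EKU present but clientAuth missing, the case the CA announced

eku_class() {
    # $1 = path to a PEM certificate
    text=$(openssl x509 -in "$1" -noout -text) || return 1
    if ! printf '%s\n' "$text" | grep -q 'X509v3 Extended Key Usage'; then
        echo NO_EKU
        return 0
    fi
    # OpenSSL prints the EKU names on the line after the extension heading.
    values=$(printf '%s\n' "$text" | sed -n '/X509v3 Extended Key Usage/{n;p;}')
    case "$values" in
        *"TLS Web Client Authentication"*|*"Any Extended Key Usage"*) echo CLIENT_OK ;;
        *) echo SERVER_ONLY ;;
    esac
}

# Build a constructed self-signed certificate for testing (not a CA-issued cert).
# $1 = output PEM path, $2 = EKU list such as "serverAuth,clientAuth", or "" for none
make_cert() {
    if [ -n "$2" ]; then
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=mq-eku-test" \
            -keyout "$1.key" -out "$1" -addext "extendedKeyUsage=$2" 2>/dev/null
    else
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=mq-eku-test" \
            -keyout "$1.key" -out "$1" 2>/dev/null
    fi
}

# Demo: the three shapes a queue manager or client keystore might contain.
demo() {
    dir=$(mktemp -d)
    make_cert "$dir/server_only.pem" "serverAuth"
    make_cert "$dir/server_and_client.pem" "serverAuth,clientAuth"
    make_cert "$dir/no_eku.pem" ""
    for f in "$dir"/*.pem; do
        printf '%s: %s\n' "$(basename "$f")" "$(eku_class "$f")"
    done
    rm -rf "$dir"
}
```

Run `demo` to see the three constructed cases, or `eku_class /path/to/cert.pem` against a certificate exported from a real keystore; a SERVER_ONLY result on a certificate used for a client connection is the situation the thread is asking about.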