SSL certs with MQ that don't have Client Authentication EKU
jamesb (Novice; joined 09 Mar 2008; 20 posts)
Posted: Thu Oct 30, 2025 1:49 am    Post subject: SSL certs with MQ that don't have Client Authentication EKU

Hi all,
We currently use IBM MQ 9.3.0.x and use SSL to authenticate the MQ clients that attach, so we have a keystore on the server side and typically a Java JKS file on the client side. When the client connects we check some element of the common name to allow it to connect. We also use it for queue manager to queue manager connectivity. Our current provider of SSL certificates (Sectigo) has contacted us to say that they are deprecating the Client Authentication EKU information from their future Sectigo SSL/TLS Certificates, as they say:
"TLS certificates have been used for both the client authentication as well as server authentication, a practice that is being deprecated".
This means that mutual TLS (mTLS) won't work, as I understand it. With this information no longer provided for Client Authentication purposes, including mTLS or server-to-server authentication, can anyone confirm whether this will still work with MQ or whether we will need a different provider/product?
The detailed statement on their website is here:
https://www.sectigo.com/faq-client-authentication-eku-deprecation?utm_campaign=8589971-2025%20Email%20Marketing%20Summary&utm_medium=email&_hsenc=p2ANqtz--LO-lzkK8okQAJ3svD0AZHq7uGJ1RG6zKMGDV3P9X1Cyhr7gFiQZJ36sfsVfmVKtzF_QBF5llrR3HQfabHvC7IgGCXpg&_hsmi=384007955&utm_content=384007955&utm_source=hs_email
I put a ticket into IBM, but got a reply which didn't really give me the straight yes/no answer I was hoping for! I just wondered if anyone else had experienced this and whether you need to take action.
Thanks, James.
tczielke (Guardian; joined 08 Jul 2010; 943 posts; Illinois, USA)
Posted: Fri Oct 31, 2025 7:24 am

Hi James,
There is a blog post about this topic here:
https://community.ibm.com/community/user/blogs/robert-parker1/2025/09/23/ibm-mq-and-extended-key-usage
You should ask your CA if they also offer client-only certs for mutual TLS authentication. What your CA might be doing is providing the standard server-side certificates with only an EKU of server, but also providing a separate client certificate with an EKU of client for customers that need to support mutual TLS. I know other public CAs are doing this.
I would recommend reading the comments in the blog, as there are other useful things being discussed in that blog, too.
_________________
Working with MQ since 2010.
fjb_saper (Grand High Poobah; joined 18 Nov 2003; 20773 posts; LI, NY)
Posted: Sat Nov 01, 2025 9:36 pm

tczielke wrote:
    Hi James,
    There is a blog post about this topic here:
    https://community.ibm.com/community/user/blogs/robert-parker1/2025/09/23/ibm-mq-and-extended-key-usage
    You should ask your CA if they also offer client-only certs for mutual TLS authentication. What your CA might be doing is providing the standard server-side certificates with only an EKU of server, but also providing a separate client certificate with an EKU of client for customers that need to support mutual TLS. I know other public CAs are doing this.
    I would recommend reading the comments in the blog, as there are other useful things being discussed in that blog, too.

It's a good thing that, as per the blog, GSKIT does not care about the type (server / client), so the qmgr to qmgr channels should still be fine...
_________________
MQ & Broker admin
tczielke (Guardian; joined 08 Jul 2010; 943 posts; Illinois, USA)
Posted: Mon Nov 03, 2025 6:39 am

fjb_saper wrote:
    tczielke wrote:
        Hi James,
        There is a blog post about this topic here:
        https://community.ibm.com/community/user/blogs/robert-parker1/2025/09/23/ibm-mq-and-extended-key-usage
        You should ask your CA if they also offer client-only certs for mutual TLS authentication. What your CA might be doing is providing the standard server-side certificates with only an EKU of server, but also providing a separate client certificate with an EKU of client for customers that need to support mutual TLS. I know other public CAs are doing this.
        I would recommend reading the comments in the blog, as there are other useful things being discussed in that blog, too.

    It's a good thing that, as per the blog, GSKIT does not care about the type (server / client), so the qmgr to qmgr channels should still be fine...

I personally wouldn't rely on that behavior lasting too long. At some point GSKIT is going to want to start enforcing the EKU, I would assume. It won't look good on a security audit if they are allowing server-only EKU certs to connect from a TLS client end.
_________________
Working with MQ since 2010.
jamesb (Novice; joined 09 Mar 2008; 20 posts)
Posted: Mon Jan 19, 2026 10:49 am

Thanks all for taking the time to reply. I can see that the default certificates we now receive don't have clientAuth in the Extended Key Usage. We should be able to request the clientAuth info until later in the year, but obviously this is a temporary solution. Is anyone here prepared to share their longer-term strategy? Are you going to use certs from another source which contain the EKU info, use some other way of securing things, move to a different product, etc.?
Thanks, James.
fjb_saper (Grand High Poobah; joined 18 Nov 2003; 20773 posts; LI, NY)
Posted: Fri Jan 23, 2026 11:28 am

Long term you'll need 2 certs for the MQ Server:
- One with server key usage
- One with client key usage
Don't forget to set the certificate with client key usage to all of your sender channels...
_________________
MQ & Broker admin
jamesb (Novice; joined 09 Mar 2008; 20 posts)
Posted: Fri Jan 23, 2026 2:48 pm

fjb,
Isn't it the case that for Linux QM to Linux QM connectivity only a single serverAuth cert would be needed for each QM, and if there are client connections coming from JMS apps, they would need a clientAuth cert on their client side? IBM stated in this article that they do not check the EKU info for QM to QM connections and that it would continue to work:
https://community.ibm.com/community/user/blogs/robert-parker1/2025/09/23/ibm-mq-and-extended-key-usage
and your previous comment in this thread mentioned that QM to QM would still work with the lack of EKU, or have I misunderstood?
Thanks, James.
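As an added example (not from any poster in this thread, and not IBM MQ or GSKit code), a standard-library-only Python check that reads a certificate's Extended Key Usage and reports which TLS roles RFC 5280 permits for it, so a server-only cert can be told apart from one usable for mutual TLS before it is loaded into a client keystore or assigned to a sender channel. It reports what the RFC permits, not what GSKit currently enforces (the blog linked above says GSKit does not check the EKU on queue manager channels); the sample bytes at the end are a constructed DER skeleton, not a real certificate.

```python
# Dotted OIDs from RFC 5280: the two TLS KeyPurposeIds, anyExtendedKeyUsage, and the EKU extension id.
SERVER_AUTH, CLIENT_AUTH, ANY_EKU, EKU_EXT = "1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.2", "2.5.29.37.0", "2.5.29.37"
def read_tlv(buf, pos):
    """One DER tag-length-value at pos -> (tag, value bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                         # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    """OID content octets -> dotted string (first octet packs two arcs, the rest are base-128)."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def extended_key_usage(cert_der):
    """EKU OIDs of a DER-encoded certificate, or None when the extension is absent."""
    tbs, pos = read_tlv(read_tlv(cert_der, 0)[1], 0)[1], 0     # Certificate -> tbsCertificate
    while pos < len(tbs):
        tag, val, pos = read_tlv(tbs, pos)
        if tag != 0xA3:                                        # [3] EXPLICIT Extensions
            continue
        exts, epos = read_tlv(val, 0)[1], 0
        while epos < len(exts):
            _, ext, epos = read_tlv(exts, epos)
            tag, oid, p = read_tlv(ext, 0)                     # Extension ::= SEQUENCE { extnID, critical OPTIONAL, extnValue }
            if decode_oid(oid) != EKU_EXT:
                continue
            tag, val, p = read_tlv(ext, p)
            if tag == 0x01:                                    # skip the optional critical BOOLEAN
                tag, val, p = read_tlv(ext, p)
            seq, oids, q = read_tlv(val, 0)[1], [], 0          # extnValue OCTET STRING wraps SEQUENCE OF OID
            while q < len(seq):
                _, o, q = read_tlv(seq, q)
                oids.append(decode_oid(o))
            return oids
    return None

def tls_roles(eku):
    """TLS roles RFC 5280 permits: no EKU (or anyExtendedKeyUsage) allows both; otherwise only the listed ones."""
    if eku is None or ANY_EKU in eku:
        return {"server", "client"}
    return {role for role, oid in (("server", SERVER_AUTH), ("client", CLIENT_AUTH)) if oid in eku}
# Constructed sample, NOT a real certificate: a minimal cert-shaped DER skeleton whose only extension is EKU = { serverAuth }.
SERVER_ONLY_CERT = bytes.fromhex("3023 3021 a003020102 020101 a317 3015 3013 0603551d25 040c 300a 06082b06010505070301")
```

For a certificate a CA actually returned, pass its DER bytes (base64-decode the body of a PEM file first) to `extended_key_usage`; `openssl x509 -text` shows the same extension for comparison.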