| Author | 
		  Message
		 | 
		
		  | neocruz | 
		  
		    
			  
				 Posted: Tue Aug 16, 2011 10:27 am    Post subject: Request/Renew Qmgr Cert with changes | 
				     | 
			   
			 
		   | 
		
		
		   Acolyte
 
 Joined: 13 Jun 2004 Posts: 54
  
  | 
		  
		    
			  
				I've performed searches and can't find an answer.
 
 
On my Windows system,  I have a Qmgr personal Cert that will expire in 30 days.  Our standards have changed and I must use a size of 2048 instead of the original requested size of 1024. Recreate request will ask for the incorrect size, of 1024, for the certificate.
 
 
When I try to generate an original request, using the size 2048, I get an error that says the label already exists in the database. This is true.
 
 
How do I get around this?
 
 
MQ V6.0.2.2
 
Windows 2003 R2
 
 
Thanks in Advance. _________________ Rich | 
			   
			 
		   | 
		
		
		  
		  	
		   | 
		
		
		    | 
		
		
		  | mqjeff | 
		  
		    
			  
				 Posted: Tue Aug 16, 2011 10:33 am    Post subject:  | 
				     | 
			   
			 
		   | 
		
		
		   Grand Master
 
 Joined: 25 Jun 2008 Posts: 17447
  
  | 
		  
		    
			  
				Create a new keystore.  Generate the request there. Receive the certificate into that keystore.
 
 
Then either use the new keystore or export/import the new, larger, cert into the old keystore. | 
			   
			 
		   | 
		
		
		  
		  	
		   | 
		
		
		    | 
		
		
		  | neocruz | 
		  
		    
			  
				 Posted: Tue Aug 16, 2011 10:44 am    Post subject:  | 
				     | 
			   
			 
		   | 
		
		
		   Acolyte
 
 Joined: 13 Jun 2004 Posts: 54
  
  | 
		  
		    
			  
				Thanks Jeff.
 
 
Not "my" first choice but....if I choose to import the larger cert into the old keystore, once received into the new keystore, how much of a pain is that?
 
1. I can import it without a request being there?
 
2. What will happen to the old personal cert? Delete it first then import?
 
3. I take it there are no changes to be made if I stay with the same cypher, etc?
 
4. Basically, what process would you recommend?
 
 
Again, thanks for your help. _________________ Rich | 
			   
			 
		   | 
		
		
		  
		  	
		   | 
		
		
		    | 
		
		
		  | fjb_saper | 
		  
		    
			  
				 Posted: Tue Aug 16, 2011 11:05 am    Post subject:  | 
				     | 
			   
			 
		   | 
		
		
		    Grand High Poobah
 
 Joined: 18 Nov 2003 Posts: 20768 Location: LI,NY 
  | 
		  
		    
			  
				
   
	| mqjeff wrote: | 
   
  
	Create a new keystore.  Generate the request there. Receive the certificate into that keystore.
 
 
Then either use the new keystore or export/import the new, larger, cert into the old keystore. | 
   
 
 
Is just importing the larger cert into the keystore enough? Don't you need to import as well the corresponding private key into the keystore?
 
 
I thought the signed cert contained only the public key?   _________________ MQ & Broker admin | 
			   
			 
		   | 
		
		
		  
		  	
		   | 
		
		
		    | 
		
		
		  | mqjeff | 
		  
		    
			  
				 Posted: Tue Aug 16, 2011 11:12 am    Post subject:  | 
				     | 
			   
			 
		   | 
		
		
		   Grand Master
 
 Joined: 25 Jun 2008 Posts: 17447
  
  | 
		  
		    
			  
				
   
	| fjb_saper wrote: | 
   
  
	
   
	| mqjeff wrote: | 
   
  
	Create a new keystore.  Generate the request there. Receive the certificate into that keystore.
 
 
Then either use the new keystore or export/import the new, larger, cert into the old keystore. | 
   
 
 
Is just importing the larger cert into the keystore enough? Don't you need to import as well the corresponding private key into the keystore?
 
 
I thought the signed cert contained only the public key?   | 
   
 
 
 
There's a difference between "export/import" and "extract/receive".
 
   | 
			   
			 
		   | 
		
		
		  
		  	
		   | 
		
		
		    | 
		
		
		  | fjb_saper | 
		  
		    
			  
				 Posted: Tue Aug 16, 2011 11:45 am    Post subject:  | 
				     | 
			   
			 
		   | 
		
		
		    Grand High Poobah
 
 Joined: 18 Nov 2003 Posts: 20768 Location: LI,NY 
  | 
		  
		    
			  
				  I think I got confused for a minute there. Thanks for setting us all straight.   _________________ MQ & Broker admin | 
			   
			 
		   | 
		
		
		  
		  	
		   | 
		
		
		    | 
		
		
		  | exerk | 
		  
		    
			  
				 Posted: Tue Aug 16, 2011 12:22 pm    Post subject:  | 
				     | 
			   
			 
		   | 
		
		
		    Jedi Council
 
 Joined: 02 Nov 2006 Posts: 6339
  
  | 
		  
		    
			  
				Life can be made easier by having an A and B key store. If A is the 'current' key store you generate a new certificate request in the B key store, receive the signed certificate, 'flip' the SSLKEYR attribute of the queue manager, and refresh security (SSL stylee). If it works, clear out the A key store ready for next year - if not, 'flip' it back to the A key store and sort the problem. Rinse and repeat...
 
 
Elegantly simple, and if you script it you can use a parameter file to feed in the values of key length, DN values etc., and cater for changes year on year. _________________ It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
  Last edited by exerk on Wed Aug 17, 2011 2:43 pm; edited 1 time in total | 
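
The A/B key store rollover described in the post above, as an added example that is not part of the thread: a Python dry run that reads a parameter file and returns the runmqckm and MQSC steps plus the rollback, picking whichever store SSLKEYR is not currently using. The parameter names, paths, DN and queue manager name are assumptions made for illustration; the idle store is assumed to have been cleared out beforehand.

```python
import configparser
import ntpath

# Constructed parameter file; queue manager name, DN and paths are sample values.
SAMPLE_PARAMS = """
[cert]
qmgr = QM1
dn = CN=QM1,O=Example,C=US
key_size = 2048
store_a = C:\\mqssl\\A\\key
store_b = C:\\mqssl\\B\\key
"""
MIN_KEY_SIZE = 2048  # the new standard mentioned in the thread

def load_params(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    p = dict(cp["cert"])
    p["key_size"] = int(p["key_size"])
    if p["key_size"] < MIN_KEY_SIZE:
        raise ValueError("key_size %d is below %d" % (p["key_size"], MIN_KEY_SIZE))
    return p

def plan_rollover(p, current_sslkeyr):
    """Return (steps, rollback) for moving from the key store in use to the idle one."""
    a, b = p["store_a"], p["store_b"]
    if current_sslkeyr.lower() not in (a.lower(), b.lower()):
        raise ValueError("SSLKEYR matches neither store_a nor store_b")
    old, new = (a, b) if current_sslkeyr.lower() == a.lower() else (b, a)
    db = new + ".kdb"  # SSLKEYR holds the path stem, without the .kdb suffix
    label = "ibmwebspheremq" + p["qmgr"].lower()  # label MQ V6 looks up for the qmgr
    req = ntpath.join(ntpath.dirname(new), label + ".req")
    cer = ntpath.join(ntpath.dirname(new), label + ".cer")
    pw = "<password>"  # placeholder; command-line arguments show in process listings
    steps = [
        'runmqckm -keydb -create -db "%s" -pw %s -type cms -stash' % (db, pw),
        'runmqckm -certreq -create -db "%s" -pw %s -label %s -dn "%s" -size %d -file "%s"'
        % (db, pw, label, p["dn"], p["key_size"], req),
        "# send the request to the CA; add the CA signer certificates to the new store",
        'runmqckm -cert -receive -file "%s" -db "%s" -pw %s -format ascii' % (cer, db, pw),
        "ALTER QMGR SSLKEYR('%s')" % new,  # MQSC, entered in runmqsc
        "REFRESH SECURITY TYPE(SSL)",
    ]
    rollback = ["ALTER QMGR SSLKEYR('%s')" % old, "REFRESH SECURITY TYPE(SSL)"]
    return steps, rollback

if __name__ == "__main__":
    steps, rollback = plan_rollover(load_params(SAMPLE_PARAMS), r"C:\mqssl\A\key")
    print("\n".join(steps + ["# if channels fail to start:"] + rollback))
```

Because the private key is generated inside the new store by the certificate request, the signed certificate is received into that same store and nothing has to be moved between key stores.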
			   
			 
		   | 
		
		
		  
		  	
		   | 
		
		
		    | 
		
		
		  | neocruz | 
		  
		    
			  
				 Posted: Wed Aug 17, 2011 5:27 am    Post subject:  | 
				     | 
			   
			 
		   | 
		
		
		   Acolyte
 
 Joined: 13 Jun 2004 Posts: 54
  
  | 
		  
		    
			  
				Thanks to everyone for your help.       _________________ Rich | 
			   
			 
		   | 
		
		
		  
		  	
		   | 
		
		
		    | 
		
		
		  | 
		    
		   |