Renewing mini-certificates

The certificates issued for an entity by the mini-certificate issuance service are valid for one year from the date of issue and it is advisable to renew them before they expire. Renewed certificates are obtained from the same mini-certificate issuance service. Before requesting a renewal, the request must be authorized with the issuance service and a one-time-use certificate request PIN obtained, in just the same way as for the initial certificate issuance. When you use the server to obtain the PIN for renewal, remember that you are updating the entity, not adding it.

When a certificate is issued for an entity, a copy of the mini-certificate server's own certificate is issued with it. This is needed to check the validity of other certificates. With versions of MQe earlier than 1.2, the certificate server's certificate could expire before the entity's certificate. If this happens you can renew the server's certificate by requesting a renewal of the entity's certificate; a new copy of the mini-certificate server's certificate will be returned along with the entity's certificate. From mini-certificate server Version 1.2, the mini-certificate server's certificate will expire later than the entity's certificate.

The class com.ibm.mqe.registry.MQePrivateRegistryConfigure contains a method renewCertificates() which can be used to request renewed certificates. This is used in the example program examples.certificates.RenewWTLSCertificates, which implements a command-line program that requests renewed certificates from the issuance service

The program has four compulsory parameters:
RenewWTLSCertificates <entity> <ini file> <MCS addr> <MCS Pin>
where:
entity
is the name of the entity for which a renewed certificate is required. This should be either a queue manager, a queue or other authenticatable entity. The name of a queue should be specified as <queue manager>+<queue>, for example myQM+myQueue.
ini file
is the name of a configuration file that contains a section for the registry. This is typically the same configuration file that is used for the queue manager. For a queue, this typically the configuration file for the queue manager that owns the queue.
MCS addr
is the host name and port address of the mini-certificate server (for example: myServer:8085)
MCS Pin
is the one-time use PIN issued by the mini-certificate server administrator to authorize this renewal request.

Terms of use | WebSphere software

(c) Copyright IBM Corporation 2004, 2005. All rights reserved.