
I have an existing MQ MQI connection (Server-Connection) between an HP NonStop and a Windows server. I am working on configuring the queue manager for SSL on the NonStop. I have followed a couple of sources available on the net closely but am still confused about a few things.

Regarding the Stash.sth file: I have not gotten the following command to work:

openssl pkcs12 -export -in cert.pem -inkey server_key.pem -out personal_cert.p12 -passin pass:certkey -password pass:certkey -chain -CAfile trust.pem

I get an "Error unable to get local issuer certificate chain."

The SSLUpdate.pdf document that is delivered with MQ mentions creating the Stash.sth file using:

amqrsslc -s cert (cert being the trusted certificate store), and this DOES work for me.

However, it also says "The amqrsslc command will prompt for the private key pass phrase used when creating the certificate/key pair and will write a masked copy of that pass phrase to the Stash.sth file"

If I should have specified the same pass phrase earlier, where should I have done that?

When I created the private key? Should I have specified a -passin or -passout parameter? All I used was openssl genrsa -out privatekey.pem 2048 -sha256

Or, when I generated the certificate request? There is a prompt to enter an optional password. Or neither? Is the pass phrase used when creating the Stash.sth file completely arbitrary?

Thanks for any help!

JoshMc, yodish

1 Answer


The error usually means the list of trusted certificates is not complete.

I think you need to be sure your certificate chain is complete.

Here is an excerpt from the technote:

If the certificate request is signed by an intermediate certificate, the certificate chain for the signed personal certificate will need to be added to the trust.pem file. You need to add the root certificate and the intermediate to the trust.pem file. Review create_trust_file.sh script for the syntax.

I also think this presentation document may be helpful to you.
http://www-01.ibm.com/support/docview.wss?uid=swg27023472&aid=1

ValerieLampkin
Thanks Valerie, I've gone over that presentation and the IBM doc you quoted dozens of times. The certificate chain I downloaded from our internal CA was in .p7b format. I converted that to .pem and ended up with the signer, intermediate and root certificates. I've tried creating the trust.pem file in multiple ways but always end up with that error. – yodish Mar 24 '17 at 17:27
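The chain requirement the answer describes, as an added shell example that is not part of the question, the answer, or IBM's create_trust_file.sh: it builds a throwaway root/intermediate/server PKI with the openssl CLI, shows that a trust file holding only the root reproduces the "unable to get local issuer certificate" failure in both `openssl verify` and the `pkcs12 -export -chain` step, and that the same export succeeds once root and intermediate are both in trust.pem. The file names and the "certkey" pass phrase are taken from the question; the CA subjects are constructed for the demo, the script assumes an OpenSSL 1.1.1 or 3.x CLI is on the PATH, and it uses `-passout` rather than the question's equivalent `-password` option.

```shell
#!/bin/sh
# Added example (not from the original post or from IBM): demonstrate why
# trust.pem must hold every CA certificate between the server certificate
# and a self-signed root before "openssl pkcs12 -export -chain" can succeed.
set -e

WORK="${WORK:-$(mktemp -d)}"   # scratch directory for the demo PKI
cd "$WORK"

# build_demo_pki: root CA -> intermediate CA (CA:TRUE) -> server cert.
# Subjects are constructed for this demo only.
build_demo_pki() {
    openssl genrsa -out root_key.pem 2048 2>/dev/null
    openssl req -x509 -new -key root_key.pem -sha256 -days 30 \
        -subj "/CN=Demo Root CA" -out root.pem 2>/dev/null
    openssl genrsa -out int_key.pem 2048 2>/dev/null
    openssl req -new -key int_key.pem -subj "/CN=Demo Intermediate CA" \
        -out int.csr 2>/dev/null
    # An intermediate must carry CA:TRUE or chain validation rejects it.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > int.ext
    openssl x509 -req -in int.csr -CA root.pem -CAkey root_key.pem -CAcreateserial \
        -sha256 -days 30 -extfile int.ext -out intermediate.pem 2>/dev/null
    openssl genrsa -out server_key.pem 2048 2>/dev/null
    openssl req -new -key server_key.pem -subj "/CN=mqserver.example" \
        -out server.csr 2>/dev/null
    openssl x509 -req -in server.csr -CA intermediate.pem -CAkey int_key.pem \
        -CAcreateserial -sha256 -days 30 -out cert.pem 2>/dev/null
}

# make_trust_file: concatenate every CA certificate in the signing chain
# (root and intermediate) into trust.pem. The server certificate itself
# does not belong in the trust file.
make_trust_file() {
    cat root.pem intermediate.pem > trust.pem
}

# chain_ok TRUSTFILE: exit 0 if cert.pem chains to a root in TRUSTFILE.
chain_ok() {
    openssl verify -CAfile "$1" cert.pem >/dev/null 2>&1
}

# export_p12 TRUSTFILE: the export from the question; -chain makes openssl
# look up the issuers in -CAfile, so it fails when the chain is incomplete.
export_p12() {
    openssl pkcs12 -export -in cert.pem -inkey server_key.pem -out personal_cert.p12 \
        -passin pass:certkey -passout pass:certkey -chain -CAfile "$1" >/dev/null 2>&1
}

# count_p12_certs: how many certificates ended up bundled in personal_cert.p12
# (server + intermediate + root = 3 when the chain was complete).
count_p12_certs() {
    openssl pkcs12 -in personal_cert.p12 -nokeys -passin pass:certkey 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE' || true
}

# run_demo: exit 0 only if the incomplete trust file fails and the complete
# one verifies, exports, and bundles all three certificates.
run_demo() {
    build_demo_pki
    # Root only: the intermediate issuer cannot be found -> same error as the question.
    cp root.pem trust_incomplete.pem
    if chain_ok trust_incomplete.pem; then return 1; fi
    if export_p12 trust_incomplete.pem; then return 1; fi
    # Root + intermediate: chain resolves, export succeeds.
    make_trust_file
    chain_ok trust.pem || return 1
    export_p12 trust.pem || return 1
    [ "$(count_p12_certs)" -eq 3 ] || return 1
    echo "chain complete: personal_cert.p12 written in $WORK"
}

run_demo
```

When adapting this to a real CA-issued certificate, the check to run before touching the p12 export is `openssl verify -CAfile trust.pem cert.pem`: if that reports "unable to get local issuer certificate", a CA certificate is missing from trust.pem (or the one present is a different certificate than the one that actually signed the next link), and no amount of reordering the pkcs12 arguments will help.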