MQ

  • 1.  Serial Number on CRL (Certificate Revocation List) after 2 months of being "received"

    Posted Thu March 13, 2025 02:19 PM

    We had the personal/default cert for our MQ expire back in December and we went through the process of getting a new personal cert, root cert and signer cert. Things were working fine except for a couple of customers, and suddenly we started having cert failures with our customers again in February. It turns out the serial number on our new cert was placed on the CRL list just 2 months after getting it. Obviously our cert is not expired, but I'm wondering if there is a way to do a "./runmqakm -certreq -recreate" with our existing cert and have a different (valid) serial number assigned? What I'm trying to avoid is having all of our customers go through the same steps they had to do back in December 2024. Some of our customers are other QMs and some are applications like nifi. Any help appreciated.



    ------------------------------
    Eric Wolfe
    ------------------------------


  • 2.  RE: Serial Number on CRL (Certificate Revocation List) after 2 months of being "received"

    Posted Fri March 14, 2025 10:19 AM
    Edited by Francois Brandelik Fri March 14, 2025 10:20 AM

    Hi Eric,

    Indeed, using ./runmqakm -certreq -recreate is the way to go.

    Your cert has been revoked (CRL) for whatever reason. So you need to get a new one, using the same key. If using the same root and intermediaries for signing the request (i.e. same signer chain), your customers won't have to do a thing, unless they check the cert's serial number (some do!).

    Hope it helps.



    ------------------------------
    Francois Brandelik
    ------------------------------



  • 3.  RE: Serial Number on CRL (Certificate Revocation List) after 2 months of being "received"

    Posted Fri March 14, 2025 11:28 AM

    They are definitely checking a CRL, because that is why the cert is being refused during the SSL connection. I have since been informed that the cert is now revoked on our own CRL. What I would like to figure out is whether I can do a ./runmqakm -certreq -recreate and have it return a different serial number. Or are we looking at creating an entirely new cert with a different serial number, which would require our customers to update certs as well? Thanks again for your help!



    ------------------------------
    Eric Wolfe
    ------------------------------



  • 4.  RE: Serial Number on CRL (Certificate Revocation List) after 2 months of being "received"

    Posted Fri March 14, 2025 11:39 AM

    The serial number is part of the certificate. So you cannot change the serial number on an existing certificate.

    What you can do is create a new certificate request (./runmqakm -certreq -recreate ...) for the same key (label) and have the certificate authority issue a new certificate for the request.

    You can then receive this new certificate into your keystore. If the serial number is not checked in the SSLPEER field, AND you have the same signer chain, then there is nothing to do for your partners.

    However, I would assume that the cert got revoked because one of the signer certs got compromised, which would mean that you cannot get the same signer chain.

    Your partner would then have to update their truststores with the new signer chain, or at the minimum with the new root cert.

    Hope it helps.



    ------------------------------
    Francois Brandelik
    ------------------------------
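As an added example (not from the thread, IBM or runmqakm), this Go program uses only the standard library to model what the replies describe: a constructed root CA puts the old certificate's serial number on a CRL, then signs a replacement for the same key pair and DN; the replacement is not on the CRL and its public key is unchanged, which is what lets partners who pin on the signer chain or DN (rather than the serial) keep working. The CA name, subject, serial numbers and validity periods are constructed for the demo.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// sign creates and parses a certificate; passing tmpl as its own parent yields a self-signed CA.
func sign(tmpl, parent *x509.Certificate, pub ed25519.PublicKey, key ed25519.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key)
	if err != nil { panic(err) }
	c, _ := x509.ParseCertificate(der) // DER we just produced always parses
	return c
}
// Revoked verifies the CRL signature against ca, then looks for cert's serial number in it.
func Revoked(crl *x509.RevocationList, ca, cert *x509.Certificate) bool {
	if err := crl.CheckSignatureFrom(ca); err != nil { panic(err) } // never act on an unverified CRL
	for _, e := range crl.RevokedCertificates {
		if e.SerialNumber.Cmp(cert.SerialNumber) == 0 { return true }
	}
	return false
}
// Reissue models the thread: the old cert's serial lands on the CA's CRL, the CA then signs a
// replacement for the same key and DN; it returns (oldRevoked, renewedRevoked, sameKey).
func Reissue() (bool, bool, bool) {
	now := time.Now()
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Root CA"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, NotBefore: now, NotAfter: now.Add(24 * time.Hour)}
	ca := sign(caTmpl, caTmpl, caPub, caKey)
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader) // the key pair behind the runmqakm label (constructed)
	leaf := func(serial int64) *x509.Certificate { // same subject and key every time; only the serial differs
		return sign(&x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: "qm1.example.test"},
			NotBefore: now, NotAfter: now.Add(365 * 24 * time.Hour)}, ca, leafPub, caKey)
	}
	old := leaf(1001)
	crlDER, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now,
		NextUpdate: now.Add(24 * time.Hour), RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: old.SerialNumber, RevocationTime: now}}}, ca, caKey)
	if err != nil { panic(err) }
	crl, _ := x509.ParseRevocationList(crlDER)
	renewed := leaf(1002) // the -certreq -recreate analogue: new serial, same key and DN
	sameKey := old.PublicKey.(ed25519.PublicKey).Equal(renewed.PublicKey)
	return Revoked(crl, ca, old), Revoked(crl, ca, renewed), sameKey
}

func main() { fmt.Println(Reissue()) } // prints: true false true
```

A partner whose SSLPEER filter (or other policy) matches on the serial number would still reject the renewed certificate even though the key and signer chain are unchanged, which is exactly the case the replies warn about.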