MQ

  • 1.  Update SSL certificates monthly

    Posted 3 days ago
    Members of the Certificate Authority/Browser Forum have voted to shorten the lifespan of SSL/TLS certificates to just under seven weeks. The changes will roll out gradually over the next several years until March 2029, when certificate lifetimes will be limited to 47 days. While the organization has argued that shortening the duration of the certificates' viability will improve security, others point out that the entities issuing the certificates will benefit financially from the changes. While no members of the CA/Browser Forum voted against the move, five members abstained from voting.
     
    On March 15, 2026, the maximum lifecycle will be 200 days, requiring six-month renewals, and on March 15, 2027, it shrinks to 100 days, requiring 90-day renewals. Finally, on March 15, 2029, the interval shrinks to 47 days, with an expected monthly renewal. At this point the move is to automate all SSL/TLS certificate renewals. Find servers and appliances you're not currently automating certificate management for and work with your suppliers for solutions while you have a bit of time; March 2026 isn't that far out for making changes to business and other high stability services. Find out the certificate interval where you have automation; you may be surprised how rapidly you already are updating certificates.
    In light of this, what are others doing to prepare for monthly updates of SSL certificates on IBM MQ queue managers in production?


    ------------------------------
    Anthony Julian
    Technical Specialist II
    Mayo Clinic
    Rochester MN
    5072545963
    ------------------------------
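
The schedule quoted in the post above can be turned into a projection of how often one certificate will need replacing. This is an added example, not part of the original post; it assumes each renewal is issued a fixed `lead_days` before expiry and requests the maximum lifetime, and the sample expiry date is constructed.

```python
from datetime import date, timedelta

# Phase start dates and maximum certificate lifetimes (days) as quoted in the thread.
PHASES = [(date(2026, 3, 15), 200), (date(2027, 3, 15), 100), (date(2029, 3, 15), 47)]


def max_lifetime_days(issued):
    """Limit in force on the issue date; None before the first phase,
    for which the thread quotes no figure."""
    limit = None
    for start, days in PHASES:
        if issued >= start:
            limit = days
    return limit


def renewal_plan(not_after, horizon, lead_days=14):
    """Project (issued, expires) pairs for one certificate up to `horizon`.

    Assumptions (not from the thread): each renewal is issued `lead_days`
    before the current expiry and always requests the maximum lifetime.
    """
    plan = []
    expires = not_after
    while True:
        issued = expires - timedelta(days=lead_days)
        if issued > horizon:
            return plan
        limit = max_lifetime_days(issued)
        if limit is None:
            raise ValueError("renewal falls before the first phase quoted in the thread")
        if lead_days >= limit:
            raise ValueError("lead time must be shorter than the certificate lifetime")
        expires = issued + timedelta(days=limit)
        plan.append((issued, expires))


def renewals_per_year(plan):
    """Count projected key store updates per calendar year."""
    counts = {}
    for issued, _ in plan:
        counts[issued.year] = counts.get(issued.year, 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed inventory entry: a queue manager certificate expiring 2026-06-01.
    plan = renewal_plan(date(2026, 6, 1), horizon=date(2030, 12, 31))
    for year, n in sorted(renewals_per_year(plan).items()):
        print(year, n, "renewals")
```

Running it over a real inventory of expiry dates shows which years need how many change windows per queue manager if renewals stay manual.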


  • 2.  RE: Update SSL certificates monthly

    Posted 16 hours ago

    General
    The browser forum only talks about public (browser) certificates, but the reasons/arguments they use for their change on the expiration duration also apply to private (M2M) certificates. So how will the CAs react for duration times on private certificates?

    MQ
    We have an internal CA and have an automatic enrollment to our (internal) applications that connect to MQ. We trust the CA and have a specific certificate name on every MQ channel (each application has its own certificate on its own MQ channel). So certificates are unique per application, and auto-enrollment means that the expiration, whether 365, 200, 100 or even 47 days, doesn't matter (IF we are going to follow those external expiration dates of the external CAs with our internal CA). That's for our MQ

    Other IBM products
    I am more interested in DataPower auto-enrollment of certificates. Is IBM planning for the possible implementation of some auto-enrollment protocol? (SCEP, EST, ACME?)
    My primary interest is in the IBM products DataPower & Security Verify Access (both are heavy users of certificates) and what IBM's plans for auto-enrollment are.



    ------------------------------
    ST Integratie
    Dienst Uitvoering Onderwijs
    ------------------------------