  • 1.  SSL Expiration: SSL Update

    Posted Thu September 14, 2023 10:09 AM


    I have an IBM MQ 9.1 setup with 2 queue managers on one host. Today my SSL bundle expired. I got reissued another cert because the CA said it was their fault. I am looking throughout the documentation and it looks like I have to build a pk12 certificate. But I was told I could just runmqakm and add each of the .pem certificates into my current keystore. Is this all that there is to update my SSL? It sounds too easy in an IBM MQ kind of world to believe.

    Wei Mei

  • 2.  RE: SSL Expiration: SSL Update

    IBM Champion
    Posted Fri September 15, 2023 01:29 AM

    Hi Wei Mei,

    Once you have added the certificates into your keystore you will need to tell the queue manager to take a new look at the contents of its keystore. You can do this either by recycling the queue manager or by issuing the MQSC command REFRESH SECURITY TYPE(SSL).


    Morag Hughson
    MQ Technical Education Specialist
    MQGem Software Limited

  • 3.  RE: SSL Expiration: SSL Update

    IBM Champion
    Posted Fri September 15, 2023 01:56 AM

    Hi Wei Mei,

    I would start by taking a copy of your current CMS keystore (key.*) files. Work with the copies in case something goes wrong. Once you've got things properly in place, replace the original files with the updated copies (after taking another copy of the originals).

    Depending on whether the CA issuer certificate or your queue manager personal certificate has expired, you may need to use different commands in runmqakm.

    For a new issuer or root cert (if that's what's in the new bundle) you need to use -cert -add.

    For a replacement queue manager (personal) certificate, I think you need to use -cert -receive.

    If you have received both new issuer (and perhaps root) certs as well as a new personal cert for the queue manager, you will need to extract the certificates from the certificate bundle into a separate file (normally .pem) for each certificate and either add or receive each one (depending on what type of certificate it is).

    I haven't done a certificate update for a while. My customers generally replace the whole certificate including the key, and so we create a new key/cert pair each time we renew. It's possible that you will need to runmqakm -certreq recreate before you can merge the new certificate into the kdb using -cert -receive.


    Neil Casey
    Senior Consultant
    Syntegrity Solutions
    Melbourne, Victoria
    IBM Champion (Cloud) 2019-22
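
The bundle-splitting step described in the post above, as an added example that is not part of the original thread or of IBM's tooling: it writes one PEM file per certificate and prints, without running, a `runmqakm -cert -add` line for each against a copy of the keystore. The file names, the `exampleca` label prefix and the `key-copy.kdb` path are assumptions, `-stashed` assumes a stash file sits beside the keystore, and the sample bundle is constructed placeholder data, not real certificates.

```shell
#!/bin/sh
# split_pem_bundle BUNDLE OUTDIR
# Writes OUTDIR/cert-NN.pem for each certificate block and prints the count.
# Text between blocks (subject= lines, comments) is dropped; CRLF is stripped.
split_pem_bundle() {
    bundle=$1; outdir=$2
    mkdir -p "$outdir" || return 1
    awk -v dir="$outdir" '
        { sub(/\r$/, "") }
        /^-----BEGIN CERTIFICATE-----$/ { n++; file = sprintf("%s/cert-%02d.pem", dir, n); inside = 1 }
        inside { print > file }
        /^-----END CERTIFICATE-----$/ && inside { close(file); inside = 0 }
        END {
            if (inside) { print "unterminated certificate block" | "cat 1>&2"; exit 2 }
            print n + 0
        }
    ' "$bundle"
}

# emit_add_commands KDB DIR LABEL_PREFIX
# Prints one runmqakm line per split file; review them, then run by hand.
emit_add_commands() {
    kdb=$1; dir=$2; prefix=$3; i=0
    for f in "$dir"/cert-*.pem; do
        [ -f "$f" ] || continue
        i=$((i + 1))
        printf 'runmqakm -cert -add -db %s -stashed -label %s_%02d -file %s -format ascii\n' \
            "$kdb" "$prefix" "$i" "$f"
    done
}

# Constructed sample bundle: two placeholder blocks with stray text between them.
demo_dir=$(mktemp -d)
cat > "$demo_dir/bundle.pem" <<'EOF'
subject=CN=Example Sub CA (constructed)
-----BEGIN CERTIFICATE-----
U1VCQ0E=
-----END CERTIFICATE-----
subject=CN=Example Root CA (constructed)
-----BEGIN CERTIFICATE-----
Uk9PVA==
-----END CERTIFICATE-----
EOF
count=$(split_pem_bundle "$demo_dir/bundle.pem" "$demo_dir/split")
echo "certificates found: $count"
emit_add_commands "$demo_dir/key-copy.kdb" "$demo_dir/split" exampleca
```

The printed lines cover CA certificates only; a replacement personal certificate goes in with `-cert -receive`, as the post says.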

  • 4.  RE: SSL Expiration: SSL Update

    Posted Fri September 15, 2023 09:09 AM

    Thank you. Our personal cert did not expire yet, it was an expiration of the root ca and subsequent change from to stop using a cross signed ca. They were provided to me as one bundle, I broke them up into two separate certs as suggested by mq support and added them each individually with the same command below.

    What I did to add the new ca and subca provided to me by

    runmqckm -cert -add -db 

    I then ran the validate and got an "ok" printed on the screen.

    runmqakm -cert -validate -label

    Wei Mei

  • 5.  RE: SSL Expiration: SSL Update

    Posted Fri September 15, 2023 09:25 AM

    Just a usability note. runmqckm is a Java tool. runmqakm is a C executable. I prefer to use runmqakm as it runs a lot faster than runmqckm.

    Tim Zielke

  • 6.  RE: SSL Expiration: SSL Update

    Posted Fri September 15, 2023 09:28 AM

    Thanks, I run everything from the command line and wait for changes so speed is not an issue to me. I ran what was specified of me from my MQ engineer. If there is no difference other than preference, I'll likely just run what is directed of me in the future as well.

    Wei Mei

  • 7.  RE: SSL Expiration: SSL Update

    IBM Champion
    Posted Fri September 15, 2023 11:11 AM
    You might want to delete the old one, then add the new one ... just to be sure

  • 8.  RE: SSL Expiration: SSL Update

    IBM Champion
    Posted Mon September 25, 2023 11:42 AM


    Do you have the syntax for inserting a pem file in the key database?

    I normally use runmqckm commands.


    Just a suggestion:

    Create a label for each cert which includes the CA name and the expiration date.

    Sort of like:  baltimoretrustrootca_08202025

    Then when you list the certs in the kdb file you can easily see the expiration date.


    Procedure I use:

    • Backup the keystore
    • Insert the new cert with the new expiration date
    • Check the attribute in the queue manager properties "certificate label" and change it if necessary to the new label
    • Recycle the queue manager
    • Delete old cert after one week



    IBM Champion



  • 9.  RE: SSL Expiration: SSL Update

    Posted Tue September 26, 2023 03:09 PM

    Thanks everyone, I was able to upload the new CA and subCA. Luckily in this instance my Personal certificate has not expired yet so I did not need to update that one. I will be back when that time nears.

    Wei Mei