SSL certificates and certificate chains


This section explains what SSL certificates are, what a complete certificate chain is and why WebSphere MQ certificate stores need them.

Personal certificates (certificates issued to an individual or a company) can be used by queue managers and WebSphere MQ clients to uniquely identify themselves when they are involved in starting an SSL connection.

Certification authority certificates are used by queue managers and WebSphere MQ clients to verify the authenticity of any personal certificate they receive during an SSL handshake (certification authority certificates are sometimes referred to as Certification Authority (CA) certificates or signer certificates in other WebSphere MQ documentation).

Each personal certificate has zero or more certificate chains of certification authority certificates that extend back to the root certification authority.

For example:

Certificate R (Root Certification Authority)
    |
    | represents issuer of
    V
Certificate I1 (Intermediate Certification Authority)
    |
    | represents issuer of
    V
Certificate I2 (A subsidiary Intermediate Certification Authority)
    |
    | represents issuer of
    V
Certificate I3 (A further subsidiary Intermediate Certification Authority)
    |
    | represents issuer of
    V
Certificate P (A personal certificate that is used to identify its owner on an SSL handshake)

Certificate chains are used to verify the authenticity of each certificate in that chain, including the personal certificate. Each certificate in the chain is validated using its 'parent' certificate, which in turn is validated using the next certificate up the chain, and so on, from the personal certificate up to the root certification authority certificate.

The Global Security Toolkit (provided by WebSphere MQ V6.0) promotes good certificate housekeeping by automatically verifying the authenticity of any personal certificate it manages. For this reason, it requires a complete set (or chain) of certification authority certificates to be stored with each personal certificate.

WebSphere MQ V5.3 on Windows allows personal certificates to be held in certificate stores without a complete certificate chain. If you attempt to migrate such certificates to a Global Security Toolkit key database this migration will fail, and your SSL channel connections will no longer work.
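The following script is an added example and is not part of the WebSphere MQ documentation; it uses OpenSSL rather than the Global Security Toolkit. It builds a constructed three-level chain (a root certification authority, an intermediate certification authority and a personal certificate for a queue manager) and then verifies the personal certificate twice: once with the intermediate certificate available and once without it. The second verification fails, which is the same "incomplete chain" condition that causes a Global Security Toolkit migration to be rejected. The subject names (`Example Root CA`, `Example Intermediate CA`, `QM1`), the `chain.cnf` configuration file and the working directory are all constructed for this example.

```shell
#!/bin/sh
# Added example, not from the WebSphere MQ documentation. Requires the
# openssl command-line tool. All files are created in a temporary directory.

# Minimal OpenSSL configuration (constructed for this example): certification
# authority certificates get basicConstraints CA:TRUE and keyCertSign, the
# personal (end-entity) certificate gets CA:FALSE.
write_config() {
    cat > "$1/chain.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ee_ext]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
EOF
}

# Create a private key and a self-signed root certification authority
# certificate (Certificate R in the diagram above).
make_root() {
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
        -out "$1/root.key" 2>/dev/null
    openssl req -x509 -new -key "$1/root.key" -out "$1/root.pem" -days 1 \
        -subj "/CN=Example Root CA" -config "$1/chain.cnf" -extensions ca_ext
}

# Issue a certificate signed by an existing issuer in the same directory.
# usage: issue DIR NAME SUBJECT ISSUER EXTENSION_SECTION
issue() {
    dir=$1; name=$2; subject=$3; issuer=$4; ext=$5
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
        -out "$dir/$name.key" 2>/dev/null
    openssl req -new -key "$dir/$name.key" -subj "$subject" \
        -config "$dir/chain.cnf" -out "$dir/$name.csr"
    openssl x509 -req -in "$dir/$name.csr" -CA "$dir/$issuer.pem" \
        -CAkey "$dir/$issuer.key" -CAcreateserial -days 1 \
        -extfile "$dir/chain.cnf" -extensions "$ext" \
        -out "$dir/$name.pem" 2>/dev/null
}

# Build the chain Root -> Intermediate -> Personal in DIR.
build_chain() {
    write_config "$1"
    make_root "$1"
    issue "$1" inter    "/CN=Example Intermediate CA" root  ca_ext
    issue "$1" personal "/CN=QM1"                     inter ee_ext
}

# Verify the personal certificate against the trusted root.
# mode "full":       the intermediate is supplied, as in a complete store.
# mode "incomplete": the intermediate is withheld, as in a store that holds
#                    the personal certificate without its full chain.
# Exit status is that of openssl verify: 0 only when the chain validates.
verify_personal() {
    dir=$1; mode=$2
    if [ "$mode" = full ]; then
        openssl verify -CAfile "$dir/root.pem" -untrusted "$dir/inter.pem" \
            "$dir/personal.pem"
    else
        openssl verify -CAfile "$dir/root.pem" "$dir/personal.pem"
    fi
}

WORK=$(mktemp -d)
build_chain "$WORK"
echo "With the complete chain:"
verify_personal "$WORK" full
echo "Without the intermediate certificate:"
verify_personal "$WORK" incomplete \
    || echo "verification failed: the chain back to the root is incomplete"
rm -rf "$WORK"
```

The `-untrusted` option plays the role of the intermediate certificates stored alongside a personal certificate: OpenSSL uses them only to build the path and still anchors trust in `-CAfile`. Removing the intermediate leaves the personal certificate's issuer unresolvable, and the verification is rejected rather than silently accepted.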


Parent topic:

Step 1: Ensuring WebSphere MQ certificate stores contain complete certificate chains
