Reasons and remedies for failed certificate transfer
This section describes the ways in which a certificate transfer can fail, how the failures are classified, and how to remedy some of them.
The AMQTCERT command classifies certificates that fail to be transferred into 2 categories:
Orphan Certificates
Orphan certificates do not have a complete certificate chain. When the AMQTCERT command detects an orphan certificate, it:
- creates an OrphanCertificates subdirectory in the directory containing the key database file if one doesn't exist already
- exports personal certificates into .pfx files
- exports certification authority certificates into .cer files
- outputs an error message to the amqerr01.log for each orphaned certificate, identifying the file, the certificate, and its issuer
To remedy this situation you will need to use the Global Security Toolkit to import the certificates missing from the orphaned certificate chain in strict order from root certification authority to the issuer of the orphaned certificate. Then import the orphan certificate from its file. For more details on how to do this see the WebSphere MQ V6.0 Security book.
Failed Certificates
Failed certificates fail to transfer for reasons other than incomplete certificate chains, for example, the certificate having become corrupted. When the AMQTCERT command detects a failed certificate, it:
- creates an ImportFailedCertificates subdirectory in the directory containing the key database file if one doesn't exist already
- exports personal certificates into .pfx files
- exports certification authority certificates into .cer files
- outputs an error message to the amqerr01.log for each failed certificate, identifying the file, the certificate, and its issuer
To try to remedy this situation, you can get a new copy of the certificate from the certification authority. You will then need to use the Global Security Toolkit to import the certificates in strict order from root certification authority to the personal certificate. For more details on how to do this see WebSphere MQ V6.0 Security.
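Both remedies above depend on importing certificates in strict order from the root certification authority down. The following is an added example, not part of the original documentation or of AMQTCERT: it works out that order, and names the first missing issuer, from subject and issuer names. The file names and distinguished names are constructed, and matching is by exact name string only (no signature check), which is an assumption of this sketch.

```python
"""Plan a root-first import order for an orphaned or failed certificate."""

# Constructed sample: file name -> (subject DN, issuer DN).
# In practice these names would be read from each exported .cer/.pfx file
# or from the issuer reported in amqerr01.log; the values here are hypothetical.
AVAILABLE = {
    "root.cer": ("CN=Example Root CA", "CN=Example Root CA"),
    "issuing.cer": ("CN=Example Issuing CA", "CN=Example Policy CA"),
    "policy.cer": ("CN=Example Policy CA", "CN=Example Root CA"),
    "qm1.pfx": ("CN=QM1", "CN=Example Issuing CA"),
}


def import_order(certs, target_file):
    """Return (ordered_files, missing_issuer).

    ordered_files lists the files to import, highest available CA first and
    target_file last. missing_issuer is the DN of the first issuer for which
    no file is available, or None when the chain reaches a self-signed root.
    """
    by_subject = {subject: name for name, (subject, _) in certs.items()}
    chain = [target_file]
    seen = {target_file}
    subject, issuer = certs[target_file]
    while issuer != subject:  # a self-signed certificate is the root
        parent = by_subject.get(issuer)
        if parent is None:
            # Chain is incomplete: this issuer's certificate must be obtained
            # before anything below it can be imported.
            return list(reversed(chain)), issuer
        if parent in seen:
            raise ValueError("issuer loop detected at " + parent)
        chain.append(parent)
        seen.add(parent)
        subject, issuer = certs[parent]
    return list(reversed(chain)), None


if __name__ == "__main__":
    order, missing = import_order(AVAILABLE, "qm1.pfx")
    print("import order:", order)
    print("missing issuer:", missing)
```

When a missing issuer is reported, that certificate has to be obtained and the order recomputed before any import is attempted.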