Step 3: Converting Certificate Revocation Lists and Authority Revocation Lists

Step 3: Converting Certificate Revocation Lists and Authority Revocation Lists

This section describes how to convert the Certificate Revocation Lists and Authority Revocation Lists.
Certificate revocation lists (CRLs) and Authority Revocation Lists (ARLs) are available from Certification Authorities in 2 formats:

DER-format
PEM-format

WebSphere MQ V5.3 for Windows platforms allows CRLs and ARLs to be in PEM-format. In WebSphere MQ V6.0, the Global Security Toolkit requires CRLs and ARLs to be in DER-format and you will need to ensure that any CRLs and ARLs that you have in PEM-format are changed to be in DER-format.
Changing the PEM-format CRLs and ARLs can be performed before or after installing WebSphere MQ V6.0.

Changing Certificate Revocation Lists and Authority Revocation Lists into DER-format

Changing PEM-format CRLs and ARLs into DER-format can be achieved in several ways. Two of these are:

obtain replacement CRLs and ARLs in DER-format from your Certification Authority or authorities
use a commercial format conversion tool to convert your existing CRLs and ARLs

For each LDAP server that has been configured to hold CRL and ARL information used by WebSphere MQ, you will need to edit the appropriate LDIF file and update the certificateRevocationList; binary field with the DER-format CRL and ARL data. For further information on configuring and updating LDAP servers with CRL and ARL information, see "Accessing CRLs" in the WebSphere MQ Security book.

Parent topic:
SSL migration steps

mi10420_