Re: SSL certificate renewal



My somewhat limited experience on this subject is that you cannot renew an expired certificate. Now that it's expired you must request a new certificate.

Thanks,

Ray Baraniecki
Morgan Stanley GWMG
18th Floor
1 New York Plaza
New York, NY 10004
Office - 212-276-5641
Cell - 917-597-5692
Ray.baraniecki@xxxxxxxxxxxxxxxx

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@xxxxxxxxxxx] On Behalf Of Mark Pace
Sent: Tuesday, June 02, 2009 2:28 PM
To: IBM-MAIN@xxxxxxxxxxx
Subject: Re: SSL certificate renewal

I don't see how you would go about changing the end date. I would assume
that is the purpose of renewing the certificate.

On Tue, Jun 2, 2009 at 2:12 PM, Michael Saraco <
michael.saraco@xxxxxxxxxxxxxxxxxxx> wrote:

I have never tried it with an expired cert, but have you tried to change
the end date in the expired cert yet to see if that fixes your problem?
When creating certs I always change the expire date to something way out
there so I do not have problems.


Michael Saraco
Systems Consultant
303-838-3374 x115
Cell 507-525-0530



From: Mark Pace <mpace58@xxxxxxxxx>
To: IBM-MAIN@xxxxxxxxxxx
Date: 06/02/2009 01:05 PM
Subject: Re: SSL certificate renewal
Sent by: IBM Mainframe Discussion List <IBM-MAIN@xxxxxxxxxxx>



Yes - all my users receive the certificate, and that is why I had hoped to
renew it with the same key, so I would not have to send out a new cert to
all the users. It's looking more like I will have to generate a new
certificate and send it out.

On Tue, Jun 2, 2009 at 1:56 PM, Richard Peurifoy
<r-peurifoy@xxxxxxxxxxxx> wrote:

Mark Pace wrote:

Trying to follow the directions in the RACF manual to renew a self-signed
certificate that expired.

A display for ID TN3270

Label:TnServerCert
Certificate ID:2Qbj1fPy9/DjleKFmaWFmcOFmaNA
Status:TRUST
Start Date:2008/05/30 00:00:00
End Date: 2009/05/30 23:59:59
Serial Number:00
Issuer's Name:CN=zos19.OU=IT.O=Mainline.C=US
Subject's Name:CN=zos19.OU=IT.O=Mainline.C=US
Private Key Type:Non-ICSF
Private Key Size:1024
Ring Associations:
Ring Owner:TN3270
Ring:TNRING

So I see it exists and it's expired.
Next create a certificate request based on the old certificate.
*racdcert id(TN3270) genreq(label('TnServerCert')) dsn('ibmuser.cert.req')*
This executes and creates the IBMUSER.CERT.REQ file.

Then renew and replace the certificate.
*racdcert id(TN3270) gencert('ibmuser.cert.req') signwith(label('TnServerCert'))*
*IRRD107I No matching certificate was found for this user.*

I can't figure out why it says this certificate is not found, when I
clearly displayed it earlier.


I think you need "signwith(id(TN3270) label('TnServerCert'))",
however, I have never tried signing a cert with itself, so I
don't know if this works.

Do others have a copy of this cert on their TN3270 clients,
or do they just accept a self-signed cert?

If they just accept the self-signed cert, just create a new
one.

Alternatively, you could create a signing cert with a long
End Date and use that to sign your cert. If the clients have
a copy of your cert, just give them a copy of your signing
cert to use as the CA for your TN3270 cert.

--
Richard

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to listserv@xxxxxxxxxxx with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html




--
Mark Pace
Mainline Information Systems
1700 Summit Lake Drive
Tallahassee, FL. 32317
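Richard's alternative from the thread, written out as an added example that is not part of the original messages: a local CA certificate with a long End Date signs the TN3270 server certificate, and clients import the CA certificate once. The user ID, ring name and subject name come from the display in the thread; the labels 'LocalTnCA' and 'TnServerCert2', the dataset name and all dates are hypothetical.

```tso
/* Added example, not from the thread. Hypothetical values: labels   */
/* 'LocalTnCA' and 'TnServerCert2', dataset name, and all dates.     */

/* 1. Create the signing (CA) certificate with a long End Date.      */
RACDCERT CERTAUTH GENCERT -
  SUBJECTSDN(CN('Local TN3270 CA') OU('IT') O('Mainline') C('US')) -
  WITHLABEL('LocalTnCA') -
  NOTAFTER(DATE(2019-12-31)) -
  KEYUSAGE(CERTSIGN)

/* 2. Create a new server certificate for TN3270, signed by the CA   */
/*    rather than by itself. A new label is used because the expired */
/*    'TnServerCert' still exists under this ID.                     */
RACDCERT ID(TN3270) GENCERT -
  SUBJECTSDN(CN('zos19') OU('IT') O('Mainline') C('US')) -
  WITHLABEL('TnServerCert2') -
  NOTAFTER(DATE(2010-12-31)) -
  SIGNWITH(CERTAUTH LABEL('LocalTnCA'))

/* 3. Put the CA and the new server certificate on the existing ring */
/*    and take the expired certificate off it.                       */
RACDCERT ID(TN3270) CONNECT(CERTAUTH LABEL('LocalTnCA') -
  RING(TNRING) USAGE(CERTAUTH))
RACDCERT ID(TN3270) CONNECT(ID(TN3270) LABEL('TnServerCert2') -
  RING(TNRING) DEFAULT USAGE(PERSONAL))
RACDCERT ID(TN3270) REMOVE(ID(TN3270) LABEL('TnServerCert') -
  RING(TNRING))

/* 4. Export only the CA certificate (no private key) for clients    */
/*    to import as a trusted CA.                                     */
RACDCERT CERTAUTH EXPORT(LABEL('LocalTnCA')) -
  DSN('IBMUSER.LOCALCA.CRT') FORMAT(CERTB64)

/* 5. Refresh the in-storage profiles if the DIGTCERT and DIGTRING   */
/*    classes are RACLISTed, then confirm dates and ring contents.   */
SETROPTS RACLIST(DIGTCERT DIGTRING) REFRESH
RACDCERT ID(TN3270) LIST(LABEL('TnServerCert2'))
RACDCERT ID(TN3270) LISTRING(TNRING)
```

With this layout, a later server certificate signed by the same CA validates on clients without redistributing anything, until the CA certificate itself nears its End Date.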