Hi,

I can't (won't!) answer the first question, beyond that root certificates
should last an order of magnitude longer than end-users.

If you have a number of queue managers, managing them with self-signed
certificates can become a nightmare.  To add/renew one certificate would
then require you to change every connected queue manager's key repository.
The best way forward is to introduce a Certificate Authority.  It is well
worth putting in the effort to become familiar with PKI.  OpenSSL
(www.openssl.org) is a good open resource for playing with PKI/SSL.  You can
then introduce a CA and its root PKI certificate.  Each key repository then
needs its queue manager's key pair and certificate plus a copy of the root
certificate.

With a CA, adding a queue manager, or replacing an end-user certificate,
involves changes to only its key repository.  Other queue managers will
accept the new certificate, because it has been signed by the CA.

When the CA time is up (or at least 6 months before), you will need to
create a new CA, and distribute its root certificate across all the
participating queue managers.  Once they all know about the new CA, you can
then begin replacing queue manager keys & certificates, one at a time.

Alan
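The three arrangements in the reply above (self-signed certificates per queue manager, a shared CA root, and a CA rollover where the new root is distributed before any certificate is re-issued) can be walked through with OpenSSL. The script below is an added example and is not part of the list post or of any IBM MQ tooling; a "key repository" is modelled as a PEM file holding the certificates a queue manager trusts, and every name, lifetime and path in it is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the list post: modelling queue manager trust with OpenSSL.
# A repository file = the set of certificates one queue manager trusts.
# All names, lifetimes and paths below are constructed for illustration.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# new_selfsigned NAME DAYS: key pair plus a self-signed certificate (no CA involved)
new_selfsigned() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$2" \
    -subj "/CN=$1" -keyout "$1.key" -out "$1.crt" >/dev/null 2>&1
}

# issue CA NAME DAYS: key pair for NAME plus a certificate signed by CA's key
issue() {
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
    -keyout "$2.key" -out "$2.csr" >/dev/null 2>&1
  openssl x509 -req -in "$2.csr" -CA "$1.crt" -CAkey "$1.key" \
    -CAcreateserial -days "$3" -sha256 -out "$2.crt" >/dev/null 2>&1
}

# accepts REPO CERT: prints "ok" if the trust store in REPO validates CERT, else "fail"
accepts() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# --- 1. Self-signed certificates: every repository must list every peer ---
new_selfsigned qm1 365; new_selfsigned qm2 365
cat qm2.crt > repo_qm1.pem            # qm1 trusts qm2 explicitly
new_selfsigned qm3 365                # a new queue manager appears...
accepts repo_qm1.pem qm3.crt          # fail: qm1's repository must be edited
cat qm3.crt >> repo_qm1.pem
accepts repo_qm1.pem qm3.crt          # ok, but only after touching qm1's repository

# --- 2. A CA: each repository holds the root; new peers need no edits ---
new_selfsigned ca1 3650               # root CA, an order of magnitude longer-lived
issue ca1 qm4 365; issue ca1 qm5 365
cat ca1.crt > repo_ca.pem             # the repository every participant carries
accepts repo_ca.pem qm4.crt           # ok
issue ca1 qm6 365                     # new queue manager, or a renewed certificate
accepts repo_ca.pem qm6.crt           # ok, with no change to any other repository

# --- 3. CA rollover: distribute the new root first, then re-issue one at a time ---
new_selfsigned ca2 3650
issue ca2 qm7 365
accepts repo_ca.pem qm7.crt           # fail: ca2 is not trusted yet
cat ca1.crt ca2.crt > repo_ca.pem     # step 1: every repository learns the new root
accepts repo_ca.pem qm7.crt           # ok
accepts repo_ca.pem qm4.crt           # ok: ca1-signed certificates keep working meanwhile
issue ca2 qm4 365                     # step 2: replace keys and certificates one at a time
accepts repo_ca.pem qm4.crt           # ok
```

The point of keeping both roots in the repository during step 1 is that certificates signed by the old CA and by the new one are accepted side by side, so the re-issue in step 2 can proceed one queue manager at a time without any channel losing trust in between; the old root is dropped only once no certificate it signed remains in use.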



-----Original Message-----
From: MQSeries List [mailto:[EMAIL PROTECTED] On Behalf Of Lawrence
Coombs
Sent: 23 April 2004 17:54
To: [EMAIL PROTECTED]
Subject: Re: SSL and certificate expiry


Anyone care to share the lifetime they assign to a certificate used by a
queue manager that has SSL channels? Also, how do you handle certificates
expiring when an OS/390 queue manager communicates with many distributed
queue managers?

Instructions for managing your mailing list subscription are provided in the
Listserv General Users Guide available at http://www.lsoft.com
Archive: http://vm.akh-wien.ac.at/MQSeries.archive

