Next-generation platform

Migrating MQ certificates

IBM MQ certificates that you generate after the November 2020 release can be revoked. You can use both sets of certificates, but you cannot revoke IBM MQ certificates that were generated before the November 2020 release. You must gradually migrate to the new IBM MQ certificates.

About this task

Revoking IBM MQ certificates requires a change to how mTLS is configured for inbound connections to the IBM MQ server. Therefore, you must migrate all client systems to use new inbound IBM MQ client certificates. You can do this on an environment-by-environment basis according to your own schedule. For each environment, you must complete the following tasks.

Procedure

To migrate IBM MQ certificates, complete the following steps.

  1. Create new certificates for each system that is configured with inbound IBM MQ access.
  2. Click Apply changes and configure the external system with the new certificate.
    In the Apply IBM MQ certificate page, select the date and time at which you want to start applying the certificates for your IBM MQ servers.
    Note: If you select a date prior to the current date, the process to apply changes is started immediately.

    When you apply the IBM MQ certificates on the IBM MQ servers, the SSL-enabled channels are cycled and all IBM MQ clients must reconnect. Therefore, you might want to schedule this action for a low-volume period of the day to minimize the impact of connections being reestablished.

    When the change is scheduled, you can view it as a process in the queue. The following two processes are run according to the schedule.
    1. The first process applies the new certificate to the truststore of IBM MQ.
    2. The second process refreshes IBM MQ security, and the channels bounce.
  3. Validate connectivity from the external system to the IBM MQ server.
  4. After all external systems are migrated to use new certificates, open a skills case with IBM to remove the MQ CA certificate for the given environment.
  5. After the MQ CA certificate is removed from the environments of the IBM MQ server, all older MQ client certificates will stop working.
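
Before you ask for the MQ CA certificate to be removed (step 4), it helps to confirm that no client system still presents a certificate that depends on it. The following script is an added example, not part of the original procedure or of IBM tooling. It assumes that you have the MQ CA certificate exported as a PEM file and the client certificates collected as `*.pem` files in one directory; the function names and paths are hypothetical.

```shell
#!/bin/sh
# Added example: list client certificates that still chain to the MQ CA
# and would therefore stop working once that CA is removed (step 5).
# Assumptions: the MQ CA is available as a PEM file, and each client
# certificate is a separate *.pem file in a single directory.

# Return 0 if the certificate in $2 verifies against the CA in $1.
chains_to_legacy_ca() {
    # -no-CApath keeps the system trust directory out of the decision,
    # so only the supplied CA file can make the verification succeed.
    openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

# Print the path of every certificate in directory $2 that still
# depends on the CA in $1. Certificates that are already expired fail
# verification and are not listed.
list_unmigrated() {
    legacy_ca=$1
    cert_dir=$2
    for cert in "$cert_dir"/*.pem; do
        [ -f "$cert" ] || continue
        if chains_to_legacy_ca "$legacy_ca" "$cert"; then
            printf '%s\n' "$cert"
        fi
    done
}

# Stand-alone use: sh check-mq-certs.sh mq-ca.pem /path/to/client-certs
if [ "$#" -eq 2 ]; then
    list_unmigrated "$1" "$2"
fi
```

An empty result means that none of the collected certificates relies on the MQ CA. It says nothing about client systems whose certificates were not collected.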