Yes, we did have this conversation last year and yes, you read the docs on the API correctly.  However, as IBM was developing the API, I tossed them the scenario that if a user externally updates a certificate, using the original CSR, then all you should need to do is call the API.  They agreed, and changed the API to add format RNWC0300 to do just that.   Just import the cert and you should be good to go.  This does work with the old DCM.

https://www.ibm.com/docs/en/i/7.4?topic=ssw_ibm_i_74/apis/qycdrnwc.htm

To wit: "If an existing CSR is used when requesting a renewed certificate, then import the renewed certificate and maintain the same key pair using format RNWC0300."

So, it should be simple:  I already have Java code (servlet) with a UI that prompts for all the LetsEncrypt parameters.  It renews the certificate and all I want to do is automate the import of the renewed certificate back into DCM (which I do manually right now).  I don't care if it is a PCML call, a ServiceProgramCall or some other way to invoke the API which by all appearances seems ridiculously easy to  implement (but isn't)....

Pete Helgren
www.petesworkshop.com
GIAC Secure Software Programmer-Java
AWS Certified Cloud Practitioner
Microsoft Certified: Azure Fundamentals
Twitter - Sys_i_Geek IBM_i_Geek

On 4/4/2022 2:32 AM, D*B wrote:
Pete,

we've had this discussion last year, didn't we? reading the old thread and the follow on now, I'm not sure to understand your problem.
Following the ibm docs, I find:

<ibm>
Note: The QycdRenewCertificate API a is a multi-step process API.

The API is called the first time with format RNWC0100 to request a new public/private key pair and receive a certificate signing request based on an expiring certificate.
After the CSR has been sent to a certificate authority (CA) and an issued certificate has been received, the API is called a second time with format RNWC0200 to have the newly issued certificate imported into the system certificate store.
If an existing CSR is used when requesting a renewed certificate, then import the renewed certificate and maintain the same key pair using format RNWC0300.
</ibm>
what about the first two steps?

In your original code, setting up MNW300  (I don't use the very limited and ugly PCML stuff), I don't find setting the offset should be an 4 byte int containing 8; next 4 byte should contain the length of path and file name, followed by the path and file name. This is making up the first parm of the API call, second would be the length of the first parm (length of path and filename + 8), third parm 'RNWC0300', fourth parm an empty array of char with some bytes space (50 or 100) for error information coming back.

D*B



As an Amazon Associate we earn from qualifying purchases.

This thread ...

Replies:

Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2022 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.