Hi Steve,
I ran your program (need I say that it is very cool?)
Just to be clear: I didn't write the program. It's an open source tool
called OpenSSL. You can get the source code for it from
http://www.openssl.org
In fact, IBM has a licesned program (5733-SC1) that lets you install
OpenSSL into PASE on your System i5.
I just provided the link because I thought it'd be easier for you to
download a pre-compiled copy for Windows than it would to order the
licpgm from IBM, or to try to compile the OpenSSL source code on your PC.
and got some information back regarding 'Certificate chain' with
> some /CN entries followed by a certificate (which is different
> than the certificate that was sent to me originally by this company).
Yes, the certificate chain area is the right area. You see,
certificates follow a chain pattern. The server's certificate has a
cryptographic signature that points to the issuer's certificate, which
in turn can have a signature that points to a higher-up issuer, and so
forth. Thus creating a "chain of certificates".
In a normal situation, there will (at least) be two certificates in the
chain. you'll see something like this:
Certificate chain
0 s:/C=US/ST=Wisconsin/L=Milwaukee/O=Klement Sausage Co,
Inc/CN=as400.klements.
com
i:/C=US/ST=Wisconsin/O=Klement Sausage Co, Inc/CN=local
The first line after "Certificate chain" starts with a 0. This tells
you that it's the first certificate in the chain (they're numbered
starting with 0 instead of 1).
the S: line tells you who the certificate is for. C=Country, ST=State,
L=Locality(City), O=Organization, CN=Common Name (the server's name).
The I: tells you about the issuer. Country, STate, Organization, etc.
The CN in this example is "local" because it was issued from the local
certificate authority of my DCM.
Those fields are just informational fields, anyway.. so yours may be
verify different. Though, the CN of the first certificate should match
the site you connected to. (Many programs will complain loudly, otherwise.)
That informational stuff is followed by a base64 encoded representation
of the actual cryptographic certificate:
-----BEGIN CERTIFICATE-----
MIICwjCCAaqgAwIBAgIHRFj22ggVODANBgkqhkiG9w0BAQQFADBTMQswCQYDVQQG
EwJVUzESMBAGA1UECBMJV2lzY29uc2luMSAwHgYDVQQKExdLbGVtZW50IFNhdXNh
Z2UgQ28sIEluYzEOMAwGA1UEAxMFbG9jYWwwHhcNMDYwNTAyMTgzMDUwWhcNMDcx
MDAyMTgzMDUwWjB0MQswCQYDVQQGEwJVUzESMBAGA1UECBMJV2lzY29uc2luMRIw
EAYDVQQHEwlNaWx3YXVrZWUxIDAeBgNVBAoTF0tsZW1lbnQgU2F1c2FnZSBDbywg
SW5jMRswGQYDVQQDExJhczQwMC5rbGVtZW50cy5jb20wgZ8wDQYJKoZIhvcNAQEB
BQADgY0AMIGJAoGBAMQhyzKh5NdNUjGHxdtJq/1pTkBxe92xz7euXab/m/krtNvW
WVRqqUnSnp70Yru8Nh+WSl8IwhT5jFxsd74swVSWJTmv0fyXEHez698cFfPtESce
Me+8NiHnTDsNKscoWOJJMnPee6E2TxGcx0Y+QW6H+wjdh7Id5e9xS45OLzXZAgMB
AAEwDQYJKoZIhvcNAQEEBQADggEBAH1waYPbinzWRPpB0b9N67DW7PNTDIs9qJom
c4NOTqqQ36dtwo/tIozdHi2yEGN0J5yhxYEIR6P3qIdkvg8nyyD+Xth03W2WGjSf
w8CVOHsal2qOdhonAUO0y3dG1Y8DAUd5gFKeZEbA6rB9KJ3lPNsvRwFuYALUrZzQ
vabP8HRllN/4bscp9aoJ21gVfOzc8zsT9C5SAEKFVr4ZO+zE8jDAtoonmzzoGujL
GejVrBfJJpHtpD0A9hKd20auyobmSw9L5B7SebsNhZI+W83hLSadbP0u3aO7H0ug
KFCeLU0006J/cnWEpGpAumUT14QRNOD/0cG6sdVF75Lzbg7ahzY=
-----END CERTIFICATE-----
The next certificate in the chain will be #1, and it should be the
crytpgraphic signature of whomever issued certificate #0. And so forth.
In some cases, it might be a well-known authority (like VeriSign or
Thawte) in other cases it might be what they call a "self-signed"
certificate. That is, a certificate issued by a private organization
just to enable SSL. (That's more likely to be the case in your environment)
1 s:/C=US/ST=Wisconsin/O=Klement Sausage Co, Inc/CN=local
i:/C=US/ST=Wisconsin/O=Klement Sausage Co, Inc/CN=local
-----BEGIN CERTIFICATE-----
MIIDIjCCAgqgAwIBAgIEQRJsSDANBgkqhkiG9w0BAQQFADBTMQswCQYDVQQGEwJV
UzESMBAGA1UECBMJV2lzY29uc2luMSAwHgYDVQQKExdLbGVtZW50IFNhdXNhZ2Ug
Q28sIEluYzEOMAwGA1UEAxMFbG9jYWwwHhcNMDQwODA0MTcyMDA4WhcNMjQwNzMx
MTcyMDA4WjBTMQswCQYDVQQGEwJVUzESMBAGA1UECBMJV2lzY29uc2luMSAwHgYD
VQQKExdLbGVtZW50IFNhdXNhZ2UgQ28sIEluYzEOMAwGA1UEAxMFbG9jYWwwggEi
MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDbOGzsQ2J8a8j63/qWCGPRdZ+3
R5S90f7sAFXyD6cJBOeI9YmLkFyZ9teWUT6sYRLajNsP0LSEMKnPN2BBNoVqI9iX
tECuU+mx3MHN5T1hZmkJws8zL8SIY5nSqqZ6CDLa3D2LvWeKJy28qark6/wYWaX6
JkJKDwspssLpctuRqhtshA0DGDlCOmZM+JZdkjkKR32HGO6lpOSuS+2l6n7DM0yq
KH1ibx4td0Y62MC9jeAg2qjs9BBtW3W6e18SkmcYzfXgBJoOBC8kKm/pOZ9uKgcf
I7aVIBGZ/DxGlZ/GosSdExL7QUbPdeD+5SmeeAihnavDP3BOyqjBslyH9EVhAgMB
AAEwDQYJKoZIhvcNAQEEBQADggEBABRM99FaqDGer99SJd66qnU3dO/ReiNoQLCC
2IOqlCZKJ4mK9aY1cXt7wFpVs+7q4YGb9kI6ZXa4SjnRdZfvOEvVKLE2xY4bY7Bf
AwwlWmf/VeiobecAHixM/SOng9rLqgIDvCQ+XAAd4ePPX1FsorR/FRfwAo/xk9qT
ajTnxN2c5rOEsuobP5tmaGXf/SBtITQ1LKVnvJdSm2WGZ5VBIfuinYSNc6N4PRRJ
3s+u2qO/CqvCrrWyAh8KxBwgPMKzqFEwJOFBY8ISWomkCjiYQZ7w4qMh1dgwB+Yw
DZflRC8ImXolHga18gLi8AfTLdPAYNybFaqZ9QEsEqfmC0djLa4=
-----END CERTIFICATE-----
> Does this mean that there is no signing certificate? Would this be a
> self-signed certificate?
Notice that the preceding certificate has the same S: and I:, because
the certificate is self-signed. That means that the preceding
certificate would have to be installed into the DCM as a CA certificate
before you could possibly make an SSL connection to the
as400.klements.com server that the preceding cert chain was received from.
So the first certificate in the preceding cert chain was the server's
certificate, and the second one is the self-signed issuer (CA)
certificate. Make sense?
It's also possible (but a bad idea, IMHO) for someone to use the same
certificate for both the CA and server certificate. In which case the
cert chain would only have a certificate #0, and no #1. If that's the
case, then the #0 certificate would have to be installed into the DCM.
midrange.com
