Hi Tom,
It looks as if you'll have to import the root and intermediate certificates
into your trust store first, as Chris Bipes mentioned, and then attempt the
import of the pfx file again.
One of the certs they gave you is probably the root (signer) certificate, as
well as the intermediate certificate. If you don't know which one is the
root certificate, you can always visit a website that already has the same
SSL certificate installed. Firefox makes it very easy to inspect the
certificate chain. I use it sometimes to save root certificates and then
import them into DCM. The following link will show you how to use Firefox to
inspect the certificate chain, if you haven't used it before:
https://support.mozilla.org/en-US/kb/secure-website-certificate
-----------------------------------------
Jacob Banda
-----------------------------------------
-----Original Message-----
date: Tue, 9 Mar 2021 03:33:25 +0000
from: Tom Hightower <tomh@xxxxxxxxxxx>
subject: RE: How do I import .crt certificate that was generated by
csr on another system?
You guy are great!
I've received a zipfile with the files, and I've gone most of the way
through the import. However, at the point where I actually import the
certificate (after entering the password for the pfx fiels), I'm getting
this error:
An error occurred during certificate validation. The issuer of the
certificate may not be in the certificate store or the issuer may not be
enabled.
I'm not sure what to do to correct for the error.
Additional files in the zip are:
AAACertificateServices.crt
AddTrustExternalCARoot.crt
comodo-nnnnnn.zip
SectigoRSADomainValidationSecureServerCA.crt
USERTrustRSAAAACA.crt
USERTrustRSAAddTrustCA.crt
We've been running SSL certificates on our 400 for many years, just having
issues getting this pfx up and going.
Thanks in advance
TomH
-----Original Message-----
From: Tom Hightower
Sent: Tuesday, March 2, 2021 11:28 AM
To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxxxxxxxx>
Subject: RE: How do I import .crt certificate that was generated by csr on
another system?
I've asked for and they've provided a zip with several files, including:
cert-req.txt
pfx-password.txt
star_company_com.cer
star_company_com.jks
star_company_com.crt
star_company_com.pfx
They want me to tie the cert to their SSL web server, their non-SSL web
server and FTP (those are already secured with a soon-to-expire cert)
Blessings
TomH
-----Original Message-----
From: MIDRANGE-L <midrange-l-bounces@xxxxxxxxxxxxxxxxxx> On Behalf Of Jacob
Banda
Sent: Monday, March 1, 2021 5:32 PM
To: midrange-l@xxxxxxxxxxxxxxxxxx
Subject: Re: How do I import .crt certificate that was generated by csr on
another system?
I THINK this is what you're looking for:
https://www.ibm.com/support/pages/how-import-certificates-p12-or-pfx-extensi
ons
First question: is the file password protected?
Second question: did they give you the private key?
Third question: what exactly does your netadmin mean by "tie it to their
secure website"? Are you hosting a webserver on your 400 for employee
access?
What Brad mentioned is how I've done it as well. But the details of what
exactly they gave you will help a bit more. Typically if you're going to
import SSL certificates, you'll import the whole chain including the private
key bundled in the PKCS12 format (which should be password protected). Since
you didn't generate the CSR, you don't have the private key on your 400, and
hence you can't use just the wildcard public certificate for enabling SSL on
your 400 apps. You'd need the private key from the machine that generated
the CSR as well.
The only other alternative I can think of is that they intended to give you
the Signer (Root) Certificate of their wildcard cert, so that way you could
import it in DCM and then your 400 would trust their site(s).
Have you tried double clicking the file on a Windows machine to see what
metadata comes back, or opening it in notepad?
-----------------------------------------
Jacob Banda
-----------------------------------------
------------------------------
Subject: Digest Footer
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) digest list
To post a message email: MIDRANGE-L@xxxxxxxxxxxxxxxxxx To subscribe,
unsubscribe, or change list options,
visit:
https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives at
https://archive.midrange.com/midrange-l.
Please contact support@xxxxxxxxxxxxxxxxxxxx for any subscription related
questions.
Help support midrange.com by shopping at amazon.com with our affiliate
link:
https://amazon.midrange.com
------------------------------
End of MIDRANGE-L Digest, Vol 20, Issue 331
*******************************************
midrange.com
