My guess is that at some point, maybe already, IBM will have the LE roots installed and maintained by them as they do other well-known CA roots.
So, if the renewal is "automatic" and you FTP back to IBM i, then all you need to do is to point to the IFS location and use "renew" manually in the old DCM. At some point, I am going to get the DCM API working and will share the implementation, as well as use it in my servlet and update Jesse's repo. Then you might be able to leverage it in a script to automate the whole tamale.
In my particular case, I have a few wildcard certs so have to use the DNS-01 Challenge type to renew. I have automated that step of generating the TXT record in GoDaddy as well. Just need to get that "import/renew" feature of the DCM API figured out.
You said: "I just need the IBM i to accept the new cert from within the FTP client." I am not sure what your expectation is with that statement. There are only two ways I can think of to get a new certificate updated in DCM: The manual method of using the DCM UI to select and import the file. Or, using the DCM API to directly import the file (which I am try to get to work). How are you updating DCM currently?
GIAC Secure Software Programmer-Java
AWS Certified Cloud Practitioner
Microsoft Certified: Azure Fundamentals
Twitter - Sys_i_Geek IBM_i_Geek
On 4/5/2022 8:58 AM, Greg Wilburn wrote:
The CA I'm working with is Let's Encrypt!
Just to be clear... this is for the IBM i as the CLIENT, not the server.
Our external FTP server is hosted somewhere in the fog (I mean cloud), and is using Let's Encrypt to auto-renew the certificate before it expires every 90 days (it has yet to work). I just need the IBM i to accept the new cert from within the FTP client.
I have the root certificates installed and enabled, but they expire in 2025.
As an Amazon Associate we earn from qualifying purchases.
Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.