Thanks Pete... they were installed but not "checked".
As soon as I "checked" them, the cert worked.
I was more-or-less referring to when those to certificates in the chain expire in 5 years. I'm guessing the renewal process is manual?
-----Original Message-----
From: MIDRANGE-L <midrange-l-bounces@xxxxxxxxxxxxxxxxxx> On Behalf Of Pete Helgren
Sent: Thursday, April 7, 2022 11:29 AM
To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxxxxxxxx>
Subject: Re: CA Certificates
Greg,
My experience was that the LetsEncrypt certificate chain *wasn't*
installed. So, I imported the LetsEncrypt ROOT, which is ISRG Root X1
and the Intermediate R3. You need them both.
I know you are using FTP but if you went to my website
https://www.peteworkshop.com that uses the LetsEncrypt certificate and
examined it. You'd see that *.petesworkshop.com refers to the R3 public
key and the R3 public key refers to the ISRG Root X1. Without both of
those CA certs installed, the HTTP server on IBM i wouldn't be able to
verify that the certificate for *.petesworkshop.com is a valid, trusted
certificate.
So, the same would apply to FTP. Just go to DCM and check to see if
those two certs are properly installed. If they are you *should* be OK
(in theory).
Pete Helgren
www.petesworkshop.com
GIAC Secure Software Programmer-Java
AWS Certified Cloud Practitioner
Microsoft Certified: Azure Fundamentals
Twitter - Sys_i_Geek IBM_i_Geek
On 4/6/2022 3:26 PM, Greg Wilburn wrote:
I am using the IBM i FTP client to connect to an external server for the data transfer.
As far as getting the CA certificates in DCM, I'm not sure how/when we installed this particular CA. We are not installing specific certificate chains... just the CA certificate (which was already on there).
Keep in mind that my understanding here is very limited.
midrange.com
