× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  1.  Home
  2. WEB400
  3. June 2019

Re: Wrestling with SSL Cert

Apologies for this being out of sequence - previous version rejected by the list. Oh how I wish the list would let me specify alternate emails!

Continuing the saga ...

According to the IBM site (and folks here) I probably needed to add the CA to the store.

The instructions say to Import the CA Certificate - which I did by using the bundle file I was sent (I assume that is the right file) but I get an error message saying "An error occurred during certificate validation. The issuer of the certificate may not be in the certificate store or the issuer may not be enabled." well adding them to the store was what I was trying to do so this error makes no sense to me.

What the heck am I doing wrong here?


Jon Paris

www.partner400.com
www.SystemiDeveloper.com

On Jun 5, 2019, at 10:28 AM, Jon Paris <jon.paris@xxxxxxxxxxxxxx> wrote:

Thanks for the link Pete - I was wondering how the heck to check.

There are two certs in the bundle and these are the details.

It would seem that the issue is that although some of the correspondence said Comodo the cert is associated with their new name Sectigo.

So that explains why they are not active as a CA in the store - but that doeswn'rt explain why the DCM errors out when I try to add them as a CA.

I understand the basics behind all this - but surely IBM could make it easier than this!

Just don't know what to try next.


Jon Paris

www.partner400.com
www.SystemiDeveloper.com

On Jun 4, 2019, at 8:50 PM, Pete Helgren <pete@xxxxxxxxxx> wrote:

If you generated a CSR and they issued the certificate then I don't think you need to go through the whole thing again. I use LetEncrypt and have renewed multiple times using the same CSR so that has just been my experience. You can generate a new CSR every time if you want to. When I request a new certificate from Comodo, I used the same CSR as well. But, starting with a new CSR shouldn't be any different.....

I don't quite understand why your certificate is failing. If you had Comodo before, the CA for Comodo should be in the certificate store. You may want to open the bundle and then copy the certificate and paste it into https://www.sslshopper.com/certificate-decoder.html and see what it shows as the CA and the details of the certificate. SSLShopper has a bunch of tools to figure out what is going on with certificates. You can also check your CSR there. But, I doubt the issue is with the CSR because Comodo wouldn't have signed it otherwise. Maybe NameCheap as the intermediate is the issue and yes, use the entire bundle as your certificate to import.

Push come to shove, you can email NameCheap and explain the situation. They might let you re-generate the CSR and request a new cert. But, it just seems strange to me that you can't renew the certificate. Not a lot of moving parts to break here......

Pete Helgren
www.petesworkshop.com
GIAC Secure Software Programmer-Java
Twitter - Sys_i_Geek IBM_i_Geek

On 6/4/2019 5:32 PM, Jon Paris wrote:
And if they have already issued a cert that I can't use they will just re-issue?

And it may take seconds when you know what you are doing but ....


Jon Paris

www.partner400.com
www.SystemiDeveloper.com

On Jun 4, 2019, at 6:21 PM, B Stone <bvstone@xxxxxxxxx> wrote:

Takes literally seconds. Not a huge deal. :)

Namecheap will send you the cert, which you can export the CAs from. Of
course you need to do a little domain ownership verification first.


Bradley V. Stone
www.bvstools.com
MAILTOOL Benefit #19 <https://www.bvstools.com/mailtool.html>: The ability
to turn off "Strict SSL" settings. This means no importing Certificate
Authorities (CAs) unless you want to.

On Tue, Jun 4, 2019 at 5:10 PM Jon Paris <jon.paris@xxxxxxxxxxxxxx> wrote:

OK - so I guess to do that I have to start the whole CSR etc. bit again


Jon Paris

www.partner400.com
www.SystemiDeveloper.com

On Jun 4, 2019, at 4:28 PM, B Stone <bvstone@xxxxxxxxx> wrote:

John,

It's best to simply do a new CSR and import a new certificate (CAs first
of
course). Trying to renew using normal methods is a headache on the IBM
i.
So I just simply generate a new CSR each time.

On Tue, Jun 4, 2019 at 2:19 PM Jon Paris <jon.paris@xxxxxxxxxxxxxx>
wrote:
So ....

I already have a cert applied but it is expiring.

Selected to renew it.

Chose to generate a new key pair.

Used the data to request the new key.

Got cert and attempted to apply. Keep getting a message that there is
no
such certificate in the store.


Question for those of you who understand all this. Could this be caused
because the new cert is not issued by the same authority as the previous
one? Original was from Comodo - new one from NameCheap - but the
underlying ceret is still from Comodo.

If that is the case, can I still use the certificate that I have for a
new
entry?


Jon Paris

www.partner400.com
www.SystemiDeveloper.com

--
This is the Web Enabling the IBM i (AS/400 and iSeries) (WEB400) mailing
list
To post a message email: WEB400@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/web400
or email: WEB400-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/web400.


--
This is the Web Enabling the IBM i (AS/400 and iSeries) (WEB400) mailing
list
To post a message email: WEB400@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/web400
or email: WEB400-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/web400.

--
This is the Web Enabling the IBM i (AS/400 and iSeries) (WEB400) mailing
list
To post a message email: WEB400@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/web400
or email: WEB400-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/web400.


--
This is the Web Enabling the IBM i (AS/400 and iSeries) (WEB400) mailing list
To post a message email: WEB400@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/web400
or email: WEB400-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/web400.

--
This is the Web Enabling the IBM i (AS/400 and iSeries) (WEB400) mailing list
To post a message email: WEB400@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/web400
or email: WEB400-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/web400.




As an Amazon Associate we earn from qualifying purchases.

This thread ...
Replies:
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.