Follow up to the follow up!

Just decided to try a "clean" browser (new copy of Opera) and tried the site.

On the little "security globe" if I click it it says that the site is unsafe - but then goes on to tell me that the three certs in the tree are all valid - and gives me no hint why it isn't trusted.

Any ideas?


Jon Paris

www.partner400.com
www.SystemiDeveloper.com

On Jun 5, 2019, at 11:07 AM, B Stone <bvstone@xxxxxxxxx> wrote:

If you're having issues exporting CAs from a certificate, check out this
link and the section on doing just that:

https://docs.bvstools.com/home/ssl-documentation

On Wed, Jun 5, 2019 at 9:28 AM Jon Paris <jon.paris@xxxxxxxxxxxxxx> wrote:

Thanks for the link Pete - I was wondering how the heck to check.

There are two certs in the bundle and these are the details.

It would seem that the issue is that although some of the correspondence
said Comodo the cert is associated with their new name Sectigo.

So that explains why they are not active as a CA in the store - but that
doeswn'rt explain why the DCM errors out when I try to add them as a CA.

I understand the basics behind all this - but surely IBM could make it
easier than this!

Just don't know what to try next.


Jon Paris

www.partner400.com
www.SystemiDeveloper.com

On Jun 4, 2019, at 8:50 PM, Pete Helgren <pete@xxxxxxxxxx> wrote:

If you generated a CSR and they issued the certificate then I don't
think you need to go through the whole thing again. I use LetEncrypt and
have renewed multiple times using the same CSR so that has just been my
experience. You can generate a new CSR every time if you want to. When I
request a new certificate from Comodo, I used the same CSR as well. But,
starting with a new CSR shouldn't be any different.....

I don't quite understand why your certificate is failing. If you had
Comodo before, the CA for Comodo should be in the certificate store. You
may want to open the bundle and then copy the certificate and paste it into
https://www.sslshopper.com/certificate-decoder.html and see what it shows
as the CA and the details of the certificate. SSLShopper has a bunch of
tools to figure out what is going on with certificates. You can also check
your CSR there. But, I doubt the issue is with the CSR because Comodo
wouldn't have signed it otherwise. Maybe NameCheap as the intermediate is
the issue and yes, use the entire bundle as your certificate to import.

Push come to shove, you can email NameCheap and explain the situation.
They might let you re-generate the CSR and request a new cert. But, it
just seems strange to me that you can't renew the certificate. Not a lot
of moving parts to break here......

Pete Helgren
www.petesworkshop.com
GIAC Secure Software Programmer-Java
Twitter - Sys_i_Geek IBM_i_Geek

On 6/4/2019 5:32 PM, Jon Paris wrote:
And if they have already issued a cert that I can't use they will just
re-issue?

And it may take seconds when you know what you are doing but ....


Jon Paris

www.partner400.com
www.SystemiDeveloper.com

On Jun 4, 2019, at 6:21 PM, B Stone <bvstone@xxxxxxxxx> wrote:

Takes literally seconds. Not a huge deal. :)

Namecheap will send you the cert, which you can export the CAs from.
Of
course you need to do a little domain ownership verification first.


Bradley V. Stone
www.bvstools.com
MAILTOOL Benefit #19 <https://www.bvstools.com/mailtool.html>: The
ability
to turn off "Strict SSL" settings. This means no importing Certificate
Authorities (CAs) unless you want to.

On Tue, Jun 4, 2019 at 5:10 PM Jon Paris <jon.paris@xxxxxxxxxxxxxx>
wrote:

OK - so I guess to do that I have to start the whole CSR etc. bit
again


Jon Paris

www.partner400.com
www.SystemiDeveloper.com

On Jun 4, 2019, at 4:28 PM, B Stone <bvstone@xxxxxxxxx> wrote:

John,

It's best to simply do a new CSR and import a new certificate (CAs
first
of
course). Trying to renew using normal methods is a headache on the
IBM
i.
So I just simply generate a new CSR each time.

On Tue, Jun 4, 2019 at 2:19 PM Jon Paris <jon.paris@xxxxxxxxxxxxxx>
wrote:
So ....

I already have a cert applied but it is expiring.

Selected to renew it.

Chose to generate a new key pair.

Used the data to request the new key.

Got cert and attempted to apply. Keep getting a message that there
is
no
such certificate in the store.


Question for those of you who understand all this. Could this be
caused
because the new cert is not issued by the same authority as the
previous
one? Original was from Comodo - new one from NameCheap - but the
underlying ceret is still from Comodo.

If that is the case, can I still use the certificate that I have
for a
new
entry?


Jon Paris

www.partner400.com
www.SystemiDeveloper.com

--
This is the Web Enabling the IBM i (AS/400 and iSeries) (WEB400)
mailing
list
To post a message email: WEB400@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/web400
or email: WEB400-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/web400.


--
This is the Web Enabling the IBM i (AS/400 and iSeries) (WEB400)
mailing
list
To post a message email: WEB400@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/web400
or email: WEB400-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/web400.

--
This is the Web Enabling the IBM i (AS/400 and iSeries) (WEB400)
mailing
list
To post a message email: WEB400@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/web400
or email: WEB400-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/web400.


--
This is the Web Enabling the IBM i (AS/400 and iSeries) (WEB400)
mailing list
To post a message email: WEB400@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/web400
or email: WEB400-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/web400.

--
This is the Web Enabling the IBM i (AS/400 and iSeries) (WEB400) mailing
list
To post a message email: WEB400@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/web400
or email: WEB400-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/web400.


--
This is the Web Enabling the IBM i (AS/400 and iSeries) (WEB400) mailing
list
To post a message email: WEB400@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/web400
or email: WEB400-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/web400.


--
This is the Web Enabling the IBM i (AS/400 and iSeries) (WEB400) mailing list
To post a message email: WEB400@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/web400
or email: WEB400-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/web400.



As an Amazon Associate we earn from qualifying purchases.

This thread ...

Follow-Ups:
Replies:

Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2022 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.