× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  1.  Home
  2. WEB400
  3. June 2019

Re: Wrestling with SSL Cert

If I go to https://systemideveloper.com then chrome says the site is secure, and lists the cert as being issued by Sectigo RSA. If I just go to systemideveloper.com then I get a plain http page that isn't marked as secure.

-----Original Message-----
From: WEB400 [mailto:web400-bounces@xxxxxxxxxxxxxxxxxx] On Behalf Of Jon Paris
Sent: Wednesday, June 05, 2019 11:11 AM
To: Web Enabling the IBM i (AS/400 and iSeries)
Subject: Re: [WEB400] Wrestling with SSL Cert

Follow up to the follow up!

Just decided to try a "clean" browser (new copy of Opera) and tried the site.

On the little "security globe" if I click it it says that the site is unsafe - but then goes on to tell me that the three certs in the tree are all valid - and gives me no hint why it isn't trusted.

Any ideas?


Jon Paris

www.partner400.com
www.SystemiDeveloper.com

On Jun 5, 2019, at 11:07 AM, B Stone <bvstone@xxxxxxxxx> wrote:

If you're having issues exporting CAs from a certificate, check out
this link and the section on doing just that:

https://docs.bvstools.com/home/ssl-documentation

On Wed, Jun 5, 2019 at 9:28 AM Jon Paris <jon.paris@xxxxxxxxxxxxxx> wrote:

Thanks for the link Pete - I was wondering how the heck to check.

There are two certs in the bundle and these are the details.

It would seem that the issue is that although some of the
correspondence said Comodo the cert is associated with their new name Sectigo.

So that explains why they are not active as a CA in the store - but
that doeswn'rt explain why the DCM errors out when I try to add them as a CA.

I understand the basics behind all this - but surely IBM could make
it easier than this!

Just don't know what to try next.


Jon Paris

www.partner400.com
www.SystemiDeveloper.com

On Jun 4, 2019, at 8:50 PM, Pete Helgren <pete@xxxxxxxxxx> wrote:

If you generated a CSR and they issued the certificate then I don't
think you need to go through the whole thing again. I use LetEncrypt
and have renewed multiple times using the same CSR so that has just
been my experience. You can generate a new CSR every time if you
want to. When I request a new certificate from Comodo, I used the
same CSR as well. But, starting with a new CSR shouldn't be any different.....

I don't quite understand why your certificate is failing. If you
had
Comodo before, the CA for Comodo should be in the certificate store.
You may want to open the bundle and then copy the certificate and
paste it into https://www.sslshopper.com/certificate-decoder.html and
see what it shows as the CA and the details of the certificate.
SSLShopper has a bunch of tools to figure out what is going on with
certificates. You can also check your CSR there. But, I doubt the
issue is with the CSR because Comodo wouldn't have signed it
otherwise. Maybe NameCheap as the intermediate is the issue and yes, use the entire bundle as your certificate to import.

Push come to shove, you can email NameCheap and explain the situation.
They might let you re-generate the CSR and request a new cert. But,
it just seems strange to me that you can't renew the certificate.
Not a lot of moving parts to break here......

Pete Helgren
www.petesworkshop.com
GIAC Secure Software Programmer-Java Twitter - Sys_i_Geek
IBM_i_Geek

On 6/4/2019 5:32 PM, Jon Paris wrote:
And if they have already issued a cert that I can't use they will
just
re-issue?

And it may take seconds when you know what you are doing but ....


Jon Paris

www.partner400.com
www.SystemiDeveloper.com

On Jun 4, 2019, at 6:21 PM, B Stone <bvstone@xxxxxxxxx> wrote:

Takes literally seconds. Not a huge deal. :)

Namecheap will send you the cert, which you can export the CAs from.
Of
course you need to do a little domain ownership verification first.


Bradley V. Stone
www.bvstools.com
MAILTOOL Benefit #19 <https://www.bvstools.com/mailtool.html>: The
ability
to turn off "Strict SSL" settings. This means no importing
Certificate Authorities (CAs) unless you want to.

On Tue, Jun 4, 2019 at 5:10 PM Jon Paris
<jon.paris@xxxxxxxxxxxxxx>
wrote:

OK - so I guess to do that I have to start the whole CSR etc. bit
again


Jon Paris

www.partner400.com
www.SystemiDeveloper.com

On Jun 4, 2019, at 4:28 PM, B Stone <bvstone@xxxxxxxxx> wrote:

John,

It's best to simply do a new CSR and import a new certificate
(CAs
first
of
course). Trying to renew using normal methods is a headache on
the
IBM
i.
So I just simply generate a new CSR each time.

On Tue, Jun 4, 2019 at 2:19 PM Jon Paris
<jon.paris@xxxxxxxxxxxxxx>
wrote:
So ....

I already have a cert applied but it is expiring.

Selected to renew it.

Chose to generate a new key pair.

Used the data to request the new key.

Got cert and attempted to apply. Keep getting a message that
there
is
no
such certificate in the store.


Question for those of you who understand all this. Could this
be
caused
because the new cert is not issued by the same authority as the
previous
one? Original was from Comodo - new one from NameCheap - but
the underlying ceret is still from Comodo.

If that is the case, can I still use the certificate that I
have
for a
new
entry?


Jon Paris

www.partner400.com
www.SystemiDeveloper.com

--
This is the Web Enabling the IBM i (AS/400 and iSeries)
(WEB400)
mailing
list
To post a message email: WEB400@xxxxxxxxxxxxxxxxxx To
subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/web400
or email: WEB400-request@xxxxxxxxxxxxxxxxxx Before posting,
please take a moment to review the archives at
https://archive.midrange.com/web400.


--
This is the Web Enabling the IBM i (AS/400 and iSeries) (WEB400)
mailing
list
To post a message email: WEB400@xxxxxxxxxxxxxxxxxx To subscribe,
unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/web400
or email: WEB400-request@xxxxxxxxxxxxxxxxxx Before posting,
please take a moment to review the archives at
https://archive.midrange.com/web400.

--
This is the Web Enabling the IBM i (AS/400 and iSeries) (WEB400)
mailing
list
To post a message email: WEB400@xxxxxxxxxxxxxxxxxx To subscribe,
unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/web400
or email: WEB400-request@xxxxxxxxxxxxxxxxxx Before posting,
please take a moment to review the archives at
https://archive.midrange.com/web400.


--
This is the Web Enabling the IBM i (AS/400 and iSeries) (WEB400)
mailing list
To post a message email: WEB400@xxxxxxxxxxxxxxxxxx To subscribe,
unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/web400
or email: WEB400-request@xxxxxxxxxxxxxxxxxx Before posting, please
take a moment to review the archives at
https://archive.midrange.com/web400.

--
This is the Web Enabling the IBM i (AS/400 and iSeries) (WEB400)
mailing
list
To post a message email: WEB400@xxxxxxxxxxxxxxxxxx To subscribe,
unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/web400
or email: WEB400-request@xxxxxxxxxxxxxxxxxx Before posting, please
take a moment to review the archives at
https://archive.midrange.com/web400.


--
This is the Web Enabling the IBM i (AS/400 and iSeries) (WEB400)
mailing list To post a message email: WEB400@xxxxxxxxxxxxxxxxxx To
subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/web400
or email: WEB400-request@xxxxxxxxxxxxxxxxxx Before posting, please
take a moment to review the archives at
https://archive.midrange.com/web400.


--
This is the Web Enabling the IBM i (AS/400 and iSeries) (WEB400)
mailing list To post a message email: WEB400@xxxxxxxxxxxxxxxxxx To
subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/web400
or email: WEB400-request@xxxxxxxxxxxxxxxxxx Before posting, please
take a moment to review the archives at
https://archive.midrange.com/web400.


--
This is the Web Enabling the IBM i (AS/400 and iSeries) (WEB400) mailing list To post a message email: WEB400@xxxxxxxxxxxxxxxxxx To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/web400
or email: WEB400-request@xxxxxxxxxxxxxxxxxx Before posting, please take a moment to review the archives at https://archive.midrange.com/web400.



[https://www.medtronsoftware.com/img/MedtronMinilogo.bmp] Kevin Bucknum
Senior Programmer Analyst
MEDDATA / MEDTRON
120 Innwood Drive
Covington LA 70433
Local: 985-893-2550
Toll Free: 877-893-2550
https://www.medtronsoftware.com



CONFIDENTIALITY NOTICE

This document and any accompanying this email transmission contain confidential information, belonging to the sender that is legally privileged. This information is intended only for the use of the individual or entity named above. The authorized recipient of this information is prohibited from disclosing this information to any other party and is required to destroy the information after its stated need has been fulfilled. If you are not the intended recipient, or the employee of agent responsible to deliver it to the intended recipient, you are hereby notified that any disclosure, copying, distribution or action taken in reliance on the contents of these documents is STRICTLY PROHIBITED. If you have received this email in error, please notify the sender immediately to arrange for return or destruction of these documents.

As an Amazon Associate we earn from qualifying purchases.

This thread ...
Follow-Ups:
Replies:
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.