Probably need to clarify what the bundle is being used for.  I always install the bundle as-is when I install or renew the certificate.  But, it may be that the bundle is being misused when it comes to importing a new CA certificate. I can't remember how I installed the LetsEncrypt CA certificate a few years back.  But it was a one-time thing and I probably just downloaded the CA cert itself and installed it. But I always use the bundle for the SSL certificate when it is renewed by LetEncrypt and it hasn't caused me any heartburn.

Having the DCM parse the certificate bundle and find the CA cert, and the intermediate certificate (if needed), when installing the new CA would be a plus, but you only need to do that once.  Or, are you advocating for a "one stop shopping" experience so you can just import the bundle and if it needs the CA and intermediate certificates to be imported at the same time, to then install the CA and intermediates as well if they don't already exist?

Jon's issue was that he was using a CA that DCM didn't recognize so he needed the CA certificate and the intermediate in order to import the SSL certificate.  But, when he renews, he shouldn't have to install a CA certificate unless the CA is bought and sold again....

Pete Helgren
GIAC Secure Software Programmer-Java
Twitter - Sys_i_Geek IBM_i_Geek

On 6/6/2019 4:08 PM, Mark Waterbury wrote:
Hi, Jon, and Brad, ...

I have been following this thread with great interest.

Someone really should open an RFE to get IBM to "fix" the DCM so that it can recognize those "bundle" files.

I think EVERYONE will vote for THAT RFE!  :D

Just saying ...

All the best,

Mark S. Waterbury

On Thursday, June 6, 2019, 4:43:06 PM EDT, Jon Paris <> wrote:
I think it could use a small update Brad for two reasons.  It comes right at the end and frankly I never saw it.  Secondly in my case I would still have had an error as the bundle had the in the opposite order. i.e. I needed to import that last one first.  The note also doesn't mention that there may be more than one cert in the file and they need splitting up.  The earlier parts I did find very useful.

And Filezilla is way easier than manual FTP <grin>

Jon Paris

On Jun 6, 2019, at 9:07 AM, B Stone <bvstone@xxxxxxxxx> wrote:

On Thu, Jun 6, 2019 at 7:39 AM Jon Paris <> wrote:

The answer was simply to copy/paste the individual cert text into separate
files - one for each CA and apply those  in the correct order. i.e. Sectigo
last.lla is way easier than manual FTP <grin>

Yes, the SSL docs that I pointed to should have shown that.  If not, I need
to update it.  :)  You need to import from top to bottom in that order.
This is the Web Enabling the IBM i (AS/400 and iSeries) (WEB400) mailing list
To post a message email: WEB400@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
or email: WEB400-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives

As an Amazon Associate we earn from qualifying purchases.

This thread ...


Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2022 by and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.