Part of my issues could have been solved by simple changes to the documentation. Nowhere that I saw did it ever mention the notion that there might be more than one certificate involved. Nor anywhere in IBM's docs did it ever suggest to use a URL such as the one Pete gave me that allows you to view the content on the certificate file. Until I saw "inside" the bundle and found the two different certs it never occurred to me that this might be the case. Despite having probably a better than average idea of what certs etc. were all about, I was not technically literate on the mechanics and details such as intermediate certs, so never thought of that as a potential issue.

I think the problem in part, as with much of IBM's docs in this and the Open Source area, is that they are fine if you already know the answers and potential questions. If you don't, they only work if you have the most straightforward of situations and don't encounter any errors. Lord help you if you have an error because there are no explanations and no indication as to what logs might contain helpful information.

In my particular scenario, the situation was complicated by the fact that we had previously used Comodo, and although it occurred to me that their name change meant that the root Comodo cert was probably not of any use, it would never have occurred to me to consider that they had also changed the intermediate cert that they used. Only seeing it via "Pete's viewer" was I able to spot that neither name appeared in my CA list.

I might follow up on Mark's suggestion re an RFE if for no other reason than to suggest that IBM could at least report that they found more than one cert in the file and can't handle it - rather than just give a meaningless error message as they do now.


Jon Paris

www.partner400.com
www.SystemiDeveloper.com

On Jun 6, 2019, at 5:22 PM, Pete Helgren <pete@xxxxxxxxxx> wrote:

Probably need to clarify what the bundle is being used for. I always install the bundle as-is when I install or renew the certificate. But, it may be that the bundle is being misused when it comes to importing a new CA certificate. I can't remember how I installed the LetsEncrypt CA certificate a few years back. But it was a one-time thing and I probably just downloaded the CA cert itself and installed it. But I always use the bundle for the SSL certificate when it is renewed by LetsEncrypt and it hasn't caused me any heartburn.

Having the DCM parse the certificate bundle and find the CA cert, and the intermediate certificate (if needed), when installing the new CA would be a plus, but you only need to do that once. Or, are you advocating for a "one stop shopping" experience so you can just import the bundle and if it needs the CA and intermediate certificates to be imported at the same time, to then install the CA and intermediates as well if they don't already exist?

Jon's issue was that he was using a CA that DCM didn't recognize so he needed the CA certificate and the intermediate in order to import the SSL certificate. But, when he renews, he shouldn't have to install a CA certificate unless the CA is bought and sold again....

Pete Helgren
www.petesworkshop.com
GIAC Secure Software Programmer-Java
Twitter - Sys_i_Geek IBM_i_Geek

On 6/6/2019 4:08 PM, Mark Waterbury wrote:
Hi, Jon, and Brad, ...

I have been following this thread with great interest.

Someone really should open an RFE to get IBM to "fix" the DCM so that it can recognize those "bundle" files.

I think EVERYONE will vote for THAT RFE! :D


Just saying ...

All the best,

Mark S. Waterbury

On Thursday, June 6, 2019, 4:43:06 PM EDT, Jon Paris <jon.paris@xxxxxxxxxxxxxx> wrote:
I think it could use a small update, Brad, for two reasons. It comes right at the end and frankly I never saw it. Secondly, in my case I would still have had an error as the bundle had them in the opposite order, i.e. I needed to import that last one first. The note also doesn't mention that there may be more than one cert in the file and they need splitting up. The earlier parts I did find very useful.

And Filezilla is way easier than manual FTP <grin>

Jon Paris

www.partner400.com
www.SystemiDeveloper.com

On Jun 6, 2019, at 9:07 AM, B Stone <bvstone@xxxxxxxxx> wrote:

On Thu, Jun 6, 2019 at 7:39 AM Jon Paris <jon.paris@xxxxxxxxxxxxxx> wrote:

The answer was simply to copy/paste the individual cert text into separate
files - one for each CA and apply those in the correct order. i.e. Sectigo
last. Filezilla is way easier than manual FTP <grin>

Yes, the SSL docs that I pointed to should have shown that. If not, I need
to update it. :) You need to import from top to bottom in that order.
--
This is the Web Enabling the IBM i (AS/400 and iSeries) (WEB400) mailing list
To post a message email: WEB400@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/web400
or email: WEB400-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/web400.

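The fix the thread arrives at, splitting the bundle into one certificate per file and importing each issuer before what it signed, as an added Python example that is not from the list, from Pete's viewer, or from IBM's DCM: it splits a PEM bundle into its certificates, reads each one's issuer and subject with a minimal DER walker, and reorders the chain root first. The `fake_cert`, `der` and `to_pem` helpers, the sample bundle, and the "Example Root" / "Example Intermediate" names are constructed for this example and are not real certificates.

```python
import base64, re, textwrap
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def split_bundle(pem_text):
    """DER bytes of every CERTIFICATE block, in the order they appear in the bundle file."""
    return [base64.b64decode(b) for b in PEM_RE.findall(pem_text)]

def elements(buf, start, end):
    """Minimal DER walker: yield (tag, elem_start, value_start, elem_end) for buf[start:end]."""
    pos = start
    while pos < end:
        tag, ln, vs = buf[pos], buf[pos + 1], pos + 2
        if ln & 0x80:  # long-form length: low bits give the number of length octets that follow
            ln, vs = int.from_bytes(buf[vs:vs + (ln & 0x7F)], "big"), vs + (ln & 0x7F)
        yield tag, pos, vs, vs + ln
        pos = vs + ln

def names(cert):
    """Raw DER of the issuer and subject Name fields of one X.509 certificate."""
    _, _, vs, ve = next(elements(cert, 0, len(cert)))  # Certificate SEQUENCE
    _, _, vs, ve = next(elements(cert, vs, ve))        # tbsCertificate
    fields = list(elements(cert, vs, ve))
    fields = fields[fields[0][0] == 0xA0:]             # drop the optional explicit [0] version if present
    (_, i0, _, i1), (_, s0, _, s1) = fields[2], fields[4]  # serial, sigAlg, issuer, validity, subject
    return cert[i0:i1], cert[s0:s1]

def order_root_first(certs):
    """Reorder DER certs so each issuer precedes what it signed: root first, end-entity last."""
    info = [(c,) + names(c) for c in certs]
    subjects = {sub for _, _, sub in info}
    chain = [c for c, iss, sub in info if iss == sub or iss not in subjects]  # self-signed or topmost
    if len(chain) != 1:
        raise ValueError("bundle does not contain exactly one chain head")
    while len(chain) < len(certs):
        nxt = [c for c, iss, _ in info if iss == names(chain[-1])[1] and c not in chain]
        if not nxt:
            raise ValueError("broken chain: nothing is issued by the previous certificate")
        chain.append(nxt[0])
    return chain
# --- constructed sample data: unsigned X.509 shells, NOT real certificates; only the bundle shape matters
der = lambda tag, body: bytes([tag] + ([len(body)] if len(body) < 0x80 else [0x81, len(body)])) + body
def fake_cert(subject, issuer):
    name = lambda cn: der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0C, cn.encode()))))
    alg = der(0x30, der(0x06, b"\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B"))  # sha256WithRSAEncryption
    tbs = der(0x30, der(0x02, b"\x01") + alg + name(issuer) + der(0x30, der(0x17, b"190606000000Z") * 2)
              + name(subject) + der(0x30, b""))
    return der(0x30, tbs + alg + der(0x03, b"\x00"))
to_pem = lambda c: "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % "\n".join(textwrap.wrap(base64.b64encode(c).decode(), 64))
# The intermediate is listed before the root, the ordering that tripped the import in the thread
SAMPLE_BUNDLE = to_pem(fake_cert("Example Intermediate", "Example Root")) + to_pem(fake_cert("Example Root", "Example Root"))
```

Writing each element of `order_root_first(split_bundle(bundle_text))` through `to_pem` into its own numbered file gives the import order DCM needs; with a real bundle the same walker also exposes an issuer name that is missing from the CA list, which is what the Comodo-to-Sectigo rename hid.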
