Re: Installing replacement certs -- WEB400

OK - I just used copy/paste to create the individual certs.

Thanks for the help it is all working now.

Jon P.

On May 7, 2023, at 4:33 PM, Brad Stone <bvstone@xxxxxxxxx> wrote:

You export the CAs from your certificate. Import them from the highest to
lowest, then import the CA. you can't do bundles, correct. That's why you
export the CAs one at a time from the certificate.

On Sun, May 7, 2023 at 2:27 PM Jon Paris <jon.paris@xxxxxxxxxxxxxx> wrote:

There's no mention of a "bundle" there Brad that I can see and it talks to
exporting when I need to import the CAs.

I ended up going back into my notes and finally found what I needed. For
the sake of anyone who picks up this thread in future ...

The IBM DCM won't handle bundles. No idea why. You have to open the
bundle in a text editor and save off the individual certs contained within
it. In my case two files.

You then have to import them in the order of precedence. In my case the
second one had to be imported first, then the first in the bundle. Don't
know if that is standard. Once both had been imported I could import my own
cert and it all worked.

I realized that I had had part of this discussion last year on Midrange
and between what you said and the comments of the time plus my own notes it
all came together.

Sigh ... I long for the day when all this can really be better automated.
Or at least that a few of the cert issuers included IBM i in their
instructions.

Thanks to all - hopefully I'll remember all this next year!

Jon P.

On May 7, 2023, at 2:20 PM, Brad Stone <bvstone@xxxxxxxxx> wrote:

No, Jon. It's all there.

https://docs.bvstools.com/home/ssl-documentation/exporting-certificate-authorities-cas-from-a-website#exporting

Go to the section labeled "*Exporting Each Separate CA"*

On Sun, May 7, 2023 at 12:08 PM Jon Paris <jon.paris@xxxxxxxxxxxxxx>

wrote:

Thanks Brad but it doesn't really help.

I had already done everything up to and including the import. But the
import will not complete because of missing CAs. I _thought_ they were

in

the .bundle file but I can find zero information on how to handle that

file

or indeed get the CAs any other way.

Jon P.

On May 6, 2023, at 5:02 PM, Brad Stone <bvstone@xxxxxxxxx> wrote:

Have DCM create the CSR.

Copy and paste the CSR into the site you're getting the certificate

from.

Once you have the cert, import it and assign it to your application.

You may need to also import a CA or two from the new cert if they're

not

there yet.

I have info here:
https://docs.bvstools.com/home/ssl-documentation

Article on this (needs to be updated to new DCM):

https://drive.google.com/file/d/1VxLX1ku7whPVIyetQLqpAYKE_VUFm4D_/view?usp=sharing

On Sat, May 6, 2023 at 11:17 AM Jon Paris <jon.paris@xxxxxxxxxxxxxx>

wrote:

I thought I had written all this down but ...

My main cert is expiring in a couple of weeks so I set everything up

and

ordered the new certs. So far so good.

I have the .crt uploaded but cannot for the life of me remember how to
deploy the bundle so that I can activate the cert.

I have searched all over the IBM docs but cannot find anything useful.

I am using the new DCM which while much better than the old one is not
exactly intuitive.

Can someone point me to some simple documentation to take me through

this.

Jon P.

--
This is the Web Enabling the IBM i (AS/400 and iSeries) (WEB400)

mailing

list
To post a message email: WEB400@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/web400
or email: WEB400-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/web400.

--
This is the Web Enabling the IBM i (AS/400 and iSeries) (WEB400)

mailing

list

To post a message email: WEB400@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/web400
or email: WEB400-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/web400.

--
This is the Web Enabling the IBM i (AS/400 and iSeries) (WEB400) mailing
list
To post a message email: WEB400@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/web400
or email: WEB400-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/web400.

--
This is the Web Enabling the IBM i (AS/400 and iSeries) (WEB400) mailing

list

To post a message email: WEB400@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/web400
or email: WEB400-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/web400.

--
This is the Web Enabling the IBM i (AS/400 and iSeries) (WEB400) mailing
list
To post a message email: WEB400@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/web400
or email: WEB400-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/web400.

--
This is the Web Enabling the IBM i (AS/400 and iSeries) (WEB400) mailing list
To post a message email: WEB400@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/web400
or email: WEB400-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/web400.