|
On May 8, 2023, at 11:54 AM, Pete Helgren <pete@xxxxxxxxxx> wrote:
Brad/Jon,
I use LetsEncrypt but it really isn't any different that any other CA. The first time I tried to use LetsEncrypt, I had to install the CA root. It's a corner case for IBM since I am guessing they made sure that the CA Roots for common CA's (paid) were there. But IIRC, Tom Haze asked about and the last I looked, it was included with all the other CA Roots.
So let's back up a second. My assumption was that IBM provided a list of common CA Roots and Intermediates. But, at least here: https://www.ibm.com/docs/en/ssw_ibm_i_73/pdf/rzahupdf.pdf in the "What's new in 7.3" section, IBM specifically says it doesn't. Whether it persisted into 7.4 (no reference) or 7.5 (no reference) I don't know. However, on the Certificates page in DCM, filtering for "Certificate Authority", there is an option to "Populate with CA's" and the Root for LetsEncrypt is in there along with a list of many other CA's.
LetsEncrypt has this chain of trust:
Issued certificate (eg the domain you are securing) signed by R3, Let's Encrypt
Let’s Encrypt R3 signed by ISRG Root X1, Internet Security Research Group
ISRG Root X1 signed by DST Root CA X3, Digital Signature Trust Co.
ISRG Root X1 is cross signed so that might be why the DST Root CA X3 isn't present in DCM. I can tell you that all three certs, in the correct order, are in the .pem file that is imported into DCM. I have never needed to individually import the certs, just always pull in the whole thing.
It's possible that you are using a CA that is new to DCM and if so, you'd either need to use "Populate" option if it's in the list or manually import them. But it's a one-time thing. If you use the same CA, you only need to do that once and having all certs in the file that is imported after that point in time hasn't caused me any heartburn. But I like to keep things simple and cheap, so I reuse my CSR's and use LetsEncrypt as my CA. Like I said, been working for years.
Pete Helgren
www.petesworkshop.com
GIAC Secure Software Programmer-Java
GIAC Cloud Penetration Tester
AWS Certified Cloud Practitioner
Microsoft Certified: Azure Fundamentals
On 5/8/2023 9:40 AM, Brad Stone wrote:
Well, he did say most of the CAs were already there, so maybe that's the--
case. I know the last certs I've imported the CAs were already there so no
importing of CAs required and the "bundle" imported just fine. :)
On Mon, May 8, 2023 at 9:27 AM Jon Paris <jon.paris@xxxxxxxxxxxxxx> wrote:
Agreed - in fact it errors out if you try.
But then I have no idea how Pete gets it to accept a bundle file in the
first place. It ust rejects it for me.
Jon P.
On May 7, 2023, at 10:34 PM, Brad Stone <bvstone@xxxxxxxxx> wrote:aren't
Using DCM? I've never been able to import a server cert if the CAs
already there.occasions.....
On Sun, May 7, 2023 at 7:43 PM Pete Helgren <pete@xxxxxxxxxx> wrote:
Interesting....I just import the bundle, remembering the "bundle" is the
cert plus the intermediates (three certs in my case). The LetsEncrypt
CA root is already present (most CA roots are already in DCM).
I always just use the same csr since it only needs to be created once,
unless your server key changes, or the key length is changed....most of
my csr's haven't changed in years.
The only place I got tripped up in the past when when I imported and
forgot to choose "Server or Client" and "Automatically renewed
certificate". But I have fully automated the LetsEncrypt renewals with
DCM now so I don't have to do a manual import except in rare
listPete Helgren--
www.petesworkshop.com
GIAC Secure Software Programmer-Java
GIAC Cloud Penetration Tester
AWS Certified Cloud Practitioner
Microsoft Certified: Azure Fundamentals
On 5/7/2023 3:53 PM, Jon Paris wrote:
OK - I just used copy/paste to create the individual certs.--
Thanks for the help it is all working now.
Jon P.
This is the Web Enabling the IBM i (AS/400 and iSeries) (WEB400) mailing
list
To post a message email: WEB400@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/web400
or email: WEB400-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/web400.
This is the Web Enabling the IBM i (AS/400 and iSeries) (WEB400) mailing
To post a message email: WEB400@xxxxxxxxxxxxxxxxxx--
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/web400
or email: WEB400-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/web400.
This is the Web Enabling the IBM i (AS/400 and iSeries) (WEB400) mailing
list
To post a message email: WEB400@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/web400
or email: WEB400-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/web400.
This is the Web Enabling the IBM i (AS/400 and iSeries) (WEB400) mailing list
To post a message email: WEB400@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/web400
or email: WEB400-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/web400.
As an Amazon Associate we earn from qualifying purchases.
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.
midrange.com
