I am pretty sure you can export the CAs from the cert itself. Wildcard may
be a little different. But I bet you had one or two of the same CAs on
your system already that were expired.

There is a section in this document explaining that:
https://docs.bvstools.com/home/ssl-documentation/exporting-certificate-authorities-cas-from-a-website

On Wed, Mar 30, 2022 at 3:27 PM Tom Hightower <tomh@xxxxxxxxxxx> wrote:

I've been trying to assign a .pfx certificate (*.thedomain.com) to the
FTP server and to a web server on the same IBM i (it will be serving a
website). That same certificate is used on various Windows servers, and
another IBM i (which is being deprecated). I have the .pfx imported to the
new IBM i but (was) unable to assign it to the FTP server or to the web
server. I have two expired CA certificates on the new IBM i which (I'm
guessing) need to be updated/deleted.

The network guys gave me another CA certificate (USERTrustRSAAAACA.crt,
which I've imported; not sure where it came from); now I can assign the
.pfx certificate to the FTP and web server.

TomH

-----Original Message-----
From: MIDRANGE-L <midrange-l-bounces@xxxxxxxxxxxxxxxxxx> On Behalf Of Rob
Williams via MIDRANGE-L
Sent: Tuesday, March 29, 2022 11:41 PM
To: midrange-l@xxxxxxxxxxxxxxxxxx
Cc: Rob Williams <qpgmr400@xxxxxxxxxxxxxxx>
Subject: Re: having trouble assigning certificate to app

Tom,

In your original post you said "I have a multi-server certificate that I'm
trying to assign to a web server on the i." Are you really trying to
install a server certificate? Or just a CA Certificate?

Will the IBM I be the web server or will the IBM I be consuming a web
service on another server?

From what I read if you're trying to install a Server Certificate, there
should also be a .key file that goes along with the .crt file. The .key
file is the private key and would be required for a Server Certificate.

If the Network Team only gave you the .crt file, my guess is they are not
asking you to install a Server Certificate. It sounds unusual to install
the same server certificate on multiple systems. (especially different
platform like Windows and IBM i)

I think it would be best to confirm the type of certificate you are trying
to install before any more troubleshooting on the IBM i.

I would also ask the Network Team for the entire certificate chain (ca and
root) with each certificate in a separate file and in a .cer format. This
would be extremely helpful regardless of the answer to the above question.

Rob

------------------------------

message: 3
date: Tue, 29 Mar 2022 22:08:09 +0000
from: Tom Hightower <tomh@xxxxxxxxxxx>
subject: RE: having trouble assigning certificate to app

That could be, I have these two expired:

-USERTrustRSAAddTrustCA.crt expired 5/30/2020 -AddTrustExternalCARoot.crt
expired 5/30/2020

Apparently those have been on our various AS400 -> i systems for *years*.

I'll check with network guys to see if they can provide updated
certificates. If they don't have them, is there somewhere they can be
downloaded?

TomH

-----Original Message-----
From: MIDRANGE-L <midrange-l-bounces@xxxxxxxxxxxxxxxxxx> On Behalf Of Rob
Williams via MIDRANGE-L
Sent: Tuesday, March 29, 2022 9:50 AM
To: midrange-l@xxxxxxxxxxxxxxxxxx
Cc: Rob Williams <qpgmr400@xxxxxxxxxxxxxxx>
Subject: RE: having trouble assigning certificate to app

I have seen that exact message and situation once before and the cause was
one of the CA Certificates (or Root Certificate) in the chain had expired.

You can use the following query to view the certificates in your
certificate store.

SELECT CERTIFICATE_LABEL as CERT_LABEL,
VALIDITY_START, VALIDITY_END,
SUBJECT_COMMON_NAME as SUBJECT_CN,
ISSUER_COMMON_NAME as ISSUER_CN
FROM TABLE(QSYS2.CERTIFICATE_INFO(CERTIFICATE_STORE_PASSWORD=>
'*NOPWD'))

Rob

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list To post a message email: MIDRANGE-L@xxxxxxxxxxxxxxxxxx To subscribe,
unsubscribe, or change list options,
visit:
https://nam12.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.midrange.com%2Fmailman%2Flistinfo%2Fmidrange-l&amp;data=04%7C01%7Ctomh%40idocket.com%7C351a6fd6e2ec46c7c4a508da12077919%7Ccfcc5bb848014360aa721ecceeb7d0b3%7C0%7C0%7C637842120604372933%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&amp;sdata=tIlWMSJ4v%2BJQHrhng%2F3Mzc7Kdz6RtyYtYrHeofQJw9s%3D&amp;reserved=0
or email: MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives at
https://nam12.safelinks.protection.outlook.com/?url=https%3A%2F%2Farchive.midrange.com%2Fmidrange-l&amp;data=04%7C01%7Ctomh%40idocket.com%7C351a6fd6e2ec46c7c4a508da12077919%7Ccfcc5bb848014360aa721ecceeb7d0b3%7C0%7C0%7C637842120604372933%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&amp;sdata=%2B%2B%2BK8GMtjo%2F6BFsmOu6Wg9x22Rc%2FodNzLIk0JQRWiGs%3D&amp;reserved=0
.

Please contact support@xxxxxxxxxxxxxxxxxxxx for any subscription related
questions.

Help support midrange.com by shopping at amazon.com with our affiliate
link:
https://nam12.safelinks.protection.outlook.com/?url=https%3A%2F%2Famazon.midrange.com%2F&amp;data=04%7C01%7Ctomh%40idocket.com%7C351a6fd6e2ec46c7c4a508da12077919%7Ccfcc5bb848014360aa721ecceeb7d0b3%7C0%7C0%7C637842120604372933%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&amp;sdata=97IwMmxgl9rh7BqGJvdvF81rzkmzTQg0Rl3avyetE0I%3D&amp;reserved=0
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxxxxxxxxxx for any subscription related
questions.

Help support midrange.com by shopping at amazon.com with our affiliate
link: https://amazon.midrange.com


As an Amazon Associate we earn from qualifying purchases.

This thread ...

Replies:

Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.