Hello,
On 20.12.2025 at 00:15, smith5646midrange@xxxxxxxxx wrote:
> I will look at this in more detail but we were trying to see the thumbprint on the IBMi to be sure it was imported correctly.
Again, there is no "the" thumbprint. The checksum itself naturally depends on the checksum algorithm being used.
> Remember I know nothing about certificates and he knows nothing about IBMi.
Maybe this is a good opportunity to actually learn some basics about asymmetric key cryptography, private and public key parts and the role of an entity digitally signing the public part of the key pair to prove the association of the public key to a given entity (person, domain name, etc.). :-)
On top of that are the storage mechanisms for the data itself, and the additional confusion inflicted by incorrectly naming things. Example: .crt files often contain one private key or one signed public key (=certificate) in PEM format. (The unsigned public key is called a certificate request.) There is a container format called PKCS#12 which is essentially an archive of public and private keys, and their associated intermediate certificates: It's perfectly allowed (and done in practice) that there is a chain of certificates each pointing to the next certificate that actually added the digital signature for proving the association of entities (see above). There is another format called DER (Distinguished Encoding Rules), which might also be an archive format, but I haven't had real-world exposure to this yet.
OpenSSL has many subcommands for converting certificates into different storage formats.
Private keys and containers with private keys can be protected by a password. Sometimes, people say "certificate" and mean "private key", or a PKCS#12 bundle of both. In any case, it's crucial to understand that the private key is to be kept private.
Maybe this gives you a start and some keywords to search the net.
> There is a good chance that I screwed up the import. 😊 Maybe the openssl in QSH will give me what we are after.
The OpenSSL command is acting upon the file before the import. I don't know how certificates are stored in IBM i. In addition, Java has its own certificate storage infrastructure. All in all, I feel it's done more complicated than it should be.
> Thanks. I will let you know if I have additional questions.
I'll happily try to help!
:wq! PoC
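
Added example, not part of the original message: a thumbprint is a hash over the certificate's DER bytes, so one certificate has a different value per hash algorithm, while a PEM and a DER file of the same certificate agree. The helper names and the sample bytes are constructed for illustration; the sample is a stand-in, not a real certificate.

```python
import base64
import hashlib
import re
import ssl
from typing import Optional

# Hex digest length -> hash algorithm, to recognise what a tool displayed.
ALGO_BY_HEX_LEN = {40: "sha1", 64: "sha256", 96: "sha384", 128: "sha512"}
PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

# Constructed stand-in bytes (a tiny DER SEQUENCE), NOT a real certificate.
SAMPLE_DER = bytes.fromhex("3003020101")
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER).encode("ascii")


def load_der(data: bytes) -> bytes:
    """Return DER bytes from PEM text (first certificate) or raw DER."""
    block = PEM_BLOCK.search(data)
    return base64.b64decode(block.group(1)) if block else data


def fingerprint(cert: bytes, algo: str = "sha256") -> str:
    """Lower-case hex digest of the DER encoding under the given hash."""
    return hashlib.new(algo, load_der(cert)).hexdigest()


def normalize(shown: str) -> str:
    """Drop a 'label=' prefix, colons, spaces and case from a displayed value."""
    return re.sub(r"[\s:]", "", shown.split("=")[-1]).lower()


def matching_algo(cert: bytes, shown: str) -> Optional[str]:
    """Name the hash under which `shown` matches the certificate, else None."""
    value = normalize(shown)
    algo = ALGO_BY_HEX_LEN.get(len(value))
    if algo and fingerprint(cert, algo) == value:
        return algo
    return None


if __name__ == "__main__":
    for algo in ("sha1", "sha256"):
        print(algo, fingerprint(SAMPLE_PEM, algo))
```

To compare against a real file, read its bytes and pass them to `matching_algo` together with the value shown by the other system.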