Hi Pete,
No, I'm retired. I was just curious because it seemed like quite a few steps Rob had to go through, then repeat for another 13 LPARs.
I have no idea how many shops have that many LPARs, or if the difficulty of implementing some automated version of those steps is worth it.
--
*Peter Dow*
909 793-9050
petercdow@xxxxxxxxx
On 2/24/2026 9:25 AM, Pete Helgren wrote:
Peter, not sure if you are referring to automation to distribute the certs across LPARs or automating the renewal or both, but I happen to be working on a presentation for PowerUp in New Orleans this year and I have an application that uses Let's Encrypt to create the certificates and handles the DCM backend as well. I haven't released the app (it's an Angular frontend with a Servlet backend) because I am still "tweaking" it before I release it. It's open source. Right now it can handle HTTP-01 requests and also DNS-01 requests with GoDaddy.
Rob is doing what is normally done to get third-party certificates into DCM. There are APIs in DCM you could leverage for some of those steps; the kicker is getting the certificate from the 3rd party. Let's Encrypt uses the ACME framework to get the certificate and I know there are other CAs that support ACME as well. I don't know if DigiCert or Sectigo or other paid 3rd party CAs support ACME. Since certificate lives are getting shorter and shorter (it'll be 47 days by 2029), using an ACME client is going to be a requirement.
Other folks are probably using some of the scripted ACME clients, like Certbot, which are fine but aren't as tightly bound to DCM. That is the issue I am trying to solve, and nearly have: an end-to-end certificate renewal solution that is integrated with DCM.
Sorry for the "commercial"...if you can clarify what you are interested in automating, I might be able to help a bit.
Pete Helgren
www.petesworkshop.com
CISSP - MSCM
GIAC Cloud Penetration Tester
AWS Certified Cloud Practitioner
Microsoft Certified: Azure Fundamentals
On 2/24/2026 11:06 AM, Peter Dow wrote:
Hi Rob,
Is it possible to automate any of that? Sounds like a lot of repetitious busy work, just the kind of thing computers should be good at.
--
*Peter Dow*
909 793-9050
petercdow@xxxxxxxxx
On 2/24/2026 4:46 AM, Rob Berendt wrote:
I spent most of the day yesterday updating the certificates on 14 LPARs.
On one LPAR I generated the csr, I uploaded that to Digicert and pulled
down the file and used that in DCM. After assigning all the apps to it I
also assigned it to the ADMIN* servers.
Then I exported that pfx file, FTPd it to all the rest of the LPARs,
imported it and repeated the assignments.
Only had to open one case with IBM because one LPAR had issues.
I have this typed up, with images, into a Word document. Definitely not my
best work, but I can follow it. And just updated it.
On Mon, Feb 23, 2026 at 2:54 PM Pete Helgren <pete@xxxxxxxxxx> wrote:
If you don't have a CSR you'll need a pkcs12 format file (.p12 or .pfx)
that has the server private key. Since DCM didn't generate the CSR it
doesn't have the private key associated with it so you'll need the
server private key which is usually packaged up in a pkcs#12 file and
then import the file.
Pete Helgren
www.petesworkshop.com
CISSP - MSCM
GIAC Cloud Penetration Tester
AWS Certified Cloud Practitioner
Microsoft Certified: Azure Fundamentals
On 2/21/2026 12:13 PM, Brad Stone wrote:
I don't think you can assign applications to a CA. Just the certificates.
I forget how you import a certificate without a CSR, but I know there's a
way... I've done it once or twice in the past.
On Sat, Feb 21, 2026 at 11:30 AM Jim Oberholtzer <midrangel@xxxxxxxxxxxxxxxxx> wrote:
Search and AI have failed to give me the answer. I have a certificate
created by the customer. I can import the CA just fine using DCM, but I
cannot assign any applications to it. No option to do so. So I have
missed a step somewhere.
I started out with a mycertificate.cer
Imports to *SYSTEM certificate store quickly and easily.
From there I cannot assign it to any applications.
What step am I missing?
--
Jim Oberholtzer
Agile Technology Architects
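
The distinction discussed in this thread (a bare .cer holds only the public certificate, while a PKCS#12 file also carries the server private key) can be checked with OpenSSL before attempting an import. This is an added example, not code from any poster or from DCM; it assumes the `openssl` CLI on a workstation, and the file names, CN and password are constructed for the demo.

```shell
#!/bin/sh
# Added example. File names, CN and password are constructed for the demo.

# Print what file $1 holds: p12-with-key, p12-no-key, cert-only or unknown.
# $2 is the PKCS#12 password (unused for plain certificate files).
classify_cert_file() {
    f=$1; pw=${2:-}
    if openssl pkcs12 -in "$f" -passin "pass:$pw" -nocerts -nodes 2>/dev/null |
            grep -q 'PRIVATE KEY'; then
        echo p12-with-key      # certificate plus its private key
    elif openssl pkcs12 -in "$f" -passin "pass:$pw" -nokeys >/dev/null 2>&1; then
        echo p12-no-key
    elif openssl x509 -in "$f" -noout >/dev/null 2>&1 ||
            openssl x509 -inform DER -in "$f" -noout >/dev/null 2>&1; then
        echo cert-only         # public certificate only, like a bare .cer
    else
        echo unknown           # unreadable, or wrong PKCS#12 password
    fi
}

# Succeed only if the private key inside PKCS#12 file $1 matches its certificate.
p12_key_matches_cert() {
    f=$1; pw=${2:-}
    cert_pub=$(openssl pkcs12 -in "$f" -passin "pass:$pw" -nokeys -clcerts 2>/dev/null |
        openssl x509 -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkcs12 -in "$f" -passin "pass:$pw" -nocerts -nodes 2>/dev/null |
        openssl pkey -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Build constructed samples in directory $1: demo.cer and demo.p12.
make_demo_files() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo.example" \
        -keyout "$d/demo.key" -out "$d/demo.cer" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$d/demo.key" -in "$d/demo.cer" \
        -passout pass:demo-pass -out "$d/demo.p12" 2>/dev/null
}

tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
make_demo_files "$tmp"
echo "demo.cer: $(classify_cert_file "$tmp/demo.cer")"
echo "demo.p12: $(classify_cert_file "$tmp/demo.p12" demo-pass)"
p12_key_matches_cert "$tmp/demo.p12" demo-pass && echo "demo.p12: key matches certificate"
```

A file that reports `cert-only` can be trusted as a CA or peer certificate but cannot serve as a server certificate unless the matching private key already exists in the target key store.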
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/midrange-l.
Please contact support@xxxxxxxxxxxxxxxxxxxx for any subscription related
questions.
This mailing list archive is Copyright 1997-2026 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].