Brad

We are on V7R1M0 but we were doing this on V5R4M0 also. I don't recall ever seeing such an error message - although the error messages DCM gives you for certificate imports are never 100% accurate. They might as well say "I couldn't do that. I don't know why, but here is a guess...."

It doesn't make any sense anyway. Let's say you have purchased a certificate for your web facing Windows servers from a well-known CA - and spent a shedload of money doing so. Then you decide to add an IBMi to your array of web facing servers. If the rule was that you have to have generated a certificate request from the IBMi in order to import the certificate, you would be stuffed. You'd have to buy a brand new certificate just for the IBMi things. It wouldn't surprise many if that was the case, but luckily it is not.

Here is an example of a customer in Germany who had a GeoTrust certificate long before they exposed an IBMi to the web. The certificate was later imported into DCM: https://portal.unitymedia.de without having to generate a request first.

Maybe there is something in the certificate contents that causes the error to which you allude or, more to the point, causes the check to be bypassed.

Cheers
Kevin




-----Original Message-----
From: web400-bounces@xxxxxxxxxxxx [mailto:web400-bounces@xxxxxxxxxxxx] On Behalf Of Bradley Stone
Sent: 22 December 2013 21:20
To: Web Enabling the IBM i (AS/400 and iSeries)
Subject: Re: [WEB400] Self-Signed Certificates

Hi, Kevin.

I just tried with a couple server certificates I have for customers and always get:

"No request key is found for the certificate. If you are trying to receive the signed certificate, you must be using the same certificate store that was used when the certificate was requested. If this is a CA certificate, you should use the function for importing a CA."

Just as expected. So I'm not sure what you're doing different, or if you're on a different OS level (this is on V5R4 BTW).

Steps:
Start DCM
Select *SYSTEM Store
Expand All
Select Import Certificate
Select SERVER
Enter path

Brad


On Sun, Dec 22, 2013 at 10:52 AM, Kevin Turner <kevin.turner@xxxxxxxxxxxxxxxxxxxx> wrote:

Brad

I can 100% guarantee you do not need a matching request in DCM. I
have imported many server certificates into DCM and have never once
had the need to generate the initial request from DCM. The only trouble
I have had is when the CA chain is not already present (which that
forum post circumnavigated).

Kevin

-----Original Message-----
From: web400-bounces@xxxxxxxxxxxx [mailto:web400-bounces@xxxxxxxxxxxx]
On Behalf Of Bradley Stone
Sent: 22 December 2013 16:50
To: Web Enabling the IBM i (AS/400 and iSeries)
Subject: Re: [WEB400] Self-Signed Certificates

Kevin,

DCM has required a matching request when importing a certificate
(unless things have changed in newer OS releases.. which hopefully they have).
I've always just done things by the book.. I guess. :)

Your document explains how to import the CAs if required, but I didn't
see how you'd bypass the requirement DCM gives you of having a matching
request. There's no mention of the error you would get stating the
matching request is required.

I've actually never tried to bypass this requirement of DCM, and I'm
sure it is possible and would be required in some instances,
especially when using a wildcard certificate.

Brad



On Sun, Dec 22, 2013 at 10:21 AM, Kevin Turner <kevin.turner@xxxxxxxxxxxxxxxxxxxx> wrote:

Sorry Brad, but that is not the case. You don't have to make the request
from DCM in order to be able to import it into DCM. For example, our
certificate covers several servers and domains, only one of which is
served from an IBMi. You can import any certificate from a trusted
CA into DCM regardless of where the request was created. What is
true is that DCM does not make it simple to do so - unlike Windows
for example. It can be a bit of a pain, but if you know what you
are doing you can do it. I went through the pain of importing a
GoDaddy certificate on our IBMi and documented the process here:

http://www.coraltreesystems.com/phpbb/viewtopic.php?f=4&t=1009&p=3684&hilit=godaddy#p3684




-----Original Message-----
From: web400-bounces@xxxxxxxxxxxx
[mailto:web400-bounces@xxxxxxxxxxxx]
On Behalf Of Bradley Stone
Sent: 22 December 2013 16:11
To: Web Enabling the IBM i (AS/400 and iSeries)
Subject: Re: [WEB400] Self-Signed Certificates

Just to note, that process isn't complete.

You have to make a request first using DCM that you give to the
certificate provider. Then when you get it you import it.

It won't let you import a certificate without a request.

Also, you may need to import the CA(s) used by the certificate into
your *SYSTEM store first as well.

So the sequence is more like this:

1. Create a server certificate request using DCM
2. Give that to your Certificate source (they will ask for it).
3. Import the certificate. Possibly importing the CAs used by the
certificate first if required.


On Fri, Dec 20, 2013 at 2:06 PM, Rich Loeber <rich@xxxxxxxxx> wrote:

Perfect!

Thanks. This makes my day.

Hope you have a wonderful Christmas celebration!

Rich



--------------------------------------------------------------------------

On 12/20/2013 3:01 PM, Aaron Bartell wrote:

This is pretty good:
http://itquestions.com/questions/1155/how-to-install-a-digital-certificate-on-the-iserie.html

Aaron Bartell


On Fri, Dec 20, 2013 at 1:51 PM, Rich Loeber <rich@xxxxxxxxx> wrote:

Thanks Aaron .... is the installation process on the IBM i
straightforward?

Rich



--------------------------------------------------------------------------

On 12/20/2013 2:49 PM, Aaron Bartell wrote:

There are very inexpensive trusted certificates you can buy. I've
bought comodo in the past.

https://comodosslstore.com/

Aaron Bartell


On Fri, Dec 20, 2013 at 1:46 PM, Rich Loeber <rich@xxxxxxxxx> wrote:

I'm using an Apache server instance with HTTPS for an application
locally. I have secured it with a self-signed certificate that I
created using DCM. The process works OK, but the first time a user
logs into the site (we use FireFox here), they get a security warning
that the certificate is not from a trusted source. I know where the
certificate came from, so I'm OK with this, but there are some users
who get very nervous when they see this exception message.

Is there any way around this issue without having to spend money on a
"trusted" certificate?

Rich Loeber - @richloeber
Kisco Information Systems
http://www.kisco.com

--
This is the Web Enabling the IBM i (AS/400 and iSeries) (WEB400)
mailing list
To post a message email: WEB400@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/web400
or email: WEB400-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/web400.



NOTICE: The information in this electronic mail transmission is
intended by CoralTree Systems Ltd for the use of the named
individuals or entity to which it is directed and may contain
information that is privileged or otherwise confidential. If you
have received this electronic mail transmission in error, please
delete it from your system without copying or forwarding it, and
notify the sender of the error by reply email or by telephone, so
that the sender's address records can be corrected.




--------------------------------------------------------------------------------


CoralTree Systems Limited
Company Registration Number 5021022.
Registered Office:
12-14 Carlton Place
Southampton
Hampshire
SO15 2EA
VAT Registration Number 834 1020 74.


This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].