Well, thanks to your earlier help with viewing the contents, Pete, and comments from Larry about having to install the upstream CA as well, I decided to try splitting the bundle into two files and installing them separately as CAs. That worked and ... YIPEEE - both imported and subsequently so did the certificates.

Sadly that is the end of the good news!

I assigned the apps that used the old certs to the new ones - all went fine but ... despite stopping and starting the servers I'm still not seeing a secure connection. What else am I missing?


Jon Paris

www.partner400.com
www.SystemiDeveloper.com
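The chain Jon describes, as an added example written for this page and not part of the thread: it rebuilds the AddTrust > USERTrust > Sectigo > server-certificate chain with throwaway certificates generated in place of the real ones (the Chain, mkCert and Demo names are this example's own), and shows that the bundle's two CAs alone cannot validate the server certificate, because the bundle's USERTrust entry is itself issued by AddTrust, while the chain closes once that upstream root is trusted as well.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// Chain validates leaf with the bundle as intermediates and roots as trust anchors; nil means no chain reached a trusted root.
func Chain(leaf *x509.Certificate, bundle, roots []*x509.Certificate) []*x509.Certificate {
	inter, trust := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range bundle {
		inter.AddCert(c)
	}
	for _, c := range roots {
		trust.AddCert(c)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{Intermediates: inter, Roots: trust})
	if err != nil {
		return nil // typically "x509: certificate signed by unknown authority"
	}
	return chains[0]
}

// mkCert issues a throwaway test cert (constructed data, not a real CA's); nil parent = self-signed.
func mkCert(cn string, ca bool, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: pkix.Name{CommonName: cn}, NotBefore: time.Now().Add(-time.Hour),
		NotAfter: time.Now().Add(time.Hour), IsCA: ca, BasicConstraintsValid: true}
	if parent == nil {
		parent, pkey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	c, _ := x509.ParseCertificate(der)
	return c, key
}

// Demo rebuilds the thread's situation: the two-entry bundle carries the Sectigo and USERTrust
// CAs but not the upstream AddTrust root. Returns the chain with only the bundle, then with the root.
func Demo() (bundleOnly, withRoot []*x509.Certificate) {
	root, rootKey := mkCert("AddTrust External CA Root", true, nil, nil)
	ut, utKey := mkCert("USERTrust RSA Certification Authority", true, root, rootKey)
	sect, sectKey := mkCert("Sectigo RSA Organization Validation Secure Server CA", true, ut, utKey)
	leaf, _ := mkCert("systemideveloper.com", false, sect, sectKey)
	bundle := []*x509.Certificate{sect, ut} // the bundle file's two entries, in file order
	return Chain(leaf, bundle, nil), Chain(leaf, bundle, []*x509.Certificate{root})
}
```

Demo returns nil for the bundle-only case and a four-certificate chain (server cert, Sectigo, USERTrust, AddTrust) once the root is in the trust pool, which is why importing the bundle's CAs without the upstream root was not enough.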

On Jun 5, 2019, at 11:33 AM, Pete Helgren <pete@xxxxxxxxxx> wrote:

So, I went ahead and imported the AddTrust Root CA (AddTrustExternalCARoot.crt) and also the Comodo Root CA (COMODOCertificationAuthority.crt) and both are now available as CAs in the certificate store. The question now would be if a certificate generated by NameCheap would import successfully.

Pete Helgren
www.petesworkshop.com
GIAC Secure Software Programmer-Java
Twitter - Sys_i_Geek IBM_i_Geek

On 6/5/2019 10:06 AM, Pete Helgren wrote:
The AddTrust External CA Root is available in the list I sent earlier. So download the crt file and try importing it. Maybe it needs that as part of the certificate chain before you can import the bundle you received....

Pete Helgren
www.petesworkshop.com
GIAC Secure Software Programmer-Java
Twitter - Sys_i_Geek IBM_i_Geek

On 6/5/2019 9:57 AM, Jon Paris wrote:
This is what shows for the certs Pete. First is the single crt file. Next two are from the bundle. I see no reference to Comodo here despite what some of the emails said. The certs are for Sectigo and UserTrust.

Common Name: systemideveloper.com
Subject Alternative Names: systemideveloper.com, www.systemideveloper.com
Organization: System i Developer LLC
Organization Unit: InstantSSL
Locality: Peterborough
State: New Hampshire
Country: US
Valid From: June 3, 2019
Valid To: June 3, 2021
Issuer: Sectigo RSA Organization Validation Secure Server CA, Sectigo Limited

Bundle

First entry

Common Name: Sectigo RSA Organization Validation Secure Server CA
Organization: Sectigo Limited
Locality: Salford
State: Greater Manchester
Country: GB
Valid From: November 1, 2018
Valid To: December 31, 2030
Issuer: USERTrust RSA Certification Authority, The USERTRUST Network


Second entry

Common Name: USERTrust RSA Certification Authority
Organization: The USERTRUST Network
Locality: Jersey City
State: New Jersey
Country: US
Valid From: May 30, 2000
Valid To: May 30, 2020
Issuer: AddTrust External CA Root, AddTrust AB
Serial Number: 13ea28705bf4eced0c36630980614336

Jon Paris

www.partner400.com
www.SystemiDeveloper.com

On Jun 5, 2019, at 10:50 AM, Pete Helgren <pete@xxxxxxxxxx> wrote:

Hmmm...what is the error you receive? When I looked up Sectigo's root CA it points to Comodo (here: https://sectigo.com/resources/sectigo-root-intermediate-certificate-files ) You may have already checked these DCM resources: https://www-01.ibm.com/support/docview.wss?uid=nas8N1012543 and https://www-01.ibm.com/support/docview.wss?uid=nas8N1011678 but I am still flummoxed by the difficulty you are having. If you have a valid Comodo CA and the cert was issued by Comodo, DCM shouldn't be complaining.

I am not sure where else to go to look for more detailed messages when a certificate import fails....don't know if a Job log for the DCM job would have more info....

Pete Helgren
www.petesworkshop.com
GIAC Secure Software Programmer-Java
Twitter - Sys_i_Geek IBM_i_Geek

On 6/5/2019 9:28 AM, Jon Paris wrote:
Thanks for the link Pete - I was wondering how the heck to check.

There are two certs in the bundle and these are the details.

It would seem that the issue is that although some of the correspondence said Comodo the cert is associated with their new name Sectigo.

So that explains why they are not active as a CA in the store - but that doesn't explain why the DCM errors out when I try to add them as a CA.

I understand the basics behind all this - but surely IBM could make it easier than this!

Just don't know what to try next.
Jon Paris

www.partner400.com
www.SystemiDeveloper.com

On Jun 4, 2019, at 8:50 PM, Pete Helgren <pete@xxxxxxxxxx> wrote:

If you generated a CSR and they issued the certificate then I don't think you need to go through the whole thing again. I use Let's Encrypt and have renewed multiple times using the same CSR so that has just been my experience. You can generate a new CSR every time if you want to. When I requested a new certificate from Comodo, I used the same CSR as well. But, starting with a new CSR shouldn't be any different.....

I don't quite understand why your certificate is failing. If you had Comodo before, the CA for Comodo should be in the certificate store. You may want to open the bundle and then copy the certificate and paste it into https://www.sslshopper.com/certificate-decoder.html and see what it shows as the CA and the details of the certificate. SSLShopper has a bunch of tools to figure out what is going on with certificates. You can also check your CSR there. But, I doubt the issue is with the CSR because Comodo wouldn't have signed it otherwise. Maybe NameCheap as the intermediate is the issue and yes, use the entire bundle as your certificate to import.

Push comes to shove, you can email NameCheap and explain the situation. They might let you re-generate the CSR and request a new cert. But, it just seems strange to me that you can't renew the certificate. Not a lot of moving parts to break here......

Pete Helgren
www.petesworkshop.com
GIAC Secure Software Programmer-Java
Twitter - Sys_i_Geek IBM_i_Geek

On 6/4/2019 5:32 PM, Jon Paris wrote:
And if they have already issued a cert that I can't use they will just re-issue?

And it may take seconds when you know what you are doing but ....


Jon Paris

www.partner400.com
www.SystemiDeveloper.com

On Jun 4, 2019, at 6:21 PM, B Stone <bvstone@xxxxxxxxx> wrote:

Takes literally seconds. Not a huge deal. :)

Namecheap will send you the cert, which you can export the CAs from. Of course you need to do a little domain ownership verification first.


Bradley V. Stone
www.bvstools.com
MAILTOOL Benefit #19 <https://www.bvstools.com/mailtool.html>: The ability
to turn off "Strict SSL" settings. This means no importing Certificate
Authorities (CAs) unless you want to.

On Tue, Jun 4, 2019 at 5:10 PM Jon Paris <jon.paris@xxxxxxxxxxxxxx> wrote:

OK - so I guess to do that I have to start the whole CSR etc. bit again.


Jon Paris

www.partner400.com
www.SystemiDeveloper.com

On Jun 4, 2019, at 4:28 PM, B Stone <bvstone@xxxxxxxxx> wrote:

Jon,

It's best to simply do a new CSR and import a new certificate (CAs first of course). Trying to renew using normal methods is a headache on the IBM i. So I just simply generate a new CSR each time.

On Tue, Jun 4, 2019 at 2:19 PM Jon Paris <jon.paris@xxxxxxxxxxxxxx> wrote:
So ....

I already have a cert applied but it is expiring.

Selected to renew it.

Chose to generate a new key pair.

Used the data to request the new key.

Got cert and attempted to apply. Keep getting a message that there is no such certificate in the store.


Question for those of you who understand all this. Could this be caused because the new cert is not issued by the same authority as the previous one? Original was from Comodo - new one from NameCheap - but the underlying cert is still from Comodo.

If that is the case, can I still use the certificate that I have for a new entry?


Jon Paris

www.partner400.com
www.SystemiDeveloper.com

--
This is the Web Enabling the IBM i (AS/400 and iSeries) (WEB400) mailing
list
To post a message email: WEB400@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/web400
or email: WEB400-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/web400.

