You got it. You already imported the CAs required. So you didn't really
import the whole bundle and automatically import CAs at the same time.
They were already there so importing the Cert went smoooooooth. :)

IBM tries to include basic CAs, yes. But not always. Things change quick
in that regard.

On Mon, May 8, 2023 at 10:55 AM Pete Helgren <pete@xxxxxxxxxx> wrote:

Brad/Jon,

I use LetsEncrypt but it really isn't any different that any other CA.
The first time I tried to use LetsEncrypt, I had to install the CA
root. It's a corner case for IBM since I am guessing they made sure
that the CA Roots for common CA's (paid) were there. But IIRC, Tom Haze
asked about and the last I looked, it was included with all the other CA
Roots.

So let's back up a second. My assumption was that IBM provided a list
of common CA Roots and Intermediates. But, at least here:
https://www.ibm.com/docs/en/ssw_ibm_i_73/pdf/rzahupdf.pdf in the
"What's new in 7.3" section, IBM specifically says it doesn't. Whether
it persisted into 7.4 (no reference) or 7.5 (no reference) I don't
know. However, on the Certificates page in DCM, filtering for
"Certificate Authority", there is an option to "Populate with CA's" and
the Root for LetsEncrypt is in there along with a list of many other CA's.

LetsEncrypt has this chain of trust:

Issued certificate (eg the domain you are securing) signed by R3, Let's
Encrypt
Let’s Encrypt R3 signed by ISRG Root X1, Internet Security Research Group
ISRG Root X1 signed by DST Root CA X3, Digital Signature Trust Co.

ISRG Root X1 is cross signed so that might be why the DST Root CA X3
isn't present in DCM. I can tell you that all three certs, in the
correct order, are in the .pem file that is imported into DCM. I have
never needed to individually import the certs, just always pull in the
whole thing.

It's possible that you are using a CA that is new to DCM and if so,
you'd either need to use "Populate" option if it's in the list or
manually import them. But it's a one-time thing. If you use the same
CA, you only need to do that once and having all certs in the file that
is imported after that point in time hasn't caused me any heartburn.
But I like to keep things simple and cheap, so I reuse my CSR's and use
LetsEncrypt as my CA. Like I said, been working for years.

Pete Helgren
www.petesworkshop.com
GIAC Secure Software Programmer-Java
GIAC Cloud Penetration Tester
AWS Certified Cloud Practitioner
Microsoft Certified: Azure Fundamentals

On 5/8/2023 9:40 AM, Brad Stone wrote:
Well, he did say most of the CAs were already there, so maybe that's the
case. I know the last certs I've imported the CAs were already there so
no
importing of CAs required and the "bundle" imported just fine. :)



On Mon, May 8, 2023 at 9:27 AM Jon Paris <jon.paris@xxxxxxxxxxxxxx>
wrote:

Agreed - in fact it errors out if you try.

But then I have no idea how Pete gets it to accept a bundle file in the
first place. It ust rejects it for me.


Jon P.

On May 7, 2023, at 10:34 PM, Brad Stone <bvstone@xxxxxxxxx> wrote:

Using DCM? I've never been able to import a server cert if the CAs
aren't
already there.

On Sun, May 7, 2023 at 7:43 PM Pete Helgren <pete@xxxxxxxxxx> wrote:

Interesting....I just import the bundle, remembering the "bundle" is
the
cert plus the intermediates (three certs in my case). The LetsEncrypt
CA root is already present (most CA roots are already in DCM).

I always just use the same csr since it only needs to be created once,
unless your server key changes, or the key length is changed....most
of
my csr's haven't changed in years.

The only place I got tripped up in the past when when I imported and
forgot to choose "Server or Client" and "Automatically renewed
certificate". But I have fully automated the LetsEncrypt renewals
with
DCM now so I don't have to do a manual import except in rare
occasions.....
Pete Helgren
www.petesworkshop.com
GIAC Secure Software Programmer-Java
GIAC Cloud Penetration Tester
AWS Certified Cloud Practitioner
Microsoft Certified: Azure Fundamentals

On 5/7/2023 3:53 PM, Jon Paris wrote:
OK - I just used copy/paste to create the individual certs.

Thanks for the help it is all working now.


Jon P.
--
This is the Web Enabling the IBM i (AS/400 and iSeries) (WEB400)
mailing
list
To post a message email: WEB400@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/web400
or email: WEB400-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/web400.


--
This is the Web Enabling the IBM i (AS/400 and iSeries) (WEB400)
mailing
list
To post a message email: WEB400@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/web400
or email: WEB400-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/web400.

--
This is the Web Enabling the IBM i (AS/400 and iSeries) (WEB400) mailing
list
To post a message email: WEB400@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/web400
or email: WEB400-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/web400.


--
This is the Web Enabling the IBM i (AS/400 and iSeries) (WEB400) mailing
list
To post a message email: WEB400@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/web400
or email: WEB400-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/web400.



As an Amazon Associate we earn from qualifying purchases.

This thread ...

Replies:

Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.