Renew SSL Cert on IBM i using the Digital Certificate Manager

Two weeks ago our SSL certificate expired. This was the first time I had to take a renewed certificate and apply it to our machines. Today I am going to cover the steps I took to apply the SSL cert on our IBM i (OS/400) box and the issues I encountered. We use a wildcard SSL certificate, which is convenient but requires multiple versions of the certificate so that you can apply it to different machines. I tried importing the .pfx SSL cert first, but I discovered that I needed the CA certificates in X.509 (PEM) format and had to import those to our IBM i before I could import the .pfx SSL cert.

NOTE: There might be other methods of doing this, but this is the method I used.

If you have never done this before, don’t worry: it wasn’t that challenging, it just required stepping through a few things to get it in place. IBM provides some valuable steps and documentation for some of the things I am going to show you. How to connect to the DCM and set up SSL can be found here: Configuring an IBM i host for SSL.

First we need to connect to the Digital Certificate Manager (DCM). According to the link above, connecting to the DCM requires entering http://[your_isystem]:2001 into a browser. I did this and was redirected to a different URL: https://[your_isystem]:[port]/ibm/console. From here, the welcome screen, I clicked IBM i Tasks Page (which was on the right-hand side of the window for me). From there I clicked Digital Certificate Manager.

Next click Select a Certificate Store. Select *SYSTEM. Enter the password and click Continue.

On the left-hand side, where the menus are, click to expand Manage Certificates, then click Import Certificate (since I already had the certificate from my IIS server, all I needed to do was import it). Next select Server or client and click Continue.

NOTE: Make sure you copy the SSL certificates to your IBM i box first and record the path where they are saved.

When I clicked continue I received this error:

Here is a link with more information on the asn.1 error: asn.1 encoding and decoding error

I didn’t know what was wrong: whether I had done something wrong, whether the key was invalid, or whether the system couldn’t read the file. I tried keys with different extensions, and I read in IBM’s article on adding SSL that you have to be sure to FTP the files in ASCII and not binary mode, so I checked that; but nothing worked. I could see the text of the SSL cert using the WRKLNK command, but it wouldn’t import.

Turns out that since GeoTrust slightly changed the CAs listed under the cert I had to import the Root CA, CA Bundle, and Intermediate CAs to ensure that all of the Certificate Authorities were listed before I could import my wildcard SSL certificate. This might be common practice but since it was my first time I didn’t know this.
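A quick way to sanity-check the PEM files before walking through the import, as an added example that is not from the original post or from IBM's tooling: this pure-Python script counts the certificates in a bundle and flags the defects that typically surface as an ASN.1 decoding error in DCM (non-ASCII bytes from a binary-mode transfer, CR line endings, a corrupt base64 body, or DER whose declared length does not match the file). It only validates the outer ASN.1 frame, not the certificate contents, and the sample bundle is constructed test data rather than real certificates.

```python
import base64
import re

# One PEM certificate block; the base64 body may span many lines.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def asn1_framing_ok(der: bytes) -> bool:
    """Outer ASN.1 frame only: a SEQUENCE tag (0x30) whose encoded length
    equals the number of bytes that follow it. Truncated or padded DER fails."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                      # short-form length (< 128 bytes)
        return len(der) == 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        return False
    return len(der) == 2 + n + int.from_bytes(der[2:2 + n], "big")


def check_pem_bundle(data: bytes) -> dict:
    """Count the certificates in a PEM file and list reasons DCM might reject
    it; an empty problems list means every block looks importable."""
    problems = []
    if b"\0" in data or not data.isascii():
        problems.append("non-ASCII bytes: binary-mode transfer or a DER/PFX file")
    if b"\r" in data:
        problems.append("CR line endings: transfer in ASCII mode or convert to LF")
    blocks = PEM_BLOCK.findall(data.decode("ascii", errors="replace"))
    if not blocks:
        problems.append("no BEGIN CERTIFICATE block found")
    for i, body in enumerate(blocks, 1):
        try:   # bad base64 raises binascii.Error, a ValueError subclass
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            problems.append(f"certificate {i}: base64 body is corrupt")
            continue
        if not asn1_framing_ok(der):
            problems.append(f"certificate {i}: ASN.1 length mismatch (truncated?)")
    return {"certificates": len(blocks), "problems": problems}


def make_pem(der: bytes) -> str:
    """Wrap DER bytes in PEM armor (used here only to build constructed input)."""
    return ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(der).decode()
            + "\n-----END CERTIFICATE-----\n")


# Constructed sample: two minimal well-framed DER SEQUENCEs standing in for a
# root CA and an intermediate CA, concatenated the way a CA bundle file is.
SAMPLE_BUNDLE = (make_pem(bytes([0x30, 0x03, 0x02, 0x01, 0x01]))
                 + make_pem(bytes([0x30, 0x03, 0x02, 0x01, 0x02]))).encode()
```

Run it against each .pem you copied to the IFS; a bundle that reports more than one certificate needs to be split into one file per certificate, since DCM imports one CA at a time.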

The steps to accomplish this are:

      1. Click Import Certificate under the Manage Certificates menu again. This time select Certificate Authority (CA) and click Continue.
      2. Type the path to the SSL X509 Format cert (I believe it should end in .pem) and click Continue.
      3. Enter the CA certificate label (this must be unique) and click Continue.
      4. Continue until all .pem certs have been imported.

NOTE: If you already have the certificate in your store you will receive this error. Don’t worry, just click OK and move on to the next .pem cert.

Once you have completed the CA import process, go back to the Import Certificate screen one more time. Follow these steps:

      1. Click Import Certificate under the Manage Certificates menu again. This time select Server or client and click Continue.
      2. Type the path to the SSL .pfx cert and click Continue.
      3. Enter the password that was assigned to the cert when it was created, enter the CA certificate label (this must be unique), and click Continue.
      4. Now you can assign applications to the certificate.

If it doesn’t prompt you to Assign to Applications when you import the certificate, go to Manage Certificates again and select Assign certificate. Select the certificate that you just imported and click Assign to Applications. Put a check mark next to all of the applications that you want to assign the cert to and click Continue.

Congratulations! You have completed the process to update the SSL certificates on your IBM i.