How Do I Load This Digital Certificate On My IBM i Machine?
April 17, 2013

Hey, Joe
A banking client is requiring us to load a Verisign Class Secure Server CA – G3 certificate authority (CA) certificate on my IBM i box. But when I try to load it into Digital Certificate Manager (DCM), DCM gives me this error: “An error occurred during certificate validation. The issuer of the certificate may not be in the certificate store or the issuer may not be enabled.” What’s going on? –WC
This is a fairly common problem with an easy solution. The Secure Server CA – G3 certificate is an intermediate CA certificate: it was itself issued by a VeriSign root CA. When you import a CA certificate, DCM validates it against its issuer, so the import fails unless the issuing CA's certificate is already in the certificate store and enabled. That is the “…issuer of the certificate may not be in the certificate store…” part of your error message. Simply put, you have to load two certificates, in this order, to get the certificate you want on your machine:

1. The VeriSign root CA certificate that issued the Secure Server CA – G3 certificate (the issuer).
2. The Secure Server CA – G3 certificate itself (the issued certificate).
On a Windows box, you could just load a VeriSign root package that contains all the parent and child certificates you would want to use. On an IBM i box, there isn't any root package that I know of, and you sometimes need to track down and load the issuing CA certificate before you can load the certificate you need. Here's how to approach the process.

Determine Which Certificate You Need To Load

A certificate file is just the encoded certificate, either as Base64 text (PEM) or as binary DER. Windows opens either kind in its certificate viewer as long as the file extension is .cer, so if your certificate file is named Verisign secure server CA – G3, rename it to Verisign secure server CA – G3.cer. To get the “issued by” name in Windows 7, double-click the .cer file and the certificate properties window appears. The General tab shows the name of the certificate authority that issued the certificate (the “Issued by” name). In this case, the issuing authority is VeriSign Class 3 Public Primary Certification Authority – G5. Save that name. The Details tab shows the full Issuer field; note it too, because a CA can have several roots with similar friendly names (VeriSign has Class 3 Public Primary roots G3, G4 and G5, for example), and you need the one that actually signed your certificate.

Download The Issuing CA Certificate

The next step is to download the issuing CA certificate file to an IBM i Integrated File System (IFS) folder, from which it can be imported into the Digital Certificate Manager. For VeriSign, you can get that certificate from the VeriSign Download Primary PCA Root Certificates website. Scroll down to the issuing certificate you want (VeriSign Class 3 Public Primary Certification Authority – G5, in your case). Under the certificate description is a link that says Download Root Now. Right-click that link and select Save As or Save Target As from the pop-up menu that appears. Before you trust the file, open it on your PC and compare its thumbprint (Details tab) with the thumbprint the CA publishes for that root, or with the copy of the same root that already sits in your browser's trusted root store. A root certificate anchors everything chained to it, so it is worth confirming that you downloaded the right one from the right place.
It's important that you right-click the link to save the certificate file. Don't double-click to open the certificate and copy its contents into a text file: the viewer displays the decoded fields, not the encoded certificate, so what you paste is not a loadable certificate file. Use Save As or Save Target As to download the file itself. If you can, save the issuing certificate with a .cer extension directly to an upload folder in your IBM i IFS. If you can't save to the IFS directly, save it to your PC and upload it to the target IFS folder later. Certificate files must be imported into an IBM i certificate store from the partition's Integrated File System.

Loading The Certificates To Your IBM i Digital Certificate Manager

Once you have both CA certificates (the VeriSign Secure Server CA – G3 certificate and the issuing VeriSign Class 3 Public Primary Certification Authority – G5 certificate), it's a simple matter to import them into your IBM i Digital Certificate Manager. Go to your DCM screen and open the certificate store where you intend to save these certificates. Once the store is open, click Fast path→Work with CA certificates in the left-hand menu of the DCM screen. Scroll to the bottom of the screen and click the Import button to import the issuing certificate into the DCM. In the import box, type the IFS folder name and the file name of the issuing certificate (the VeriSign Class 3 Public Primary Certification Authority – G5 certificate). The issuing certificate must always be loaded into your certificate store before you import the issued certificate. Don't put a drive letter in the path, because you are importing from the IFS, not from Windows.
Separate the folder and file names with forward slashes (/), for example /upload/primary_g5.cer (a hypothetical path). Click Continue and you'll see a screen asking for a certificate label. Type a label that describes the certificate you're importing. Click Continue and the issuing CA certificate is added to your Digital Certificate Manager. Then go back and import the VeriSign Secure Server CA – G3 certificate the same way you imported the issuing certificate. It should load this time.

Note: This technique works for locating and loading the issuing CA certificate for any certificate file that produces this error when you import it into DCM. The key is to find the name of the “issued by” certificate authority and download that CA's certificate file. If the issuing CA is itself an intermediate, repeat the step: its own issuer has to be in the store first, and so on until you reach a self-signed root. Except for the names of the certificates, all the other steps are the same no matter which certificate you're having trouble loading.

HTH –Joe

Follow Me On My Blog, On Twitter, And On LinkedIn

Check out my blog at joehertvik.com, where I focus on computer administration and news (especially IBM i); vendor, marketing, and tech writing news and materials; and whatever else I come across. You can also follow me on Twitter @JoeHertvik and on LinkedIn.

Joe Hertvik is the owner of Hertvik Business Services, a service company that provides written marketing content and presentation services for the computer industry, including white papers, case studies, and other marketing material. Email Joe for a free quote for any upcoming projects. He also runs a data center for two companies outside Chicago. Joe is a contributing editor for IT Jungle and has written the Admin Alert column since 2002.
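The procedure above, generalized: read each certificate file's “issued by” and subject names, make sure the file really is an encoded certificate (Base64 PEM or binary DER) rather than text copied out of a viewer, and work out an import order in which every issuer precedes what it issued, reporting any issuer that is missing, which is the situation behind DCM's error. This is an added example, not code from the column or from IBM. It uses only the Python standard library; the certificates it parses are constructed inside the block with fictional “Example” CA names and placeholder signature bytes, so it checks names and ordering only and does not verify signatures. On a real system you would read the .cer files you intend to import instead of the constructed ones.

```python
"""Added example (not from the column): extract issuer/subject names from .cer files
and order them so each issuer is imported before what it issued.  Stdlib only;
parses names, does not verify signatures."""
import base64
import re

# ---- minimal DER encode/decode --------------------------------------------
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def der(tag, content):
    """Encode one DER TLV (used only to build the constructed sample certs)."""
    return bytes([tag]) + _der_len(len(content)) + content

def read_tlv(buf, pos=0):
    """Decode one TLV starting at pos: returns (tag, content, next_pos)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                      # long-form length
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length

def children(content):
    """Yield (tag, content) for each TLV inside a constructed value."""
    pos = 0
    while pos < len(content):
        tag, body, pos = read_tlv(content, pos)
        yield tag, body

# ---- X.509 Name and Certificate ------------------------------------------
OID_NAMES = {b"\x55\x04\x03": "CN", b"\x55\x04\x0a": "O", b"\x55\x04\x06": "C"}

def name_to_str(name_content):
    """Render a Name (SEQUENCE OF SET OF {OID, value}) as 'CN=..., O=..., C=...'."""
    parts = []
    for _, rdn in children(name_content):            # each RelativeDistinguishedName
        for _, atv in children(rdn):                 # each AttributeTypeAndValue
            (_, oid), (_, value) = list(children(atv))
            parts.append(f"{OID_NAMES.get(oid, oid.hex())}={value.decode()}")
    return ", ".join(parts)

def parse_cert(cert_der):
    """Return (issuer, subject) of a DER-encoded X.509 certificate."""
    _, cert, _ = read_tlv(cert_der)                  # Certificate SEQUENCE
    _, tbs, _ = read_tlv(cert)                       # tbsCertificate
    fields = list(children(tbs))
    if fields[0][0] == 0xA0:                         # optional [0] EXPLICIT version
        fields = fields[1:]
    # fields: serial, signatureAlgorithm, issuer, validity, subject, subjectPublicKeyInfo, ...
    return name_to_str(fields[2][1]), name_to_str(fields[4][1])

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def load_der(data):
    """Accept a Base64 (PEM) or binary (DER) .cer file and return DER bytes."""
    m = PEM_RE.search(data)
    if m:
        return base64.b64decode(b"".join(m.group(1).split()))
    if data[:1] != b"\x30":
        raise ValueError("not a PEM or DER certificate (text copied from a viewer?)")
    return data

def plan_import(files):
    """files: {file name: raw bytes}.  Returns (import order, {file: missing issuer}).
    A certificate is ready once it is self-signed or its issuer is already imported,
    the same rule DCM applies when it validates a CA certificate at import time."""
    pending = {name: parse_cert(load_der(data)) for name, data in files.items()}
    imported, order = set(), []
    while pending:
        ready = [n for n, (iss, sub) in pending.items() if iss == sub or iss in imported]
        if not ready:
            break
        for n in sorted(ready):
            order.append(n)
            imported.add(pending.pop(n)[1])      # remember the subject now available as issuer
    return order, {n: iss for n, (iss, _) in pending.items()}

# ---- constructed sample data (fictional CA names, dummy signature bytes) ---
def make_name(**attrs):
    oid_for = {v: k for k, v in OID_NAMES.items()}
    return der(0x30, b"".join(
        der(0x31, der(0x30, der(0x06, oid_for[k]) + der(0x13, v.encode())))
        for k, v in attrs.items()))

def make_cert(subject, issuer, serial):
    alg = der(0x30, der(0x06, bytes.fromhex("2A864886F70D01010B")) + der(0x05, b""))  # sha256WithRSA
    validity = der(0x30, der(0x17, b"130101000000Z") + der(0x17, b"230101000000Z"))
    spki = der(0x30, der(0x30, der(0x06, bytes.fromhex("2A864886F70D010101")) + der(0x05, b""))
               + der(0x03, b"\x00" * 17))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, bytes([serial]))
              + alg + issuer + validity + subject + spki)
    return der(0x30, tbs + alg + der(0x03, b"\x00" * 33))   # placeholder signature, never checked

ROOT_NAME = make_name(CN="Example Class 3 Public Primary Certification Authority - G5", O="Example Inc", C="US")
INTER_NAME = make_name(CN="Example Secure Server CA - G3", O="Example Inc", C="US")
ROOT_CER = make_cert(ROOT_NAME, ROOT_NAME, 1)           # self-signed root, binary DER
INTER_CER = make_cert(INTER_NAME, ROOT_NAME, 2)         # intermediate issued by that root
ROOT_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(ROOT_CER)
            + b"-----END CERTIFICATE-----\n")           # same root as a Base64 .cer

if __name__ == "__main__":
    print("issued by:", parse_cert(INTER_CER)[0])
    print("intermediate alone:", plan_import({"secure_server_g3.cer": INTER_CER}))
    print("both files:", plan_import({"secure_server_g3.cer": INTER_CER, "primary_g5.cer": ROOT_PEM}))
```

With only the intermediate in the folder, plan_import returns an empty order and names the missing issuer, which is the same condition DCM reports; add the root file and it returns the root first, then the intermediate. load_der rejects anything that is neither PEM nor DER, which catches the copy-and-paste-from-the-viewer mistake described above.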