IBM Support

How to create a certificate request (CSR), sign it by external or own CA and import it into DCM using OpenSSL

Troubleshooting


Problem

This document provides basic steps to create your own Certificate Authority (CA), sign a CSR (certificate signing request) and create a PKCS12 formatted certificate for import to DCM, by using IBM i OpenSSL (Portable Utilities 5733-SC1).
Additional information about X.509 V3 extension parameters can be found at: https://www.openssl.org/docs/man1.1.1/man5/x509v3_config.html
 

Symptom

Create Certificate Authority and Self Signed Certificate outside Digital Certificate Manager GUI with OpenSSL.

Environment

Documentation was created based on OpenSSL 1.1.1t  08 Sep 2023.
Additional information and instructions can be found here:
https://www.ibm.com/docs/en/i/7.4?topic=device-portable-utilities-i
https://www.openssl.org/news/openssl-1.1.1-notes.html
https://www.ietf.org/rfc/rfc5280.txt

Resolving The Problem

Step 1. Create a Certificate Signing Request (CSR)
openssl genrsa -out certificate.key 4096

openssl req -new -key certificate.key -out certificate.csr
If the certificate request is to be signed by an external signer, send certificate.csr to that signer and go directly to Step 3.
If you want to create your own Certificate Authority, continue with Step 2a.

Step 2a. Create CA private key
openssl genrsa -out ca_certificate.key 4096
Step 2b. Create CA certificate from private key
openssl req -x509 -new -nodes -key ca_certificate.key -sha256 \
    -days 1024 -out ca_certificate.cer
Step 2c. Create Server/Client certificate
openssl x509 -req -in certificate.csr -CA ca_certificate.cer \
    -CAkey ca_certificate.key -CAcreateserial -out certificate.cer \
    -days 500 -sha256
Go to Step 4.

Step 3. Prepare the certificate that you get back from the certificate provider
Step 3a. Double-click the certificate. You will see the Certificate Information.

Step 3b. Click Certification Path, select the Root certificate (if there is an intermediate certificate available, repeat this action) and click View Certificate
Step 3c. On the Root certificate, click Details and Copy to File...
Step 3d. Rename / copy / merge CA files
 
If the root CA file is not named ca_certificate.cer, change the -certfile parameter in Step 4 accordingly.
If your certificate uses a root and an intermediate certificate, follow this example to bundle them.
We assume that the root and intermediate files have been uploaded to the IBM i and that your shell session is in that directory:

Filename example:
root.cer
intermediate.cer

cat root.cer > ca_certificate.cer
cat intermediate.cer >> ca_certificate.cer

Step 4. Create PKCS12
openssl pkcs12 -export -out certificate.p12 -inkey certificate.key \
    -in certificate.cer -certfile ca_certificate.cer
The resulting PKCS12 file can be imported into DCM.
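
Before importing, it is worth confirming that the key, certificate, CA file and PKCS12 from Steps 1 to 4 belong together. The script below is an added example, not part of the IBM document: the function names and the P12_PASS environment variable are assumptions, and the sample set it can generate uses throwaway 2048-bit keys with made-up subject names.

```shell
#!/bin/sh
# Added example (not from the IBM document): pre-import consistency checks.
# Assumption: the PKCS12 password is supplied in the exported variable P12_PASS
# so that it does not appear on the command line.

# check_dcm_bundle KEY CERT CA_BUNDLE P12 -> returns 0 only if all checks pass
check_dcm_bundle() {
    key=$1; cert=$2; ca=$3; p12=$4
    # 1. The private key must belong to the certificate: compare public keys.
    kpub=$(openssl pkey -in "$key" -pubout 2>/dev/null) ||
        { echo "FAIL: cannot read private key"; return 1; }
    cpub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) ||
        { echo "FAIL: cannot read certificate"; return 1; }
    [ "$kpub" = "$cpub" ] ||
        { echo "FAIL: private key does not match certificate"; return 1; }
    # 2. The certificate must verify against the CA file given to -certfile.
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 ||
        { echo "FAIL: certificate does not chain to CA file"; return 1; }
    # 3. The PKCS12 file must open with the password (integrity MAC check).
    openssl pkcs12 -in "$p12" -passin env:P12_PASS -noout >/dev/null 2>&1 ||
        { echo "FAIL: PKCS12 unreadable or wrong password"; return 1; }
    echo "OK: key, certificate, CA file and PKCS12 are consistent"
}

# Constructed sample input: Steps 1, 2a-2c and 4 run non-interactively with
# throwaway 2048-bit keys and made-up subject names, written into directory $1.
make_constructed_set() {
    d=$1
    openssl genrsa -out "$d/certificate.key" 2048 2>/dev/null &&
    openssl req -new -key "$d/certificate.key" -subj "/CN=host.example.test" \
        -out "$d/certificate.csr" &&
    openssl genrsa -out "$d/ca_certificate.key" 2048 2>/dev/null &&
    openssl req -x509 -new -nodes -key "$d/ca_certificate.key" -sha256 -days 30 \
        -subj "/CN=Constructed Test CA" -out "$d/ca_certificate.cer" &&
    openssl x509 -req -in "$d/certificate.csr" -CA "$d/ca_certificate.cer" \
        -CAkey "$d/ca_certificate.key" -CAcreateserial \
        -out "$d/certificate.cer" -days 30 -sha256 2>/dev/null &&
    openssl pkcs12 -export -out "$d/certificate.p12" -inkey "$d/certificate.key" \
        -in "$d/certificate.cer" -certfile "$d/ca_certificate.cer" \
        -passout env:P12_PASS
}

# When saved as a script and given four arguments (KEY CERT CA_BUNDLE P12),
# run the checks directly; P12_PASS must already be exported.
if [ "$#" -eq 4 ]; then check_dcm_bundle "$@"; fi
```

A FAIL on the first check usually means certificate.key is not the key the CSR was created from; a FAIL on the second means the file passed to -certfile does not contain the issuing CA certificates.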

Document Location

Worldwide


Document Information

Modified date:
02 October 2023

UID

ibm17031100