Troubleshooting
Problem
This document provides instructions for creating a server certificate issued by an external certificate authority. This process creates a Certificate Signing Request (CSR) that can then be sent to an external certificate authority to create a new certificate.
Resolving The Problem
This documentation describes how to use Heritage Digital Certificate Manager to create a certificate signed by an external Certificate Authority. If you would like to use the updated Digital Certificate Manager, see the following:
Note: Refer to the following document if this is a new configuration and there is no *SYSTEM store:
How to create the *SYSTEM store in DCM
1. In your browser address bar, type the following (where systemname is the IBM i system name or IP address).
http://systemname:2001/QIBM/ICSS/Cert/Admin/qycucm1.ndm/main0
2. Click 'Select Certificate Store' in the left pane, select '*SYSTEM', and click 'Continue'. Enter the password and click 'Continue'.
3. In the left navigation pane, select 'Fast Path', then select 'Work with server and client certificates'.
4. Click the 'Create' button at the bottom of this page and, when asked, select 'VeriSign or other Internet Certificate Authority (CA)'.
5. Fill out the next page with your information and click 'Continue'. If this certificate is being used for a Web server, make sure the common name is the URL host name for your site. The label can be any descriptive name you choose.
6. Copy the certificate signing request (CSR) and send it to your certificate issuer to sign. Make sure you copy all of the data, including the dashes. Click 'OK'.
7. Once you have the new certificate from the issuer, upload the file using FTP or a mapped drive to any directory in the IFS (but not in QDLS). Next, go back into DCM > 'Fast Path' > 'Work with server and client certificates', and click 'Import'. Then type the path to the certificate file that you uploaded earlier in this step.
Note: If you get an error that the issuer is not trusted or not in the store, you may need to import the Certificate Authority (CA) certificate first and then come back and import the server certificate. For steps on importing a CA, refer to Rochester Support Center knowledgebase document New, 'How to Import a CA Certificate into Digital Certificate Manager':
8. Assign the new certificate to whatever applications you would like to secure. Note: Some applications may need to be restarted for the change to take effect.
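Step 6 depends on the CSR being copied intact, dashes included. The following Python sketch is an added example, not part of the IBM document or of DCM: it checks pasted CSR text for matching BEGIN/END lines, valid base64, and a DER length that agrees with the decoded size, which catches a truncated copy before it goes to the CA. The accepted PEM labels and the `make_sample_pem` stand-in data are assumptions.

```python
import base64
import binascii
import re

# PEM armor labels accepted here (assumption: the CSR is PEM text with one of these labels).
_PEM = re.compile(
    r"-----BEGIN (NEW CERTIFICATE REQUEST|CERTIFICATE REQUEST)-----\s*"
    r"(.*?)\s*-----END \1-----",
    re.DOTALL,
)


def check_csr_paste(text):
    """Return (ok, reason) for CSR text copied out of a browser page."""
    match = _PEM.search(text)
    if match is None:
        return False, "BEGIN/END dash lines missing or mismatched"
    body = "".join(match.group(2).split())
    try:
        der = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return False, "base64 body is damaged"
    # A CSR is one DER SEQUENCE: tag 0x30, a length, then exactly that many bytes.
    if len(der) < 2 or der[0] != 0x30:
        return False, "not a DER SEQUENCE"
    first = der[1]
    if first < 0x80:  # short form: the byte is the length
        header, length = 2, first
    else:  # long form: low 7 bits give the number of length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False, "bad DER length field"
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    if header + length != len(der):
        return False, "DER length says %d bytes, got %d" % (header + length, len(der))
    return True, "ok"


def make_sample_pem(payload_len=300):
    """Constructed stand-in: correct armor and DER framing, not a real CSR."""
    payload = bytes(i % 251 for i in range(payload_len))
    der = b"\x30\x82" + payload_len.to_bytes(2, "big") + payload
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(["-----BEGIN NEW CERTIFICATE REQUEST-----", *lines,
                      "-----END NEW CERTIFICATE REQUEST-----"]) + "\n"
```

A passing result only shows the text was copied whole; it does not validate the subject, key, or signature inside the request.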
Historical Number
548869787
Document Information
Modified date:
11 August 2022
UID
nas8N1018506