IBM Support

Extracting a CA Root Certificate from a Digital Certificate

Troubleshooting


Problem

This document provides information about resolving a problem when the error "issuer is not in the certificate database or is not trusted" is received when importing a digital certificate into Digital Certificate Manager.

Resolving The Problem

When importing a digital certificate into Digital Certificate Manager (DCM), it may fail with an error message that the issuer is not in the certificate store or is not trusted. The following process shows how to extract the CA certificate from the server certificate. After importing the CA root certificate (and any intermediate CA certificates), the server certificate can be imported.

Extracting the Root CA Certificate from a Digital Certificate

If the certificate file on your Microsoft Windows PC has an extension of .cer or .crt, it can be opened with the Windows certificate viewer. Do the following:

1.Double click on the file and you will see a window similar to the following:

In the Certificate window, click on the Certification Path tab.
2.Click on the Certification Path tab:

In the Certificate window, highlight the certificate.
3.You will see the certificate and the issuing certificate(s). Highlight the top level certificate (or the one you want to generate); this enables the View Certificate button. Click on View Certificate.

In the Certificate window, click View Certificate.

A new window will open up and display the certificate that was highlighted:

In the Certificate window, click on the Details tab.
4.Click on the Details tab.

In the Certificate window, press the "Copy to File" button.
5.Click on the Copy to File button. This opens a wizard:

Click Next on the Certificate Wizard window.
6.Click Next.
7.Select Base-64 encoded X.509 (.CER):

Select Base-64 encoded X.509 (.CER)
8.Specify a file name. You can click on Browse to select the path:

In the Certificate Export Wizard window, specify the file name.
9.Click Next.
10.Click on Finish:

In the Certificate Export Wizard window, click Finish.

The file with the name and path you specified will be created and you will get a Success message:

An "export was successful" box will be presented.
11.Move this file to the Integrated File System (IFS) on the IBM System i, and import it as a CA certificate using the following instructions:
12. Repeat this process for each intermediate CA certificate in the certification path.
13.Import the server certificate.

[{"Product":{"code":"SWG60","label":"IBM i"},"Business Unit":{"code":"BU009","label":"Systems - Cognitive"},"Component":"Communications-TCP","Platform":[{"code":"PF012","label":"IBM i"}],"Version":"5.4.0;5.4.5;6.1.0;6.1.1","Edition":""},{"Product":{"code":"SSC3X7","label":"IBM i 6.1"},"Business Unit":{"code":"BU009","label":"Systems - Cognitive"},"Component":" ","Platform":[{"code":"","label":""}],"Version":"","Edition":""}]

Historical Number

457540658

Document Information

Modified date:
18 December 2019

UID

nas8N1014239