IBM Support

How to extract CA certificates

Troubleshooting


Problem

Extracting a certificate; -23 issuer not trusted

Resolving The Problem

There are several ways to get the certificates from a remote server: Wireshark, OpenSSL, and the GETSSL utility are a few.

1. Wireshark Method


A) First get a trace of the connection:
TRCCNN SET(*ON) TRCTYPE(*IP) TRCTBL(SSL) SIZE(500 *MB) TCPDTA(*N () (990))
* Change 990 to whatever port the connection is going to.
B) Recreate the connection attempt.
C) End the trace:
TRCCNN SET(*OFF) TRCTBL(SSL) OUTPUT(*STMF) TOSTMF('/tmp/TRCCNN.cap' *YES)
* *STMF is for 710 with SI49669 and later releases. Earlier releases will need to use MooseTools; see DCF document N1014020, 'MooseTools Information and Help'.

D) Open the Wireshark trace and find the SSL Handshake

E) Decode the connection as SSL if needed: Analyze > Decode As

F) Filter for ssl.handshake.certificate or just look for Server Hello, Certificate

G) Expand the Secure Sockets Layer down to the Certificate entries; each one of these is a certificate, either the server's or a CA's

H) The top certificate is typically the server certificate and everything below it is a CA certificate

I) Select the first CA and select Export Packet Bytes, then save as .cer

J) Do the same for the other CAs

K) Open up the exported .cer file and go to the Details tab

L) Click on Copy to file and select Base 64

M) Give it a new file name and continue to the end


Now the CA file is in a Base64 format that can be imported into DCM. For information on how to import a CA in DCM, see DCF N1012543, and N1014798 for FTP SSL Client.

2. OpenSSL Method (5733SC1 is required)
A) Open a PASE shell by typing call qp2term
B) Connect to the remote host using the openssl command:
openssl s_client -connect fsgateway.aexp.com:21 -starttls ftp -showcerts > /home/ftps.txt
Change the host name and the port that follows it to where you want to connect.
C) Exit the PASE shell and open /home/ftps.txt


Certificate chain
0 s:/C=US/ST=New York/L=New York/O=American Express Company/OU=File Services/CN=fsgateway.aexp.com
i:/C=NL/L=Amsterdam/O=Verizon Enterprise Solutions/OU=Cybertrust/CN=Verizon Public SureServer CA G14-SHA2
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
1 s:/C=NL/L=Amsterdam/O=Verizon Enterprise Solutions/OU=Cybertrust/CN=Verizon Public SureServer CA G14-SHA2
i:/C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
2 s:/C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
i:/C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

D) Each certificate begins with -----BEGIN CERTIFICATE----- and ends with -----END CERTIFICATE-----. Typically the first one is the server certificate. Save each CA to a separate file and import it into DCM.
Now the CA file is in a Base64 format that can be imported into DCM. For information on how to import a CA in DCM, see DCF N1012543, and N1014798 for FTP SSL Client.
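
Step D done in one pass, as an added example that is not part of the IBM technote: a POSIX sh function (the names split_chain and sample_output are hypothetical) that splits the saved -showcerts output into one PEM file per chain entry and marks which CA is the self-signed root. It assumes awk and mktemp are available in the shell; the sample input is constructed with placeholder bodies, and the server certificate that s_client prints a second time after the chain is skipped.

```shell
# split_chain FILE OUTDIR: split saved `openssl s_client -showcerts` output
# into one PEM file per chain entry and print "<file> <role> <subject>".
split_chain() {
    mkdir -p "$2" || return 1
    awk -v out="$2" '
        # Chain header "N s:<subject>", followed by its issuer line "i:<issuer>"
        /^ *[0-9]+ s:/ { idx = $1; subj = $0; sub(/^ *[0-9]+ s:/, "", subj); next }
        /^ *i:/ && idx != "" && !inpem { iss = $0; sub(/^ *i:/, "", iss); next }
        /^-----BEGIN CERTIFICATE-----/ {
            if (idx == "") next   # server cert repeated after the chain: skip
            file = out "/" (idx + 0 == 0 ? "server-0.pem" : "ca-" idx ".pem")
            inpem = 1
        }
        inpem { print > file }
        /^-----END CERTIFICATE-----/ && inpem {
            close(file)
            # subject == issuer means self-signed, i.e. the root CA
            role = (idx + 0 == 0) ? "server" : (subj == iss ? "root" : "intermediate")
            print file, role, subj
            inpem = 0; idx = ""
        }
    ' "$1"
}

# Constructed sample output; placeholder bodies, not real certificates.
sample_output() {
cat <<'EOF'
 0 s:/O=Example Corp/CN=ftp.example.com
   i:/O=Example CA/CN=Example Issuing CA
-----BEGIN CERTIFICATE-----
CONSTRUCTEDSERVERBODY
-----END CERTIFICATE-----
 1 s:/O=Example CA/CN=Example Issuing CA
   i:/O=Example CA/CN=Example Root CA
-----BEGIN CERTIFICATE-----
CONSTRUCTEDINTERMEDIATEBODY
-----END CERTIFICATE-----
 2 s:/O=Example CA/CN=Example Root CA
   i:/O=Example CA/CN=Example Root CA
-----BEGIN CERTIFICATE-----
CONSTRUCTEDROOTBODY
-----END CERTIFICATE-----
Server certificate
-----BEGIN CERTIFICATE-----
CONSTRUCTEDSERVERBODY
-----END CERTIFICATE-----
EOF
}
tmp=$(mktemp -d) && sample_output > "$tmp/ftps.txt" && split_chain "$tmp/ftps.txt" "$tmp/chain"
```

The ca-N.pem files are the ones to import into DCM; if no entry is reported as root, the server did not send its root CA and that certificate has to be obtained separately.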

3. GETSSL utility method: see DCF doc N1010617


Document Information

Modified date:
02 April 2021

UID

nas8N1022188