IBM Support

How To Import Personal Certificates Into a Digital Certificate Manager Keystore on the IBM i OS

How To


Summary

This document describes how to import a personal (server or client) certificate, together with the CA certificates in its chain, into a Digital Certificate Manager (DCM) keystore, specifically *SYSTEM, on the IBM i OS.

Environment

IBM i OS
New Digital Certificate Manager - IBM i 7.3, 7.4, & 7.5 ONLY!
The Digital Certificate Manager (DCM) has added a new GUI that simplifies and improves certificate management on IBM i.
  • http://server:2006/dcm
  • https://server:2007/dcm
New Digital Certificate Manager GUI
https://www.ibm.com/support/pages/node/6172821

Required PTFs:
IBM i 7.5 - Included in GA code levels
IBM i 7.4 - SI71936 is the primary DCM PTF; however, all PTFs listed under "System TLS enhancements to the TLSv1.3 and TLSv1.2 protocols" should also be applied to ensure a seamless user experience.
IBM i 7.3 - SI72421 is the primary DCM PTF; however, all PTFs listed under "IBM i 7.3 System TLS support for Transport Layer Security version 1.3 (TLSv1.3)" must also be applied to ensure a seamless user experience.
Heritage Digital Certificate Manager - All IBM i versions
  • http://server:2001/QIBM/ICSS/Cert/Admin/qycucm1.ndm/main0
  • https://server:2010/QIBM/ICSS/Cert/Admin/qycucm1.ndm/main0

Steps

NOTE:  If you have not created a certificate signing request (CSR) in your DCM *SYSTEM certificate store, you will normally need to do so before the new certificate is issued by your third-party certificate authority, because the private key the certificate belongs to is generated and kept with the request in DCM.  If the certificate is a true renewal of an existing certificate, you can first try checking the box next to "Automatically Renewed Certificate" when importing your server/client certificate.  A certificate is a true renewal when all of the certificate information, including the public key, remains the same except for the validity period.  In addition, the certificate chain must remain the same.
Here are a couple of documents on how to create a new CSR in DCM.  After the CSR is created, supply the CSR data to your third-party certificate authority for use when issuing the new certificate.
How do I create a TLS server certificate issued by an Internet Certificate Authority?
How do I renew a certificate from an Internet Certificate Authority?

Extract the Root and Intermediate CA certificates from the personal certificate

1) Identify all certificates in the personal certificate chain.
Double-click the personal certificate *.cer or *.crt file on your PC to open it in the Windows Crypto Shell Extensions certificate viewer.  If your file is a *.pem or *.arm, rename it to *.cer or *.crt so that Windows opens it with the viewer automatically.
After the certificate information is displayed, click the Certification Path tab.
2) Extract the Root CA certificate first (1st in the list) and then the Intermediate CA certificate (2nd in the list).
3) Double-click the first certificate or Root CA listed in the tree.
image 12163
4) Click the Details tab.
5) Click the Copy to File... button.
image 12164
6) Click Next on the Welcome to the Certificate Export Wizard screen.
7) Select the Base-64 encoded X.509 (.CER) option.
8) Browse and select a location and file name you want to export.
e.g. C:\Users\<WindowsUser>\Downloads\CA1.cer
9) Click the Save button.
10) Click the Next button.
11) Click the Finish button.
12) You will see a pop-up box stating "The export was successful."
13) Click the OK button.
14) Repeat steps 3-13 for the 2nd, or Intermediate, CA certificate in the tree (CA2.cer) if applicable.  Typically, a personal certificate is signed by an Intermediate Certificate Authority, which in turn is signed by the Root Certificate Authority you extracted in the previous pass.
image 12175
15) After you have extracted the Root CA (CA1.cer) and Intermediate CA (CA2.cer) certificates from the personal certificate, you need to get them onto the IBM i server so they can be imported into your Digital Certificate Manager keystore: either upload them with the certificate upload feature of the new Digital Certificate Manager application (IBM i 7.3, 7.4, and 7.5), or transfer them manually by FTP or another file transfer tool in ASCII mode, since Base-64 encoded certificates are text files.
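Many certificate authorities deliver the chain as a single PEM bundle rather than as the separate files the Windows wizard above produces. The following script is added here as an example; it is not part of the IBM document and not IBM i code. It splits such a bundle into one Base-64 X.509 file per certificate, links the files by issuer and subject name to print the order DCM expects (Root CA, then Intermediate CA, then the server/client certificate), and verifies the chain with openssl before anything is transferred to the IFS. It runs on the administrator's workstation or any host with openssl. The make_demo_bundle function builds a throwaway root/intermediate/server chain as constructed sample input; all function and file names are the example's own.

```shell
#!/bin/sh
# Added example, not from the IBM page: split a CA-supplied PEM bundle into one
# file per certificate, print the order DCM needs (root CA, intermediates, then
# the server/client certificate) and verify the chain before the files are
# transferred to the IBM i IFS. Requires openssl; paths must not contain spaces.
set -eu

# Split a PEM bundle into cert-1.cer, cert-2.cer, ... under $2 and print the file
# names in bundle order. Text outside BEGIN/END (bag attributes, comments) is
# dropped, so each output file is a clean Base-64 X.509 certificate.
split_pem_bundle() {
    bundle=$1; outdir=$2
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%d.cer", dir, n); inside = 1 }
        inside { print > f }
        /-----END CERTIFICATE-----/ { inside = 0; close(f); print f }
    ' "$bundle"
}

cert_subject() { openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//'; }
cert_issuer()  { openssl x509 -in "$1" -noout -issuer  | sed 's/^issuer= *//'; }

# Print the certificate files in DCM import order: root CA first, leaf last.
# Links are made by issuer/subject name, which suffices for an ordinary single
# chain; cross-signed or duplicate-named CAs need a manual look.
dcm_import_order() {
    leaf=""
    for c in "$@"; do                  # the leaf is the one nobody names as issuer
        s=$(cert_subject "$c"); is_parent=0
        for d in "$@"; do
            if [ "$d" != "$c" ] && [ "$(cert_issuer "$d")" = "$s" ]; then is_parent=1; fi
        done
        if [ "$is_parent" -eq 0 ]; then leaf=$c; fi
    done
    [ -n "$leaf" ] || { echo "no end-entity certificate found in bundle" >&2; return 1; }
    cur=$leaf; ordered=""; hops=0
    while :; do                        # walk leaf -> root, prepending each hop
        ordered="$cur${ordered:+ $ordered}"
        iss=$(cert_issuer "$cur")
        if [ "$iss" = "$(cert_subject "$cur")" ]; then break; fi   # self-signed root
        next=""
        for d in "$@"; do
            if [ "$(cert_subject "$d")" = "$iss" ]; then next=$d; fi
        done
        [ -n "$next" ] || { echo "issuer of $cur is not in the bundle: $iss" >&2; return 1; }
        hops=$((hops + 1))
        [ "$hops" -le 10 ] || { echo "chain does not terminate in a root" >&2; return 1; }
        cur=$next
    done
    echo "$ordered"
}

# Verify the chain as DCM will evaluate it: leaf signed by the intermediates and
# anchored on the root. Arguments in import order (root ... leaf).
verify_chain() {
    root=$1; shift
    [ $# -ge 1 ] || set -- "$root"     # a lone self-signed certificate
    untrusted=""
    while [ $# -gt 1 ]; do untrusted="$untrusted -untrusted $1"; shift; done
    # shellcheck disable=SC2086        # $untrusted is a deliberately word-split option list
    openssl verify -CAfile "$root" $untrusted "$1"
}

# Constructed sample input: a throwaway root -> intermediate -> server chain,
# bundled in the order CAs usually deliver it (server certificate first, root last).
make_demo_bundle() {
    d=$1; mkdir -p "$d"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    for n in root inter server; do
        openssl req -new -newkey rsa:2048 -nodes -keyout "$d/$n.key" -out "$d/$n.csr" \
            -subj "/CN=Demo $n" 2>/dev/null
    done
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -extfile "$d/ca.ext" \
        -days 2 -out "$d/root.cer" 2>/dev/null
    openssl x509 -req -in "$d/inter.csr" -CA "$d/root.cer" -CAkey "$d/root.key" -CAcreateserial \
        -extfile "$d/ca.ext" -days 2 -out "$d/inter.cer" 2>/dev/null
    openssl x509 -req -in "$d/server.csr" -CA "$d/inter.cer" -CAkey "$d/inter.key" -CAcreateserial \
        -days 2 -out "$d/server.cer" 2>/dev/null
    cat "$d/server.cer" "$d/inter.cer" "$d/root.cer" > "$d/bundle.pem"
    echo "$d/bundle.pem"
}

# Usage: sh split_chain.sh bundle.pem [outdir]   or   sh split_chain.sh --demo
if [ $# -ge 1 ]; then
    if [ "$1" = "--demo" ]; then set -- "$(make_demo_bundle "$(mktemp -d)")"; fi
    set -- $(split_pem_bundle "$1" "${2:-$(dirname "$1")/split}")
    order=$(dcm_import_order "$@")
    echo "DCM import order: $order"
    verify_chain $order
fi
```

The printed order is the order in which to run the DCM import steps that follow. Transfer each file in ASCII mode as described above and confirm on the IBM i side that it still begins with -----BEGIN CERTIFICATE-----; a chain that fails openssl verify on the workstation will not import cleanly into DCM either.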

How to upload using the new Digital Certificate Manager Upload feature

1) Open a web browser and go to the NEW Digital Certificate Manager application URL:
  • http://server:2006/dcm
  • https://server:2007/dcm
2) Sign in with your IBM i user profile credentials.  *SECADM, *ALLOBJ, and *IOSYSCFG special authorities are required to access the IBM i Digital Certificate Manager web application.
3) Click on Upload Certificate on the left menu.
image 12186
4) Click on the Choose File grey button and select the Root CA, Intermediate CA, and personal certificate one-at-a-time to upload them to the /QIBM/UserData/ICSS/Cert/Upload IFS directory on your IBM i server.
5) Select your *.cer, *.crt, *.pem, etc. certificate file you want to upload and click the Open button.
6) Then, click the Upload button to complete the upload of the certificate file.
image 12190
7) Repeat steps 4-6 for your Root CA, Intermediate CA, and personal certificates in the certificate chain.
8) You will now see the certificates listed and available for import under the Certificates section under the Upload Certificate view.
image 12191

How to import the certificate chain into your Digital Certificate Manager keystore

NEW DIGITAL CERTIFICATE MANAGER

1) Open a web browser and go to the NEW Digital Certificate Manager application URL:
  • http://server:2006/dcm
  • https://server:2007/dcm
2) Sign in with your IBM i user profile credentials.  If you are already signed in, proceed to the next step.
*SECADM, *ALLOBJ, and *IOSYSCFG special authorities are required to access the IBM i Digital Certificate Manager web application.
image 12192
3) Click on the Open Certificate Store link under Actions.
4) Click on the *SYSTEM store, enter your certificate store password, and click on Open.
If you do not know the password, you can click Reset Password to change it.  NOTE:  This may affect ADMIN, IAS, and IWS application server TLS configurations that specify DCM as their keystore.  Ensure you have your security administrator's approval before resetting Digital Certificate Manager keystore passwords.
5) If you are able to successfully authenticate to the *SYSTEM store, a green message will display in the top-right corner of the page and the list of Server/Client Certificates will be displayed.
image 12145
6) Click the Import link under Certificates.
7) Click the Certificate Authority (CA) certificate type.
8) Click the Browse Uploads link under the Path field.
NOTE:  If you manually uploaded the certificates to your IBM i server, you can also use the Browse link under the Path field.
9) A list of uploaded certificates that reside in /QIBM/UserData/ICSS/Cert/Upload will be displayed.  If you previously uploaded the Root CA, Intermediate CA, and personal certificates using the new Upload Certificate feature, you should see these certificates listed.
10) Click the radio button next to the Root CA file (CA1.cer), or the Intermediate CA file (CA2.cer) on the second pass, and click the Select link.
11) Click the Continue link.
12) Specify a unique label name that doesn't already exist in the *SYSTEM keystore.
e.g. MyAppRootCA or MyAppInterCA
13) Click the Import link to complete the import certificate process.
A green pop-up message is displayed if the certificate import succeeded.
image 12211
If the import was unsuccessful, please take note of the following import errors and what they mean.
image 12193
This error indicates the certificate has already been imported or another certificate is already using the same certificate label name.  You would want to verify if the certificate already exists in the *SYSTEM certificate store and if any other certificates are using the same label name specified.  If you find the certificate already exists, you can simply move onto importing the Intermediate CA certificate.  If you find an existing certificate is using the same label, try the import again using a different label value.
image 12197
This error indicates one or more parent CA certificates need to be imported first before this CA certificate can be imported. If the parent CA has already been imported, it may need to be enabled.  You must import the certificates in the certificate chain order beginning with importing the Root CA first, then the Intermediate CA, and then the personal or server/client certificate last.  Refer to the section "Extract the Root and Intermediate CA certificates from the personal certificate" above to ensure you have extracted the Root and Intermediate CA certificates.  You will need to import the Root CA certificate first and then the Intermediate CA certificate.  The very last certificate imported will be the server or client certificate.
14) Repeat steps 6-13 to import your Intermediate CA (CA2.cer) certificate.
15) After the Root CA (CA1.cer) and Intermediate CA (CA2.cer) certificates have been imported, you would import the personal aka "server or client" certificate last.
16) Click the Import link under Certificates.
17) Click Server or Client for Certificate Type.  (If the certificate is a true renewal and you did not create a CSR first, you can try clicking the "Automatically Renewed Certificate" box when importing your Server or Client certificate.)
18) Click the Browse Uploads link under the Path field.
NOTE:  If you manually uploaded the certificates to your IBM i server, you can also use the Browse link under the Path field.
19) A list of uploaded certificates that reside in /QIBM/UserData/ICSS/Cert/Upload will be displayed.  If you previously uploaded the Root CA, Intermediate CA, and personal certificates using the new Upload Certificate feature, you should see these certificates listed.
20) Click the radio button next to the personal certificate file and click the Select link.
21) Click the Continue link.
22) Specify a unique label name that doesn't already exist in the *SYSTEM keystore.
e.g. MyAppPersonalCA_YYYY
23) Click the Import link to complete the import certificate process.
A green pop-up message is displayed if the certificate import succeeded.
image 12210
If the import was unsuccessful, please take note of the following import errors and what they mean.
image 12195
This error indicates a matching certificate request for the personal certificate being imported cannot be found.  Either a personal certificate request was not created in the Digital Certificate Manager keystore ahead of time or the new personal certificate was not correctly keyed based on the certificate request (CSR).  To resolve this error, you will need to create a new certificate request in Digital Certificate Manager and have the personal certificate keyed off of this request OR you can obtain the personal certificate in a *.p12 or *.pfx PKCS12 keystore with a password assigned and use this file to import the personal certificate into your Digital Certificate Manager keystore.

image 12205
This error indicates one or more parent CA certificates need to be imported first before this personal certificate can be imported.  If the parent CA has already been imported, it may need to be enabled.  You must import the certificates in certificate chain order, beginning with the Root CA, then the Intermediate CA, and then the personal or server/client certificate last.  Refer to the section "Extract the Root and Intermediate CA certificates from the personal certificate" above to ensure you have extracted the Root and Intermediate CA certificates.  Import the Root CA certificate first and then the Intermediate CA certificate; the very last certificate imported is the server or client certificate.
24) You can now assign the certificate to any server or client application.

HERITAGE DIGITAL CERTIFICATE MANAGER

1) Open a web browser and go to the Heritage Digital Certificate Manager application URL:
  • http://server:2001/QIBM/ICSS/Cert/Admin/qycucm1.ndm/main0
  • https://server:2010/QIBM/ICSS/Cert/Admin/qycucm1.ndm/main0
2) Sign in with your IBM i user profile credentials.  If you are already signed in, proceed to the next step.
*SECADM, *ALLOBJ, and *IOSYSCFG special authorities are required to access the IBM i Digital Certificate Manager web application.

3) Click the Select a Certificate Store button on the left.
image 12207
4) Select the *SYSTEM certificate store. 
image 12206
If the *SYSTEM certificate store does not exist, you will need to create it using Create New Certificate Store.
5) Click the Continue button.
6) Enter your certificate store password, and click the Continue button.
If you do not know the password, you can click Reset Password to change it.  NOTE:  This may affect ADMIN, IAS, and IWS application server TLS configurations that specify DCM as their keystore.  Ensure you have your security administrator's approval before resetting Digital Certificate Manager keystore passwords.
7) Once authenticated, you will see a Fast Path section on the left.
8) Expand Fast Path and click Work with CA certificates.
image 12238
9) Scroll down and click the Import button.
10) Specify the full IFS path to the Root CA certificate (e.g. /home/CA1.cer) you extracted at the beginning of this document.
NOTE:  The entire certificate chain must be transferred to the IBM i IFS (e.g. /home) before the certificates can be imported using the Heritage Digital Certificate Manager web application.
image 12239
11) Click the Continue button.
12) Specify a unique CA certificate label.  It is advised to specify a label name that helps you uniquely identify this certificate and the application it is used by.
e.g. MyAppRootCA or MyAppInterCA
13) Click the Continue button.
14) A green message will display indicating, "The certificate has been imported."
image 12209
If the import was unsuccessful, please take note of the following import errors and what they mean.
image 12214
This error indicates the certificate has already been imported or another certificate is already using the same certificate label name.  You would want to verify if the certificate already exists in the *SYSTEM certificate store and if any other certificates are using the same label name specified.  If you find the certificate already exists, you can simply move onto importing the Intermediate CA certificate.  If you find an existing certificate is using the same label, try the import again using a different label value.
image 12216
This error indicates one or more parent CA certificates need to be imported first before this CA certificate can be imported.  If the parent CA has already been imported, it may need to be enabled.  You must import the certificates in the certificate chain order beginning with importing the Root CA first, then the Intermediate CA, and then the personal or server/client certificate last.  Refer to the section "Extract the Root and Intermediate CA certificates from the personal certificate" above to ensure you have extracted the Root and Intermediate CA certificates.  You will need to import the Root CA certificate first and then the Intermediate CA certificate.  The very last certificate imported will be the server or client certificate.

15) Repeat steps 8-14 for each Root CA and Intermediate CA certificate.
16) Expand Fast Path and click Work with server and client certificates.
image 12237
17) Scroll down and click the Import button.
18) Specify the full IFS path to the personal certificate (e.g. /home/certificate.cer) you want to import.
NOTE:  The personal certificate must be transferred to the IBM i IFS (e.g. /home) before it can be imported using the Heritage Digital Certificate Manager web application.
image 12240
19) Click the Continue button.
20) Specify a unique certificate label if prompted.  You will not be prompted to specify a certificate label when using a certificate request.  The label will be the label used when creating the certificate request.
It is advised to specify a label name that helps you uniquely identify this certificate and the application it is used by.
e.g. MyAppCertificate
21) Click the Continue button.
22) A green message will display indicating, "The certificate has been imported."
image 12219
If the import was unsuccessful, please take note of the following import errors and what they mean.
image 12214

This error indicates the certificate has already been imported or another certificate is already using the same certificate label name.  Verify whether the personal certificate already exists in the *SYSTEM certificate store and whether any other certificate is using the label specified.  If the personal certificate already exists, there is nothing more to import and you can proceed to assigning it to applications.  If an existing certificate is using the same label, try the import again with a different label value.
image 12217
This error indicates one or more parent CA certificates need to be imported first before this personal certificate can be imported.  If the parent CA has already been imported, it may need to be enabled.  You must import the certificates in the certificate chain order beginning with importing the Root CA first, then the Intermediate CA, and then the personal or server/client certificate last.  Refer to the section "Extract the Root and Intermediate CA certificates from the personal certificate" above to ensure you have extracted the Root and Intermediate CA certificates.  You will need to import the Root CA certificate first and then the Intermediate CA certificate.  The very last certificate imported will be the server or client certificate.
image 12218
This error indicates a matching certificate request for the personal certificate being imported cannot be found.  Either a personal certificate request was not created in the Digital Certificate Manager keystore ahead of time or the new personal certificate was not correctly keyed based on the certificate request (CSR).  To resolve this error, you will need to create a new certificate request in Digital Certificate Manager and have the personal certificate keyed off of this request OR you can obtain the personal certificate in a *.p12 or *.pfx PKCS12 keystore with a password assigned and use this file to import the personal certificate into your Digital Certificate Manager keystore.

23) You can now assign the certificate to any server or client application.
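Both descriptions of the "matching certificate request cannot be found" error above (in the new DCM and the Heritage DCM sections) come down to one fact: the public key in the certificate is not the one in the CSR that DCM generated. The following script is added here as an example; it is not part of the IBM document and not IBM i code. It checks that condition before an import is attempted, by comparing the public key in the certificate with the one in the CSR (or in a private key), and it shows the PKCS#12 fallback the page mentions: packaging the certificate, its matching private key and the CA chain into a password-protected .p12 file that DCM imports as a server or client certificate. It requires openssl and runs wherever the key material is held. The make_demo function builds constructed sample keys and certificates; function names, file names and the P12_PASS variable are the example's own.

```shell
#!/bin/sh
# Added example, not from the IBM page: before importing a server/client
# certificate into DCM, confirm it was issued against the CSR generated there
# (same public key); if not, DCM reports that no matching certificate request
# exists. The fallback is a password-protected PKCS#12 (.p12) holding the
# certificate, its private key and the CA chain. Requires openssl.
set -eu

# SHA-256 of the PEM public key extracted from a certificate, a CSR or a private
# key, so the three can be compared with plain string equality.
pubkey_fp() {   # $1 = x509 | req | pkey, $2 = file
    pem=$(case $1 in
        x509) openssl x509 -in "$2" -noout -pubkey ;;
        req)  openssl req  -in "$2" -noout -pubkey ;;
        pkey) openssl pkey -in "$2" -pubout ;;
    esac 2>/dev/null)
    [ -n "$pem" ] || { echo "pubkey_fp: no public key readable from $2" >&2; return 1; }
    printf '%s\n' "$pem" | openssl dgst -sha256 | sed 's/^.*= //'
}

# 0 when the certificate carries the public key from the CSR, i.e. the CA really
# issued it against your request. Anything else is what DCM rejects.
cert_matches_csr() {
    a=$(pubkey_fp x509 "$1") && b=$(pubkey_fp req "$2") && [ -n "$a" ] && [ "$a" = "$b" ]
}
cert_matches_key() {
    a=$(pubkey_fp x509 "$1") && b=$(pubkey_fp pkey "$2") && [ -n "$a" ] && [ "$a" = "$b" ]
}

# PKCS#12 fallback for DCM: certificate + matching private key + CA chain under
# one password (DCM prompts for it on import). The password is read from
# P12_PASS and handed to openssl via the environment, not the command line, so
# it does not appear in the process list.
build_pkcs12() {   # $1 = cert, $2 = key, $3 = chain PEM or "", $4 = output .p12
    pass=${P12_PASS:?set P12_PASS to the export password}
    cert_matches_key "$1" "$2" || { echo "build_pkcs12: key does not belong to $1" >&2; return 1; }
    chain_opt=""
    if [ -n "$3" ]; then chain_opt="-certfile $3"; fi
    # shellcheck disable=SC2086      # $chain_opt is a deliberately word-split option
    P12_PASS="$pass" openssl pkcs12 -export -in "$1" -inkey "$2" $chain_opt \
        -passout env:P12_PASS -out "$4"
}

# 0 when the .p12 opens with the given password (its MAC verifies).
pkcs12_opens() {   # $1 = .p12 file, $2 = password
    P12_PASS="$2" openssl pkcs12 -in "$1" -passin env:P12_PASS -nokeys -noout 2>/dev/null
}

# Constructed sample input: "good" is a key + CSR with a self-signed certificate
# issued from that CSR; "other" is a certificate for a different key, the case
# DCM reports as having no matching certificate request.
make_demo() {   # $1 = working dir
    d=$1; mkdir -p "$d"
    for n in good other; do
        openssl req -new -newkey rsa:2048 -nodes -keyout "$d/$n.key" -out "$d/$n.csr" \
            -subj "/CN=myhost.example.com" 2>/dev/null
        openssl x509 -req -in "$d/$n.csr" -signkey "$d/$n.key" -days 2 -out "$d/$n.cer" 2>/dev/null
    done
}

# Usage: sh check_issued_cert.sh server.cer server.csr
if [ $# -ge 2 ]; then
    if cert_matches_csr "$1" "$2"; then
        echo "OK: $1 was issued against $2"
    else
        echo "MISMATCH: $1 was not issued against $2; DCM will not match it to the request" >&2
        exit 2
    fi
fi
```

The PKCS#12 route only applies when the private key is held outside DCM (for example, the CSR was generated with openssl rather than in DCM); a certificate keyed to a DCM-generated request has no exportable key to package. If the importing system refuses a .p12 produced by OpenSSL 3, re-export it with the -legacy option, which uses the older PBE algorithms.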

Document Location

Worldwide


Document Information

Modified date:
09 June 2023

UID

ibm16515666