Question & Answer
Question
This technote provides steps to properly export or import your local CA certificate or server (client) certificate within an updated DCM GUI environment between two IBM i LPARs.
Cause
This document assumes that the DCM environment contains the local CA and the *SYSTEM store.
For importing and exporting the server (client) certificate or local CA within Heritage DCM refer to this page:
If you need assistance with creating, importing or administering digital certificates, refer to our frequently asked questions for DCM (Digital Certificate Manager):
DCM Frequently Asked Questions:
Heritage DCM Questions:
Answer
Exporting a server (client) certificate or CA certificate from the source DCM environment.
Step 1. Access the source DCM environment.
Non-SSL method:
http://ip:2006/dcm
SSL method:
https://ip:2007/dcm
If DCM is inaccessible, refer to this link.
Step 2. Login to the *SYSTEM store.
Click on "Open Certificate Store", then select "*SYSTEM".

Step 3. Locate the server (client) certificate or CA certificate that you want to export.
A) Click on the "+" icon on the lower right corner.

B) Next, click on the "Export" button.

Step 4. You need to provide the location where you would like the server (client) or CA certificate placed.
Note: The certificate export options are File, Store or Download. The File option allows placement of certificates into any IFS location. The Store option exports the certificate and immediately imports it into another CMS keystore. If you select "Download", your certificate is placed in this location:
/QIBM/UserData/ICSS/Cert/Download
In this example we select "Download" option.
For an optional CA Certificate, take these steps.
Add a file and extension name for your CA certificate. In this example we use myCA.cer. Then, click "Export".

For an optional server (client) certificate, take these steps.
We want to include the private key in our PFX file. Select the "Include Private Key" checkbox. Next, provide a file and extension name. In this scenario we are using mycertificate.pfx. Then, click "Export".

We have now exported the certificate(s) to the download location:
/QIBM/UserData/ICSS/Cert/Download
Step 5. Download the certificate onto your Windows PC by clicking on the "Download Certificate" link on the left side of the screen.

Next, select the server (client) certificate or CA certificate you wish to download. When you click "Download", your certificate(s) will be placed in this location on your Windows PC: C:\Users\<yourUserName>\Downloads
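A check that can be run on the Windows PC after Step 5 and before the upload in Step 7, added here as an example (it is not part of IBM's technote or of DCM): it opens the two files exported in this example, myCA.cer and mycertificate.pfx, and reports subject, expiry, thumbprint and whether the PFX really carries the private key. It assumes PowerShell on Windows with .NET Framework 4.7.2 or later; the helper name Get-ExportSummary is hypothetical.

```powershell
# Added example (not IBM code). File names are the ones this technote uses.
$downloads = Join-Path $env:USERPROFILE 'Downloads'
$caFile    = Join-Path $downloads 'myCA.cer'
$pfxFile   = Join-Path $downloads 'mycertificate.pfx'

# Hypothetical helper: one report row per exported file.
function Get-ExportSummary {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert
    )
    [pscustomobject]@{
        File          = Split-Path $Path -Leaf
        Subject       = $Cert.Subject
        Issuer        = $Cert.Issuer
        NotAfter      = $Cert.NotAfter
        Expired       = $Cert.NotAfter -lt (Get-Date)
        HasPrivateKey = $Cert.HasPrivateKey
        Thumbprint    = $Cert.Thumbprint
        FileSha256    = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    }
}

$rows = @()

if (Test-Path $caFile) {
    # A .cer export holds only the public certificate, so no password is needed.
    $ca = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($caFile)
    $rows += Get-ExportSummary -Path $caFile -Cert $ca
}

if (Test-Path $pfxFile) {
    # EphemeralKeySet keeps the private key in memory only; nothing is written
    # to the Windows key store while the file is inspected.
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::EphemeralKeySet
    $pw    = Read-Host -AsSecureString 'Password for mycertificate.pfx'
    $cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($pfxFile, $pw, $flags)
    $rows += Get-ExportSummary -Path $pfxFile -Cert $cert
    if (-not $cert.HasPrivateKey) {
        Write-Warning 'mycertificate.pfx has no private key; re-export with "Include Private Key" selected.'
    }
    $cert.Dispose()
}

$rows | Format-List
```

Once the import in Step 9 succeeds, the copy of mycertificate.pfx left in Downloads still contains the private key and can be deleted.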

Importing the server (client) certificate or CA certificate into a different DCM environment.
Step 6. Open the updated DCM URL on the target machine.
Non-SSL method:
http://ip:2006/dcm
SSL method:
https://ip:2007/dcm
If DCM is inaccessible, refer to this link.
Step 7. Click on "Upload Certificate" on the left hand side of the DCM page.

Note: If you have recently downloaded a server/client certificate or a CA certificate to your Windows PC, it should be located at C:\Users\<yourUserName>\Downloads. Otherwise you may need to browse your Windows PC folders to locate the certificate(s) you wish to upload.
Click on "Choose File". Locate the server/client certificate or CA certificate that you wish to upload. Select the certificate file and then click "Open". Click on the "Upload" link.

Note: All uploaded files using this method will store the certificates in this IFS location:
/QIBM/UserData/ICSS/Cert/Upload
Upon successful upload you should see this confirmation in the upper right hand corner in DCM:

Step 8. Login to the *SYSTEM Store that you just uploaded the certificate(s) into.
Click on "Open Certificate Store" then, select "*SYSTEM".

Step 9. Importing the new server (client) certificate or CA certificate.
A) Click on the "Import" link.

B) Select either server (client) certificate or CA certificate. Ensure you select the correct link for the respective certificate type.

Note: If you recently uploaded the certificate(s) into DCM using the DCM GUI, then click on "Browse Uploads" to locate your certificate(s). If you have uploaded your certificates using FTP or another method, you can choose "Browse" to search the IFS.
C) Click on the certificate of choice. Then, click the "Select" button.

D) Next click on "Continue".

E) Finally, click on the "Import" button. If you are importing a server (client) certificate, it will ask you for a password for the file. For CA certificates it will ask you for a unique label. Upon a successful import, you will see an "Import Successful" message in the upper left of the DCM screen.

Congratulations! You have successfully moved your server (client) or CA certificate(s) from a source IBM i system to a target system using the updated DCM GUI interface.
Document Information
Modified date:
26 April 2025
UID
ibm17006531