IBM Support

New REST APIs to manage digital certificates



Remote System Explorer APIs to manage digital certificates


You are in: Welcome to IBM RSE API for i Technology Updates >  New REST APIS to manage digital certificates

What is it?

The Remote System Explorer (RSE) APIs have been enhanced to include new REST APIs to manage digital certificates and get information about TLS levels on the IBM i server.  A new category of services, called Security Services, has been created and contain the various security APIs shown in the following figure:
The new security APIs can be further sub-categorized as follows:
  • Digital certificate related APIs
    These APIs enables you to list certificates in certificate stores, get detailed information about certificates, delete certificates, import and export certificates.  You can also change certificate store passwords.
  • Application definition APIs
    These APIs enables you to list application definitions, associate/disassociate certificates to/from application definitions. In addition, you can add and remove certificate authority (CA) digital certificates from the application definition CA trust list. 
  • TLS APIs
    These APIs provide information about transport layer security (TLS) attributes and statistics for the system.
Here are some points to be aware of:
  • The DCM (those APIs with '/dcm/' in the API path) APIs only work on CMS certificate stores.  The IBM i system certificate stores are of type CMS.
  • All DCM APIs require *ALLOBJ and *SECADM special authorities.
  • Only server/client and CA certificates can be exported from a certificate store.  Certificates can be exported in the DER, PEM, or PKCS12 formats. A server/client or CA certificate that is to include the private key must be exported in the PKCS12 format. CA certificates without private keys cannot be exported in the PKCS12 format.
  • Only sever/client and CA certificates can be imported to a certificate store. A certificate can be imported in the following formats: PKCS12, DER, or PEM. If the certificate to be imported includes a private key, then the PKCS12 format must be used.  If importing a CA certificate and the certificate includes a private key, the PKCS12 format must be used, and the certificate type must be set to SERVER_CLIENT. When importing CA certificate that do not contain a private key, the PEM or DER format must be used.
  • You can change certificate store passwords either by passing in the current password or using the stash file.
  • The RSE API UI (https://host:2012/openapi/ui/) has more details and examples of the format of the API requests and responses.

Why use it?

Use can use the RSE APIs to automate digital certificate management remotely.


The support is enabled in the following PTFs:
V7R5M0 SI85817
V7R4M0 SI85818
V7R3M0 SI85819

[{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Product":{"code":"HW1A1","label":"IBM Power Systems"},"Component":"","Platform":[{"code":"PF012","label":"IBM i"}],"Version":"All Versions","Edition":"","Line of Business":{"code":"LOB57","label":"Power"}}]

Document Information

Modified date:
19 March 2024