How To
Summary
This technote explains how to resolve the error stating that the *SYSTEM store is empty.
Environment
Using the system debugger in the latest versions Visual Studio Code for i features requires SSL (TLS) connections. In order to set that up, perform the following steps in Navigator for i:
- Select 'Network', then 'Servers', then 'TCP/IP Servers'.
- Right-click on 'System Debugger' and select the action 'Regenerate Debug Service Trust Store'.
- Sign in with the password for the *SYSTEM certificate store.
If you receive an error stating that the *SYSTEM store is empty, the error is a bit misleading. It doesn't mean that the store is completely empty, it means that it found no client or server certificates (likely only finding Certificate Authority certificates).
To investigate this further, you need to log in to DCM (Digital Certificate Manager). There is a link for it in the Navigator for i 'Bookmarks' section, select this link and log in to DCM. Within DCM select the 'Open Certificate Store' option and select *SYSTEM. Click the filter icon and select only the 'Server/Client Certificate' option as showing in the following screen capture.
If the error is correct, it will show no certificates and you will need to create one.
If you want to avoid having to paying for the certificate, you will need to create it as a self-signed certificate. That is, one that is signed by a locally created certificate authority. You can use the filter to show only 'Certificate Authority' certificates. If you only see ones that say, VeriSign, Symantec, RapidSSL, Thawte, Go Daddy, etc. those are not self-signed. Self-signed CAs have a name that startw with LOCAL_CERTIFICATE_AUTHORITY_. If you have one and it is valid (not expired, not using obsolete ciphers) continue to the next section on Creating Server Certificate.
Creating A Local Certificate Authority
To create a self-signed CA, click the 'Open Certificate Store' option on the left, select 'Local CA' and provide the password for the certificate store.
Click the 'Create' button. All of the fields with a red 'X' next to them are required. If you have a question about what the field is for, click the '?' button in the upper right corner of the page. Select a modern 'Key Algorithm and Size', and 'Hash Algorithm' value. Select a reasonable validity period in days (1068 for example). With all of the required fields filled in, click the 'Create' button to create a local CA. With a local CA in place, we can move on to create the Server Certificate.
Creating A Server Certificate
In DCM click the *SYSTEM store on the left side (we opened it earlier, if it isn't listed, select 'Open Certificate Store' and select *SYSTEM). Click the 'Create' button near the top of the screen, then select 'Local CA' for the type. Select your local CA from the 'Local CA' list. All of the fields with a red 'X' next to them must be filled in. The Label can be any unique name, I recommend making CA or Certificate_Authority part of the label to easily distinguish the type of certificate. For the common name, use the fully qualified host name of the system (CFGTCP option 12 to view what that is set to). Also select the 'Domain Name Address' and 'IPv4 Address' options after the 'Subject Alternative Name' and provide the fully qualified host name for the former and all of the active IP interfaces (CFGTCP option 12, F11 to view them) for the latter options. Click 'Create' to complete the creation. Note that you do not need to assign this certificate to any applications to use it with the system debugger. If you want to use it for secure connections with FTP or the host servers, assign the certificate to those applications.
Related Information
Document Location
Worldwide
[{"Type":"MASTER","Line of Business":{"code":"LOB68","label":"Power HW"},"Business Unit":{"code":"BU070","label":"IBM Infrastructure"},"Product":{"code":"SWG60","label":"IBM i"},"ARM Category":[{"code":"a8m0z0000000CGhAAM","label":"Digital Certificate Manager-\u003ECommon Errors"}],"ARM Case Number":"","Platform":[{"code":"PF012","label":"IBM i"}],"Version":"6.1.0;7.1.0;7.2.0;7.3.0;7.4.0;7.5.0;7.6.0"}]
Was this topic helpful?
Document Information
Modified date:
24 July 2025
UID
ibm17240599