IBM Support

Renewing a Third-Party SSL Certificate in Digital Certificate Manager (DCM)

Troubleshooting


Problem

This document demonstrates how to renew an SSL certificate issued by a third-party Internet Certificate Authority.

Resolving The Problem

NOTE: For instructions on how to perform this task using the updated Digital Certificate Manager for i GUI see the following documentation:

Heritage Digital Certificate Manager:

To renew a third-party SSL certificate, you first need to access the Digital Certificate Manager using the following URL (replace systemname with the name or IP address of the system):

http://systemname:2001/QIBM/ICSS/Cert/Admin/qycucm1.ndm/main0

1. In Digital Certificate Manager, click Select a Certificate Store on the left, select *SYSTEM, and click Continue.

Picture showing buttons to click within DCM

2. Sign into the *SYSTEM store (or if you do not remember the password, click Reset and it will allow you to change it to a new password).

3. On the left menu, expand Fast Path and click Work with server and client certificates.

Picture of 'Work with Server and client certificates' menu option

4. Click the radio button next to the certificate you would like to renew and click Renew at the bottom:

Picture showing where to select a certificate to renew

5. Select VeriSign or other Internet Certificate Authority (CA) and click Continue:

Picture of selecting 'Verisign or other Internet CA'

6. If you have subscribed to an automatic renewal service from your third-party CA, the CA will have sent you a new certificate automatically, without you needing to renew manually. If this is the case, select No - Import the renewed signed certificate from an existing file and click Continue. You will then be asked to provide the IFS path to the renewal file that you were sent.

If you have not subscribed to an automatic renewal service, you will need to select Yes - Create a new key pair for this certificate. Click Continue:

Picture of renewal options to create a private key pair or not

7. If you chose to create a new key pair, the next screen will pull in all the existing information from the certificate. You then need to give it a new unique certificate label and potentially change the key size if you would like it to be higher than the default of 1024. Once this is done, click Continue:

Picture of certificate renewal form

8. You should see a screen that looks like the following:



Highlight the block of text that begins with '-----BEGIN NEW CERTIFICATE REQUEST-----' and ends with '-----END NEW CERTIFICATE REQUEST-----'. This is the Certificate Signing Request (CSR). Copy it, paste it into a text editor such as Notepad on Windows, and save it. Once you leave this screen, you cannot see this data again. After the text is saved, click OK.

9. Go to the web site of the Certificate Authority that is going to issue the certificate (VeriSign, Thawte, and so on) and paste the CSR text you copied into their renewal form. You will be e-mailed a signed certificate.

10. Once you have the new certificate from the issuer, upload the file using FTP or a mapped drive to any directory in the IFS (not in QDLS). Next, go back into DCM > Fast Path > Work with server and client certificates, and click Import. Then type the path to the certificate that was uploaded earlier in this step.

Note: If you get an error that the issuer is not trusted or not in the store, you may need to import the Certificate Authority (CA) certificate first and then come back and import the server certificate. For steps on importing a CA, refer to document 8N1012543, How to Import a CA Certificate into Digital Certificate Manager:

Import

11. Assign the new certificate to whatever applications you would like to secure. Note: Some applications may need to be restarted for the change to take effect:

Select Applications
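A pre-import check for steps 7 through 10, run on the workstation where the CSR was saved. This is an added example, not IBM code: it confirms that the saved CSR uses an adequate key size and that the certificate returned by the CA carries the same public key, so the import in step 10 pairs with the key DCM generated. It assumes the `openssl` command is installed; the file names, the `MIN_BITS` threshold, and all function names are hypothetical.

```shell
#!/bin/sh
# Added example, not IBM code. File names are hypothetical and
# MIN_BITS is an assumed local policy, not a DCM setting.
MIN_BITS=${MIN_BITS:-2048}

# RSA key size in bits of the CSR saved in step 8.
csr_key_bits() {
    openssl req -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit.*/\1/p'
}

# SHA-256 of the DER public key inside a CSR ("req") or certificate ("x509").
pubkey_hash() {
    openssl "$1" -in "$2" -noout -pubkey |
        openssl pkey -pubin -outform DER |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

# Succeeds only if the CSR key meets MIN_BITS, the certificate carries the
# same public key as the CSR, and the certificate has not already expired.
check_renewal() {
    csr=$1 cert=$2
    bits=$(csr_key_bits "$csr")
    [ "${bits:-0}" -ge "$MIN_BITS" ] ||
        { echo "CSR key is ${bits:-unknown} bits, below $MIN_BITS"; return 1; }
    [ "$(pubkey_hash req "$csr")" = "$(pubkey_hash x509 "$cert")" ] ||
        { echo "certificate public key does not match the CSR"; return 1; }
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null ||
        { echo "certificate has already expired"; return 1; }
    echo "OK: $bits-bit key, certificate matches the CSR"
}

# Constructed sample data: a throwaway key and CSR plus a self-signed
# certificate standing in for the CA's reply. The CSR header is rewritten
# to the "NEW CERTIFICATE REQUEST" form that DCM displays.
make_sample() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo.example" \
        -keyout "$1/key.pem" -out "$1/plain.csr" 2>/dev/null
    sed 's/ CERTIFICATE REQUEST/ NEW CERTIFICATE REQUEST/' "$1/plain.csr" > "$1/dcm.csr"
    openssl x509 -req -in "$1/dcm.csr" -signkey "$1/key.pem" -days 30 \
        -out "$1/renewed.pem" 2>/dev/null
}

# Usage: sh check_renewal.sh saved.csr renewed.pem (no arguments runs the sample)
if [ $# -eq 2 ]; then
    check_renewal "$1" "$2"
else
    d=$(mktemp -d) && make_sample "$d" && check_renewal "$d/dcm.csr" "$d/renewed.pem"
fi
```

A mismatch usually means the CA signed an older CSR or the wrong file was uploaded; resolve it before attempting the import.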


Document Information

Modified date:
03 November 2022

UID

nas8N1019817