How Do I Export an iSeries Certificate File?
January 25, 2012 Hey, Joe
I’m trying to export one of my i5/OS digital certificates into a PC file for server installation. Every time I try the export function, I get the message: An error occurred while opening files to write. What’s going on and how can I export the certificate to a file? I’m running i5/OS V5R4M5.
It could be the way you’re trying to export the file. Here’s how I’ve successfully downloaded digital certificates in the past, and where I’ve hit that particular message. Maybe this technique will help you export your certificate.
1. Start the IBM Web Administration for i interface on your iSeries or System i box by browsing to the following URL:
NOTE: In order to export your certificate, you’ll have to make sure the HTTP server administrator instance (ADMIN) is running on your System i box. To start the ADMIN HTTP server, run the following Start TCP/IP Server (STRTCPSVR) command.
STRTCPSVR SERVER(*HTTP) HTTPSVR(*ADMIN)
You’ll see a screen that looks like this. Select the Digital Certificate Manager (DCM) option. This will open your system’s DCM.
2. Inside the DCM, click on the Select a Certificate Store button to access the certificate store that contains the certificate you want to download. This brings up the following screen. In my case, the certificate resided in the *SYSTEM certificate store, so I clicked on the *SYSTEM radio button and then clicked the Continue button.
3. At this point, the DCM always asks for a password to get into my certificate store. If I don’t remember the password, it gives me the option to reset it. Once the password is entered, I click on the “work with server and client certificates” option from the Fast Path dropdown in the left-hand pane on the screen. This brings me to the following screen where I can work with all my active certificates in the *SYSTEM certificate store.
Here, I click on the radio button of the certificate that I want to export (new default store – 2008 in this case) and then click on the Export button. The system will prompt me with a choice of whether I want to export the certificate to a file for use with another system, or whether the DCM should export the certificate to another certificate store on the same system. I’ll choose File and click on the Continue button to export the certificate to a stream file that I can copy and load on my server.
4. The Export Server or Client Certificate function will now prompt me for a fully qualified path name and an encryption password for the exported file (see next graphic below). If I specify a network or PC folder and file name for my export file, the DCM will give me the same “An error occurred while opening files to write” message you’ve been experiencing. The trick for certificate exports is that you can only export a DCM certificate to an AS/400 Integrated File System (AS/400 IFS) file. You can’t export it to a network or PC folder. If you try to save it to a PC-style folder, you will get that error.
So exporting your certificate file is really a two-step process. You have to export it to an AS/400 IFS folder first. Then you need to pull it off the IFS and move it to the server where it’s going to be installed.
To export my file, I type in the AS/400 IFS file location and name where I want to store the certificate, as well as an encryption password to access the file contents. My transfer will look like this.
The other trick here is to make sure that I have the proper file extension for loading the exported certificate file onto my target server. In this case, I used the .cer extension (certificate), but I easily could have used other certificate file extensions such as .pfx, .p12, or .pem. Check your software to see which file extension it requires.
5. Once the certificate is downloaded to the IFS, I would then map a network drive to the IFS and copy (or drag and drop) the file to my PC. From here, it can be loaded to the server for HTTP processing, TELNET, FTP, or another system function needing a certificate. Be careful when emailing these files. Some email clients (including Microsoft Outlook) may be fussy about opening certificate files. You may have to zip the file or copy it to a shared drive or pen drive to get it to its intended recipient.
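The extension chosen in step 4 is only a label: the target server parses the file's bytes, so it helps to confirm what the copied file actually contains before loading it. The Python sketch below is an added example, not part of the original article; it classifies a file by content and flags a mismatch with its extension. The extension-to-format table, the file names, and the sample bytes are assumptions constructed for illustration.

```python
import os
import re

# Conventional meaning of each extension (assumption; confirm with the target software).
EXPECTED = {".pfx": {"pkcs12"}, ".p12": {"pkcs12"},
            ".cer": {"x509-der", "pem"}, ".pem": {"pem"}}

def _der_header(buf, pos):
    """Return (tag, content_start) of the DER/BER element starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first <= 0x80:            # short form, or 0x80 = BER indefinite length
        return tag, pos + 2
    return tag, pos + 2 + (first & 0x7F)   # long form: skip the length octets

def sniff_container(data):
    """Classify file bytes as 'pem', 'pkcs12', 'x509-der' or 'unknown' (heuristic)."""
    if re.search(rb"-----BEGIN [A-Z0-9 ]+-----", data):
        return "pem"
    try:
        outer_tag, outer_start = _der_header(data, 0)
        inner_tag, inner_start = _der_header(data, outer_start)
        if outer_tag != 0x30:                 # both binary formats start with a SEQUENCE
            return "unknown"
        # PKCS#12 PFX: SEQUENCE { INTEGER version = 3, ... }
        if inner_tag == 0x02 and data[outer_start + 1] == 1 and data[inner_start] == 3:
            return "pkcs12"
        # X.509 Certificate: SEQUENCE { SEQUENCE tbsCertificate, ... }
        if inner_tag == 0x30:
            return "x509-der"
    except IndexError:                        # truncated or empty file
        pass
    return "unknown"

def check_export(filename, data):
    """Return (detected_format, extension_matches, may_hold_private_key)."""
    kind = sniff_container(data)
    ext = os.path.splitext(filename)[1].lower()
    matches = kind in EXPECTED.get(ext, set())
    # PKCS#12 is the usual container for a certificate plus its private key.
    has_key = kind == "pkcs12" or b"PRIVATE KEY-----" in data
    return kind, matches, has_key

# Constructed leading bytes for illustration, not real certificates.
SAMPLE_PKCS12 = bytes.fromhex("30820a00020103308209c0")
SAMPLE_X509 = bytes.fromhex("3082030030820200a003020102")
SAMPLE_PEM = b"-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    for name, blob in (("mycert.cer", SAMPLE_PKCS12), ("mycert.cer", SAMPLE_X509)):
        print(name, check_export(name, blob))
```

To check a real export, read the copied file in binary mode and pass its name and bytes to `check_export`; a file flagged as possibly holding a private key deserves the same handling as the key itself when it is moved or shared.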