  • How Do I Load This Digital Certificate On My IBM i Machine?

    April 17, 2013 Hey, Joe

    A banking client is requiring us to load a Verisign Class Secure Server CA – G3 certificate authority (CA) certificate on my IBM i box. But when I try to load it into Digital Certificate Manager (DCM), DCM gives me this error: “An error occurred during certificate validation. The issuer of the certificate may not be in the certificate store or the issuer may not be enabled.” What’s going on?

    –WC

    This is a fairly common problem and it has an easy solution. The certificate won’t load because in addition to loading the bank’s Verisign Class Secure Server CA – G3 certificate into your IBM i certificate store, you must also load the Verisign CA certificate that originally issued your Secure Server CA – G3 certificate. This is the “…issuer of the certificate may not be in the certificate store…” part of your error message.

    Simply put, you have to load two certificates to get the certificate you want on your machine:

    • The Secure Server CA – G3 certificate you received from the bank
    • The parent CA certificate that issued the Secure Server CA – G3 certificate

    On a Windows box, you could just load a Verisign Root Package that contains all the parent and child certificates you would want to use. On an IBM i box, there isn’t any root package that I know of, and you sometimes need to track down and load the issuing CA certificate before you can load the certificate you need. Here’s how to approach the process.

    Determine Which Certificate You Need To Load

    A digital certificate is really just a text file. To get information on a certificate file in Windows, make sure that the extension on the Secure Server CA – G3 text file is .cer. So if your digital certificate file name is Verisign secure server CA – G3, change the file name to be Verisign secure server CA – G3.cer. To get the “issued by” name for your certificate in Windows 7, simply double-click on the .cer file name and you’ll see a certificate properties screen appear that looks something like this.

    Click on the General tab in the certificate window and you’ll see the name of the certificate authority that issued the certificate (the “issued by” name). In this case, the issuing authority is Verisign Class 3 Public Primary Certification Authority – G5. Save that name.

    Download The Issuing CA Certificate

    The next step is to download the issuing CA certificate file to an IBM i Integrated File System (IFS) folder where it can be uploaded to the Digital Certificate Manager. For Verisign, you can get that certificate from the Verisign Download Primary PCA Root Certificates website. The Verisign download site will look something like this.

    Figure 1


    Scroll down to the issuing certificate that you want to download (Verisign Class 3 Primary CA – G5, in your case). You’ll see a link under the certificate description that says Download Root Now. Your screen will look something like this.

    Figure 1


    Right-click on the Download Root Now link for your certificate and select Save As or Save Target As from the pop-up menu that appears. It’s important that you right-click on the link to save the certificate file. Don’t double-click to open up the certificate and copy its contents to a text file. That may not work correctly. Use the Save As or Save Target As option to download your certificate file.

    If you can, save the issuing certificate file name with an extension of .cer to an upload folder on your IBM i IFS. If you can’t save the .cer file directly to your IFS folder, save it to your PC and then upload it to the target IFS folder later. Digital certificate files must be uploaded into an IBM i certificate store from the partition’s Integrated File System.

    Loading The Certificates To Your IBM i Digital Certificate Manager

    Once you have both CA certificates (the Verisign Secure Server CA – G3 certificate and the issuing Verisign Class 3 Primary CA – G5 certificate), it’s a simple matter to upload them to your IBM i Digital Certificate Manager. Go to your DCM screen and open the certificate store where you intend to save these digital certificates.

    Once your certificate store is open, click on Fast path→Work with CA certificates from the left-hand menu of the Digital Certificate Manager screen. You’ll see a screen that looks something like this.

    Figure 1


    Scroll down to the bottom of the screen and click on the Import button to import the issuing certificate into the DCM. You’ll see a screen that looks like this.

    Figure 1


    Type in the IFS folder name and the name of the issuing certificate file in the import box (the Verisign Class 3 Primary CA – G5 certificate file name). The issuing certificate must always be loaded into your certificate store before you upload the issued certificate. Don’t put a drive letter in the certificate folder name because you must import the certificate from your IFS, not from Windows. Simply enter the folder and file name separated by forward slashes (/). Click the Continue button and you’ll see a screen asking you for a certificate label. That screen will look like this.

    Figure 1


    Type in a certificate label name that’s descriptive of the certificate you’re uploading. Click Continue and the issuing digital certificate will be added to your Digital Certificate Manager. Go back and reload the Verisign Secure Server CA – G3 certificate to your DCM the same way you loaded the issuing certificate. Your certificate should load this time.

    Note: This technique will work for locating and uploading the issuing CA certificate for any certificate file that triggers this error message when you upload it to the DCM. The key is to track down the name of the “issued by” certificate authority and to download that CA’s certificate file. Except for the names of your uploaded certificates, all the other steps will be the same no matter what certificate you’re having trouble loading.

    HTH

    –Joe
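
A command-line version of the "find the issued by name, then load the issuer first" procedure above, as an added example that is not part of the original column. It assumes the OpenSSL command-line tool on a workstation and Base64 (PEM) certificate files; the function names and the sample certificates are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the column). Assumes the OpenSSL CLI and PEM files.

# "Issued by" and "issued to" names of a certificate file.
issuer_of()  { openssl x509 -in "$1" -noout -issuer  -nameopt RFC2253 | sed 's/^issuer= *//'; }
subject_of() { openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'; }

# A root CA is self-issued: its issuer name equals its own subject name.
is_root() { [ "$(issuer_of "$1")" = "$(subject_of "$1")" ]; }

# True when $1 issued $2: the names line up AND OpenSSL verifies $2's
# signature with $1 supplied as the trusted CA.
issued_by() {
    [ "$(subject_of "$1")" = "$(issuer_of "$2")" ] &&
        openssl verify -partial_chain -CAfile "$1" "$2" >/dev/null 2>&1
}

# Print two CA files in import order (issuer first). Fails when neither file
# issued the other, i.e. the issuer DCM is asking for is still missing.
import_order() {
    if issued_by "$1" "$2"; then
        printf '%s\n%s\n' "$1" "$2"
    elif issued_by "$2" "$1"; then
        printf '%s\n%s\n' "$2" "$1"
    else
        echo "no issuer here; issued-by names: $(issuer_of "$1"); $(issuer_of "$2")" >&2
        return 1
    fi
}

# Constructed sample data: a throwaway root CA in directory $1 and a second
# CA certificate issued by it (hypothetical names, not real Verisign files).
make_sample_chain() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Constructed Root CA" \
        -keyout "$1/root.key" -out "$1/root.cer" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Constructed Issuing CA" \
        -keyout "$1/sub.key" -out "$1/sub.csr" 2>/dev/null
    openssl x509 -req -in "$1/sub.csr" -CA "$1/root.cer" -CAkey "$1/root.key" \
        -CAcreateserial -days 1 -out "$1/sub.cer" 2>/dev/null
}

# Usage: import_order bank_ca.cer downloaded_ca.cer
```

A name match alone is not enough: two different CAs can carry the same name, which is why `issued_by` also checks the signature before declaring the import order.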

    Follow Me On My Blog, On Twitter, And On LinkedIn

    Check out my blog at joehertvik.com, where I focus on computer administration and news (especially IBM i); vendor, marketing, and tech writing news and materials; and whatever else I come across.

    You can also follow me on Twitter @JoeHertvik and on LinkedIn.

    Joe Hertvik is the owner of Hertvik Business Services, a service company that provides written marketing content and presentation services for the computer industry, including white papers, case studies, and other marketing material. Email Joe for a free quote for any upcoming projects. He also runs a data center for two companies outside Chicago. Joe is a contributing editor for IT Jungle and has written the Admin Alert column since 2002.




Volume 13, Number 8 -- April 17, 2013