Exporting Certificate Authorities (CAs) from a Website

Often when we use software such as GETURI on our IBM i (System i, iSeries, AS/400) to communicate with a web service, the communications require Secure Sockets Layer (SSL).

When you create the *SYSTEM certificate store, a few default Certificate Authorities (CAs) are added, but these days the defaults are normally not enough and we must manually import CAs into the *SYSTEM store. Before we can do that, we must export the CAs to our PC.

To export a CA (or a group of CAs), open your web browser to the URI that is used in the web services. For example, if we were using www.paypal.com, we would enter that in our web browser (preferably Chrome, but IE will work as well).

If you are provided the SSL certificate from your trading partner you can skip to the section on exporting each separate CA.

You can also retrieve a certificate using OpenSSL if the server isn't available via a webpage, such as a mail server. Once done you can skip to the section on exporting each separate CA.

Once at the site, if it is correct and uses SSL you'll see a small padlock or some other icon that we can click on to get more information about the certificate used at that site.

In the example above we are using Internet Explorer.

In the example above we're using Google Chrome.

In either case, clicking on this padlock (or double clicking on the certificate provided by your trading partner) will allow you to view the certificate information. When we do, we will see not only the certificate (at the bottom of the chain, www.paypal.com in this case) but the Certificate Authority (or Authorities) that have signed the certificate.

UPDATE:

On the newer versions of Chrome you can find the certificate information by right clicking anywhere on the page and selecting "Inspect". This should open the Google Debugger. Click on the "Security" tab at the top and you should see a button that says "View Certificate" that will allow you to continue.

In this case, as with many certificates these days, our certificate is signed by one or more CAs, also known as a "chained root". The topmost CA is the root, and any CAs following are known as intermediate CAs.

We are interested in the two topmost items, VeriSign and VeriSign Class 3 Extended Validation SSL CA. These are the CAs we need to export from the website and import into the *SYSTEM certificate store on our IBM i.

Exporting Each Separate CA

To import these into our IBM i we must first export them starting from the topmost CA (in this case, named VeriSign). Follow these steps to export the CAs:

  1. Double click on the CA in the list you wish to export. This will open another Certificate window.
  2. Click on the "Details" tab. You should see a button that says "Copy to File" as shown below. If you are using IE this button may be greyed out, which is why I suggest using Chrome instead.
  3. Click on the "Copy to File" button. This will open the Certificate Export Wizard.
  4. Click the "Next" button.
  5. You will see a page similar to the following:
  6. Select "DER encoded binary X.509 (.CER)" and click the Next button.
  7. You will now be asked to name the file. You can call it anything you want, but be sure to include the path in the file name. When exporting "chained" CAs I like to number them in the order I will need to import them, so in this case I would call it "c:\temp\cert1.cer" for the top level CA, "c:\temp\cert2.cer" for the next level, and so on.
  8. You will then be notified if the export was successful.
  9. Repeat this process with each CA in the chain until all of the CAs are exported. Note that the bottom item in the list is the actual certificate and does not need to be exported.

You should now have all of the CAs on your PC. In this example you should have 2 CAs.
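
The OpenSSL route mentioned earlier produces PEM text rather than the DER .CER files exported above. As an added example (not part of the original article), this Python script takes saved output of `openssl s_client -connect host:port -showcerts`, drops the server certificate, and writes the CAs as cert1.cer, cert2.cer, and so on, topmost first, with a SHA-256 fingerprint for each. The function names, the default output directory and the placeholder sample are assumptions of the example.

```python
import base64
import hashlib
import re
import sys
from pathlib import Path

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL)

def constructed_sample():
    # Constructed stand-in for s_client output: placeholder bytes, not real
    # certificates. The leaf appears twice, as it does in real s_client output.
    names = [b"leaf", b"intermediate", b"root", b"leaf"]
    return "\n".join(
        "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----"
        % base64.b64encode(n).decode() for n in names)

def pem_blocks_to_der(text):
    """Return the DER bytes of each distinct certificate, in the order sent."""
    ders = []
    for body in PEM_BLOCK.findall(text):
        der = base64.b64decode("".join(body.split()), validate=True)
        if der not in ders:  # s_client repeats the leaf under "Server certificate"
            ders.append(der)
    return ders

def export_ca_chain(text, out_dir, prefix="cert"):
    """Write the CAs as <prefix>1.cer, <prefix>2.cer, ... and return
    a list of (file name, SHA-256 hex fingerprint) pairs."""
    ders = pem_blocks_to_der(text)
    if len(ders) < 2:
        raise ValueError("no CA certificates found after the server certificate")
    # Assumes the usual order: server certificate first, then each CA going up
    # the chain. Drop the leaf and reverse so the topmost CA becomes cert1.
    cas = list(reversed(ders[1:]))
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    written = []
    for n, der in enumerate(cas, start=1):
        (out / f"{prefix}{n}.cer").write_bytes(der)
        written.append((f"{prefix}{n}.cer", hashlib.sha256(der).hexdigest()))
    return written

if __name__ == "__main__":
    # Usage: python export_chain.py chain.txt c:\temp  (no arguments: sample data)
    text = Path(sys.argv[1]).read_text() if len(sys.argv) > 1 else constructed_sample()
    out_dir = sys.argv[2] if len(sys.argv) > 2 else "chain_out"
    for name, digest in export_ca_chain(text, out_dir):
        print(f"{name}  SHA-256 {digest}")
```

Servers often do not send the root CA itself, so the topmost file written may be an intermediate and the root must then be obtained separately. Compare each SHA-256 fingerprint with the value the CA publishes before importing the file into the *SYSTEM store.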