Often when we use software such as GETURI on our IBM i (System i, iSeries, AS/400) to communicate with a web service, the communications require Secure Sockets Layer (SSL).
When you create the *SYSTEM certificate store, a few default Certificate Authorities (CAs) are added, but these days the defaults are normally not enough and we must manually import CAs into the *SYSTEM store. Before we can do that, we must export the CAs to our PC.
To export a CA (or a group of CAs), open your web browser to the URI that is used in the web services. For example, if we were using www.paypal.com, we would enter that in our web browser (preferably Chrome, but IE will work as well).
If you are provided the SSL certificate from your trading partner you can skip to the section on exporting each separate CA.
You can also retrieve a certificate using OpenSSL if the server isn't available via a webpage, such as a mail server. Once done you can skip to the section on exporting each separate CA.
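The OpenSSL route mentioned above, as an added example that is not part of the original article: it pulls the chain a server presents and writes each certificate to its own PEM file. The function names, output file names, and the host mail.example.test are assumptions made for illustration.

```shell
#!/bin/sh
# fetch_chain HOST PORT [STARTTLS_PROTOCOL]
# Prints the s_client transcript, including every certificate the server sends.
fetch_chain() {
    host=$1; port=$2; proto=${3:-}
    # -showcerts: print the whole chain the server presents, not only the leaf.
    # -servername: send SNI so a shared host returns the certificate for $host.
    # -starttls: upgrade a plaintext mail session (smtp, imap, pop3) first.
    if [ -n "$proto" ]; then
        openssl s_client -connect "$host:$port" -servername "$host" \
            -starttls "$proto" -showcerts </dev/null 2>/dev/null
    else
        openssl s_client -connect "$host:$port" -servername "$host" \
            -showcerts </dev/null 2>/dev/null
    fi
}

# split_chain OUTDIR
# Reads an s_client transcript on stdin, writes OUTDIR/cert-1.pem (the server's
# own certificate), cert-2.pem, ... (its issuers), and prints how many it wrote.
split_chain() {
    outdir=$1
    mkdir -p "$outdir" || return 1
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; inside = 1 }
        inside                        { print > out }
        /-----END CERTIFICATE-----/   { inside = 0; close(out) }
        END                           { print n + 0 }
    '
}

# Constructed transcript (placeholder base64, not real certificates) so the
# splitter can be exercised offline.
sample_transcript() {
    cat <<'EOF'
Certificate chain
 0 s:CN = mail.example.test
-----BEGIN CERTIFICATE-----
QUFBQQ==
-----END CERTIFICATE-----
 1 s:CN = Example Intermediate CA
-----BEGIN CERTIFICATE-----
QkJCQg==
-----END CERTIFICATE-----
---
EOF
}

# Typical use (hypothetical host name):
#   fetch_chain mail.example.test 25 smtp | split_chain ./chain
#   openssl x509 -in ./chain/cert-2.pem -noout -subject -issuer -fingerprint -sha256
```

Servers commonly send only their own certificate and the intermediates, so the root CA may have to be obtained from the CA itself. Compare each file's SHA-256 fingerprint with the value the CA publishes before importing it into the *SYSTEM store.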
Once at the site, if it is correct and uses SSL you'll see a small padlock or some other icon that we can click on to get more information about the certificate used at that site.
In the example above we are using Internet Explorer.
In the example above we're using Google Chrome.
In either case, clicking on this padlock (or double clicking on the certificate provided by your trading partner) will allow you to view the certificate information. When we do, we will see not only the certificate (at the bottom of the chain, www.paypal.com in this case) but the Certificate Authority (or Authorities) that have signed the certificate.
UPDATE:
On the newer versions of Chrome you can find the certificate information by right clicking anywhere on the page and selecting "Inspect". This should open the Google Debugger. Click on the "Security" tab at the top and you should see a button that says "View Certificate" that will allow you to continue.
In this case, as with many certificates these days, our certificate is signed by one or more CAs, also known as a "chained root". The topmost CA is the root, and any CAs following are known as intermediate CAs.
We are interested in the two topmost items, VeriSign and VeriSign Class 3 Extended Validation SSL CA. These are the CAs we need to export from the website and import into the *SYSTEM certificate store on our IBM i.
Exporting Each Separate CA
To import these into our IBM i we must first export them starting from the topmost CA (in this case, named VeriSign). Follow these steps to export the CAs:
You should now have all of the CAs on your PC. In this example you should have 2 CAs.