Importing a Certificate Authority (CA)

In some cases we will need to import one or more Certificate Authorities (CAs) into our *SYSTEM store.  You also have the option of importing them into your own store, but in most cases it's just as easy to import them into the *SYSTEM store.  Keep in mind that every application configured to use the *SYSTEM store will then trust any certificate issued by that CA, so only import CAs you have verified.

The first thing you will need to do is upload the CAs you wish to import to your IBM i (System i, iSeries, AS/400).  I normally do this using FTP and store them in the /tmp directory on the IBM i.  Two things to keep in mind: plain FTP sends the user ID and password in the clear, so use SFTP or FTP over TLS if your system offers them, and don't use a more powerful profile than the job needs (any profile that can write to /tmp can do the upload; DCM itself is what needs *ALLOBJ and *SECADM).  Also switch the client to binary mode with the binary subcommand before the put: .cer files are often DER (binary) encoded, and an ASCII-mode transfer to the IBM i would translate and corrupt them.

First, put the CAs in a directory on your PC that is easily accessible (I like to use C:\temp).  Then start up an FTP client.  I like to use the basic Windows FTP client, which is started by selecting Start-->Run and typing FTP at the prompt.  (For Windows 8, press the Windows key and the R key at the same time to get the Run prompt.)

Once your FTP session is started, upload the CAs to your IBM i.  In this case I'm uploading them from C:\temp to the /tmp directory on our IBM i.

Here is the FTP session as text.  The commands after the ftp> prompt, and the responses to the User and Password prompts, are the data that was entered:

ftp> open 172.29.171.59
Connected to 172.29.171.59.
220-QTCP at v171059.dal-ebis.ihost.com.
220 Connection will close if idle more than 5 minutes.
User (172.29.171.59:(none)): qsecofr
331 Enter password.
Password: **********
230 QSECOFR logged on.
ftp> cd /tmp
250-NAMEFMT set to 1.
250 "/tmp" is current directory.
ftp> lcd c:\temp
Local directory now C:\temp.
ftp> put cert1.cer
200 PORT subcommand request successful.
150 Sending file to /tmp/cert1.cer
226 File transfer completed successfully.
ftp: 1239 bytes sent in 0.25Seconds 4.96Kbytes/sec.
ftp> put cert2.cer
200 PORT subcommand request successful.
150 Sending file to /tmp/cert2.cer
226 File transfer completed successfully.
ftp: 1512 bytes sent in 0.05Seconds 32.17Kbytes/sec.
ftp> quit

Once your CAs are uploaded to your IBM i, go to the Digital Certificate Manager.

Select the "Open a Certificate Store" link on either the left-hand side or the top of the page.


You should be presented with a list of available certificate stores to work with.  If the *SYSTEM store is not in this list, you must first Create Your *SYSTEM store.  Select the *SYSTEM store button.  

You will be asked to enter the password for the *SYSTEM store at this point.  Enter the password and click on the Continue button.  (Note, if you don't know the password, you can select the Reset Password option and change it without needing to know the prior password.)

Once you are viewing the *SYSTEM store, there is a "filter" icon to the right of the screen which you can click to choose which types of certificates to work with: Certificate Authorities (CAs), Server/Client, and other options.  In this example we chose to view just CAs.

You will now see a list of CAs already installed on your system.  Most of them were installed when you created the *SYSTEM store. 

The option we are looking for is at the top of the screen and labeled Import.  Find this link and click on it.


You will be asked what type of certificate to import.  In this case we want to import a CA so select that option.  Once that is selected you will be asked to input the path of the CA to import.


Remember that when importing a chain of CAs you must start with the topmost (root) CA and work your way down through the intermediates, because DCM will only accept a CA certificate whose issuer is already trusted in the store.  Import them out of order and you'll receive an error saying that the CA you tried to import is not trusted.  The root is the certificate whose issuer and subject are the same; each intermediate's issuer is the subject of the CA above it.  The nice thing about the new DCM is that it now allows you to browse for the file.  Good thinking, IBM!

You will now be presented with an input field to enter the CA certificate label.  This is really just a text description of what you want to call the CA.  You could use the description already associated with the CA, or anything you want. 

In some cases it may make more sense to label them for what they are used for (for example, the CAs for Google's Gmail servers could be named Gmail 1, Gmail 2, etc.).

If you want to find the CA's official name, go back to the .cer file on your PC and double-click it.  The Certification Path tab shows the chain with each CA's name, and the Details tab shows the Subject and the Thumbprint.  That's what I did in this example, and for the label I used "VeriSign Class 3 Public Primary Certification Authority - G5".  The thumbprint is worth checking against the value the CA publishes before you import: once the CA is in the *SYSTEM store, everything on the system that uses that store trusts it.
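You can do the same checks without opening each file in Windows.  The script below is an added example, not part of the original article and not IBM's or DCM's code; it needs only bash and openssl.  It builds its own two-certificate test chain (a constructed, hypothetical root and intermediate written to a temporary directory and saved as cert1.cer in PEM and cert2.cer in DER, mirroring the file names above), accepts .cer files in either encoding, prints them root-first in the order DCM wants them imported, and for each one prints the subject CN (a sensible label) and the SHA-256 fingerprint to compare with the CA's published value before trusting it system-wide.

```bash
#!/usr/bin/env bash
# Added example (not from the original article): order CA files root-first for
# DCM import and print the label and fingerprint for each one.  Needs openssl.

# Print a certificate as PEM whether the .cer file is PEM or DER encoded.
to_pem() {
    if openssl x509 -in "$1" -inform PEM -noout 2>/dev/null; then
        openssl x509 -in "$1" -inform PEM
    else
        openssl x509 -in "$1" -inform DER
    fi
}

# Distinguished name of the subject or issuer ($2 = subject|issuer) in
# RFC 2253 form, with the leading "subject=" / "issuer=" stripped.
cert_field() {
    to_pem "$1" | openssl x509 -noout "-$2" -nameopt RFC2253 | sed 's/^[A-Za-z]*= *//'
}

# Subject CN: the name the Windows certificate viewer shows, and a good DCM label.
ca_label() {
    cert_field "$1" subject | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# SHA-256 fingerprint, to compare with the CA's published value before import.
fingerprint() {
    to_pem "$1" | openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Print the given certificate files root-first.  The root is the self-signed one
# (subject == issuer); each following file is the one whose issuer is the subject
# of the file just placed.  Fails when no root is present or a link is missing,
# which is exactly the situation in which DCM rejects the import as untrusted.
order_chain() {
    local ordered="" want="" placed=0 next f subj iss
    for f in "$@"; do
        subj=$(cert_field "$f" subject); iss=$(cert_field "$f" issuer)
        if [ "$subj" = "$iss" ]; then ordered="$f"; want="$subj"; placed=1; break; fi
    done
    [ -n "$want" ] || { echo "no self-signed root CA among the inputs" >&2; return 1; }
    while [ "$placed" -lt "$#" ]; do
        next=""
        for f in "$@"; do
            printf '%s\n' "$ordered" | grep -Fxq -- "$f" && continue   # already placed
            [ "$(cert_field "$f" issuer)" = "$want" ] && { next="$f"; break; }
        done
        [ -n "$next" ] || { echo "chain broken: nothing issued by '$want'" >&2; return 1; }
        ordered="$ordered
$next"
        placed=$((placed + 1)); want=$(cert_field "$next" subject)
    done
    printf '%s\n' "$ordered"
}

# Constructed test data: a hypothetical root and intermediate CA written to $1,
# saved as cert1.cer (PEM) and cert2.cer (DER) to mirror the files in the article.
make_demo_chain() {
    local d="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -keyout "$d/root.key" \
        -out "$d/cert1.cer" -subj "/O=Example/CN=Example Root CA" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/inter.key" \
        -out "$d/inter.csr" -subj "/O=Example/CN=Example Issuing CA" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    openssl x509 -req -in "$d/inter.csr" -CA "$d/cert1.cer" -CAkey "$d/root.key" \
        -CAcreateserial -days 30 -extfile "$d/ca.ext" -outform DER -out "$d/cert2.cer" 2>/dev/null
}

# Demo: hand the files over in the wrong order and let order_chain sort them.
demo_dir=$(mktemp -d)
make_demo_chain "$demo_dir"
order_chain "$demo_dir/cert2.cer" "$demo_dir/cert1.cer" | while IFS= read -r f; do
    printf '%s\n  label:  %s\n  sha256: %s\n' "$f" "$(ca_label "$f")" "$(fingerprint "$f")"
done
rm -rf "$demo_dir"
```

Run it against your real files as `order_chain cert1.cer cert2.cer ...` (in any order) and import the files in the order it prints; if it reports a broken chain, DCM will report the same import as untrusted.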

If the CA is successfully installed you will receive a message stating so.  If there is an error, that will also be displayed. 

In some cases when importing chained CAs you may get a message saying that the CA you tried to import already exists in the *SYSTEM store (many public root CAs are loaded when the store is created).  If that is the case, simply move on to the next CA in the list.

Repeat these steps for each CA you need to import.