dcmimport - import a client/server certificate #47
Comments
Hi, I have the same issue: I am trying to script the import of a certificate as a client/server certificate and assign it to an application, but the certificate is always imported as a Certificate Authority.
Hi, thank you for posting this thread. I'm trying to set up automation as well, on IBM i V7R4 and V7R5 PASE environments, using certbot. Currently I can only use an older certbot 1.23 and an older Python 3.6.15, because when I try to use the newer Python 3.9.20 I get errors on the certbot build and install.
Anyway, I'm having the same issue with the dcmimport and dcmassign commands. I can create a certbot certificate. The files that get created are: README, cert.pem, chain.pem, fullchain.pem, privkey.pem.
I have to run the following to get a pfx file:
openssl pkcs12 -export -out mydomain.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -name MYDOMAIN -password pass:MyPassWord -y
*Note: I have found that if I use the fullchain.pem, it creates a CA certificate with the CA certs when importing into DCM. If I use the chain.pem, it will create the server/client certificate with the CA certs, which is what I want.
It creates the mydomain.pfx. When I try the dcmimport command, it does not create the certificate in DCM:
dcmimport /Certs/PHXASU01/privu01.pfx --dcm-password=MyPassWord -y
Sanity check successful
However, if I import manually into DCM it creates it just fine. Also, I have to manually assign the services and applications.
Is there a newer version of dcmimport, or is there a workaround for importing the certificates into DCM? The goal, like everyone else's, is to automate the process.
I've installed the latest version of DCM-tools using the following command on my IBM i 7.5 server.
yum install https://github.com/ThePrez/DCM-tools/releases/download/v0.3.0/dcmtools-0.3.0-0.ibmi7.2.ppc64.rpm
I am using the acme.sh script to generate a Let's Encrypt certificate, which gives me the following certificate files.
I can import the fullchain.cer certificate using the following command.
dcmimport /home/RICHARD/.acme.sh/certs/mydomain.uk_ecc/fullchain.cer
This imports three certificates in total.
The first two are CA certificates and DCM-tools shows that these certificates are CA certificates with `Is CA? true`.
The third certificate is my domain certificate and DCM-tools shows this certificate as not a CA certificate with `Is CA? false`.
However my domain certificate is imported into DCM as a CA certificate not a client/server certificate.
I did try importing my domain certificate (i.e. mydomain.uk.cer) as a client/server certificate however it had the same result, the certificate was imported as a CA certificate rather than a client/server certificate.
I also tried importing my domain certificate (i.e. mydomain.uk.cer) as a client/server certificate via the DCM web ui but it doesn't like the certificate format, it requires a PKCS12 (PFX) format. So I converted my domain certificate with the following command.
openssl pkcs12 -export -inkey mydomain.uk.key -in mydomain.uk.cer -name mydomain -out mydomain.uk.pfx -password pass:<password>
When I then try importing the PKCS12 formatted certificate I get a null response.
I am able to import the PKCS12 formatted certificate via the DCM web ui as a client/server certificate.
Should it be possible to import my domain certificate as a client/server certificate?
My overall aim is to use Let's Encrypt for my app certificates, import them to DCM using dcmimport, assign them to my apps using dcmassign and then automate renewal using dcmrenew.
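A pre-import check for the bundles discussed in this thread, added here as an example (it is not part of DCM-tools or any poster's code): it reports which certificates in a PEM bundle such as fullchain.pem carry the CA flag and confirms that the private key belongs to the end-entity certificate before a PKCS12 file is built from them. The function names and the script name are hypothetical; only the openssl CLI and POSIX awk/grep are assumed.

```shell
#!/bin/sh
# Added example, not part of DCM-tools. Function names are hypothetical.
# Requires only the openssl CLI and POSIX awk/grep.

# split_bundle BUNDLE OUTDIR: write OUTDIR/cert-N.pem, one file per certificate.
split_bundle() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem" }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$1"
}

# is_ca CERT: succeed when basicConstraints says CA:TRUE.
is_ca() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# classify_bundle BUNDLE: print "N CA|LEAF <subject>" for each certificate.
classify_bundle() {
    cb_tmp=$(mktemp -d) || return 1
    split_bundle "$1" "$cb_tmp"
    cb_i=1
    while [ -f "$cb_tmp/cert-$cb_i.pem" ]; do
        if is_ca "$cb_tmp/cert-$cb_i.pem"; then cb_kind=CA; else cb_kind=LEAF; fi
        echo "$cb_i $cb_kind $(openssl x509 -in "$cb_tmp/cert-$cb_i.pem" -noout -subject)"
        cb_i=$((cb_i + 1))
    done
    rm -rf "$cb_tmp"
}

# key_matches_cert KEY CERT: succeed when KEY's public half equals CERT's.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl dgst -sha256)
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null | openssl dgst -sha256)
    # The second test rejects the case where both inputs were unreadable.
    [ "$k" = "$c" ] && openssl pkey -in "$1" -noout 2>/dev/null
}

# Usage: sh precheck.sh fullchain.pem privkey.pem cert.pem
if [ "$#" -eq 3 ]; then
    classify_bundle "$1"
    if key_matches_cert "$2" "$3"; then
        echo "OK: private key matches $3"
    else
        echo "FAIL: private key does not match $3" >&2; exit 1
    fi
fi
```

Running it against the files a client writes (for example fullchain.pem, privkey.pem and cert.pem) shows up front which entries a tool will see as CA certificates and whether the key and certificate going into the PKCS12 file belong together.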