Add external CA to trust list

From i2Rest
Revision as of 14:54, 13 April 2020 by Pavel.lobko (talk | contribs)
Jump to: navigation, search


When using the i2Rest Client to access external https resources, you might meet error "Certificate is not signed by a trusted certificate authority". In this case you will have to add the root CA certificate of the target server to the list of trusted certificates in DCM.

Here is one of ways to get the server's root CA certificate and register it in the DCM trust list.

DCM requires root CA certificate in PEM format. If you already have such file, you have to save it to IBM i directory and can go to step 8.

Using Firefox:

1. Open required page in Firefox:

[[attachment:Google - Mozilla Firefox 24.03.2020 12_42_43.png|Template:Attachment:Google - Mozilla Firefox 24.03.2020 12 42 43.png]] 400px

2. Click Lock icon and click Show connection details

[[attachment:Google keys.PNG|Template:Attachment:Google keys.PNG]] 400px

3. Click More information:

[[attachment:Page Info - https___www.google.com_ 24.03.2020 12_51_50.png|Template:Attachment:Page Info - https www.google.com 24.03.2020 12 51 50.png]] 400px

4. View Certificate:

[[attachment:about_certificate - Mozilla Firefox 24.03.2020 12_53_43.png|Template:Attachment:about certificate - Mozilla Firefox 24.03.2020 12 53 43.png]] 400px

5. Open rightmost tab with root CA authority:

[[attachment:about_certificate - Mozilla Firefox 24.03.2020 13_56_33.png|Template:Attachment:about certificate - Mozilla Firefox 24.03.2020 13 56 33.png]] 400px

6. Scroll down and click on link Download PEM (Cert), save downloaded file:

[[attachment:Save PEM cert.PNG|Template:Attachment:Save PEM cert.PNG]] 400px

7. Copy downloaded file to your IBM i folder, for example to /tmp/www-google-com.pem

8. Close opened page and go to DCM *SYSTEM store

9. Go to Manage Certificates and click Import Certificate:

[[attachment:about_certificate - Mozilla Firefox 24.03.2020 13_05_59.png|Template:Attachment:about certificate - Mozilla Firefox 24.03.2020 13 05 59.png]]400px

10. Select Certificate Authority (CA) and press Continue:

[[attachment:about_certificate - Mozilla Firefox 24.03.2020 13_28_05.png|Template:Attachment:about certificate - Mozilla Firefox 24.03.2020 13 28 05.png]]400px

11. Enter path to downloaded chain file (at IBM i) and click Continue:

[[attachment:about_certificate - Mozilla Firefox 24.03.2020 13_16_57.png|Template:Attachment:about certificate - Mozilla Firefox 24.03.2020 13 16 57.png]] 400px

12. Enter certificate label for imported CA (up to you, don't have to be the same as CA common name):

[[attachment:about_certificate - Mozilla Firefox 24.03.2020 13_19_51.png|Template:Attachment:about certificate - Mozilla Firefox 24.03.2020 13 19 51.png]] 400px

13. Press Continue:

[[attachment:about_certificate - Mozilla Firefox 24.03.2020 14_01_56.png|Template:Attachment:about certificate - Mozilla Firefox 24.03.2020 14 01 56.png]] 400px

Certificate imported.

Retrieved from "https://www.i2rest.com/index.php?title=Add_external_CA_to_trust_list&oldid=345"