Exporting Certificate Authorities (CAs) from a Website
Often when we are using software such as GETURI on our IBM i (System i, iSeries, AS/400) to communicate with a web service, the communications require Secure Sockets Layer (SSL).
When you create the *SYSTEM certificate store a few default Certificate Authorities (CAs) are added, but these days the defaults are normally not enough and we must manually import CAs into the *SYSTEM store. But before we can do that, we must export the CAs to our PC.
To export a CA (or a group of CAs), open your web browser to the URI that is used in the web services. For example, if we were using www.paypal.com, we would enter that in our web browser (preferably Chrome, but IE will work as well).
If you are provided the SSL certificate from your trading partner you can skip to the section on exporting each separate CA.
You can also retrieve a certificate using OpenSSL if the server isn't available via a webpage, such as a mail server. Once done you can skip to the section on exporting each separate CA.
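One way to do the OpenSSL retrieval mentioned above, as an added example that is not part of the original article: it pulls the certificates a server presents and writes each one to its own PEM file. The host mail.example.com, the port and the file prefix "chain" are placeholder assumptions.

```shell
#!/bin/sh
# Added example (not from the original article). Host, port and file names
# are illustrative assumptions.

# fetch_chain HOST PORT [STARTTLS_PROTO]
# Print every certificate the server presents during the TLS handshake.
# For a mail server pass a STARTTLS protocol such as "smtp".
fetch_chain() {
    host=$1 port=$2 proto=${3:-}
    if [ -n "$proto" ]; then
        openssl s_client -connect "$host:$port" -servername "$host" \
            -starttls "$proto" -showcerts </dev/null 2>/dev/null
    else
        openssl s_client -connect "$host:$port" -servername "$host" \
            -showcerts </dev/null 2>/dev/null
    fi
}

# split_chain PREFIX
# Read s_client output on stdin and write each PEM block to PREFIX-N.pem
# (0 = the server's own certificate, 1 and up = the CAs sent after it).
# Prints the number of certificates written.
split_chain() {
    awk -v prefix="$1" '
        BEGIN                         { n = 0 }
        /-----BEGIN CERTIFICATE-----/ { out = prefix "-" n ".pem"; inside = 1 }
        inside                        { print > out }
        /-----END CERTIFICATE-----/   { inside = 0; close(out); n++ }
        END                           { print n }
    '
}

# describe_cert FILE
# Show subject, issuer and SHA-256 fingerprint so each CA can be compared
# with the fingerprint the CA publishes before it is imported.
describe_cert() {
    openssl x509 -in "$1" -noout -subject -issuer -fingerprint -sha256
}

# Typical use (needs network access, so it is left commented out):
#   fetch_chain mail.example.com 25 smtp | split_chain chain
#   for f in chain-*.pem; do describe_cert "$f"; done
```

Servers usually send only their own certificate and the intermediate CAs, so the root CA often has to be downloaded from the CA itself. Because nothing retrieved this way has been validated yet, check each fingerprint before importing the file into the *SYSTEM store.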
Once at the site, if it is correct and uses SSL you'll see a small padlock or some other icon that we can click on to get more information about the certificate used at that site.
In the example above we are using Internet Explorer.
In the example above we're using Google Chrome.
In either case, clicking on this padlock (or double clicking on the certificate provided by your trading partner) will allow you to view the certificate information. When we do, we will see not only the certificate (at the bottom of the chain, www.paypal.com in this case) but the Certificate Authority (or Authorities) that have signed the certificate.
In this case, as with many certificates these days, our certificate is signed by one or more CAs, also known as a "chained root". The topmost CA is the root, and any CAs following are known as intermediate CAs.
We are interested in the two topmost items, VeriSign and VeriSign Class 3 Extended Validation SSL CA. These are the CAs we need to export from the website and import into the *SYSTEM certificate store on our IBM i.
Exporting Each Separate CA
To import these into our IBM i we must first export them starting from the topmost CA (in this case, named VeriSign). Follow these steps to export the CAs:
- Double click on the CA in the list you wish to export. This will open another Certificate window.
- Click on the "Details" tab. You should see a button that says "Copy to File" as shown below. If you are using IE this button may be greyed out, which is why I suggest using Chrome instead.
You should now have all of our CAs on your PC. In this example you should have 2 CAs.