ThePrez / DCM-tools

Command-line tools for working with Digital Certificate Manager (DCM) on IBM i
Apache License 2.0

dcmimport - import a client/server certificate #47

Open richardm90 opened 11 months ago

richardm90 commented 11 months ago

I've installed the latest version of DCM-tools using the following command on my IBM i 7.5 server.

yum install https://github.com/ThePrez/DCM-tools/releases/download/v0.3.0/dcmtools-0.3.0-0.ibmi7.2.ppc64.rpm

I am using the acme.sh script to generate a Let's Encrypt certificate, which gives me the following certificate files.

I can import the fullchain.cer certificate using the following command.

dcmimport /home/RICHARD/.acme.sh/certs/mydomain.uk_ecc/fullchain.cer

This imports three certificates in total. The first two are CA certificates and DCM-tools shows that these certificates are CA certificates with Is CA? true.

The third certificate is my domain certificate and DCM-tools shows this certificate as not a CA certificate with Is CA? false.

However my domain certificate is imported into DCM as a CA certificate not a client/server certificate.

I did try importing my domain certificate (i.e. mydomain.uk.cer) as a client/server certificate; however, it had the same result: the certificate was imported as a CA certificate rather than a client/server certificate.

I also tried importing my domain certificate (i.e. mydomain.uk.cer) as a client/server certificate via the DCM web UI, but it doesn't like the certificate format; it requires a PKCS12 (PFX) format. So I converted my domain certificate with the following command.

openssl pkcs12 -export -inkey mydomain.uk.key -in mydomain.uk.cer -name mydomain -out mydomain.uk.pfx -password pass:<password>

When I then try importing the PKCS12 formatted certificate I get a null response.

$ dcmimport /home/RICHARD/.acme.sh/certs/mydomain.uk_ecc/mydomain.uk.pfx
Sanity check successful
checking for conflicting cert to the one with alias mydomain
cert has no alias
checking cert at alias mydomain
The following certificates will be processed:
    Certificate ID 'mydomain':
        NOT AN X.509 CERT!null
Do you want to import ALL of the above certificates into DCM? [y/N] y
null
$

I am able to import the PKCS12 formatted certificate via the DCM web UI as a client/server certificate.

Should it be possible to import my domain certificate as a client/server certificate?

My overall aim is to use Let's Encrypt for my app certificates, import them to DCM using dcmimport, assign them to my apps using dcmassign and then automate renewal using dcmrenew.
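
Pre-import checks for the PKCS12 conversion described in the post above, as an added example that is not part of the original issue or of DCM-tools: it confirms that the key matches the certificate, that the certificate is not marked as a CA, and that the bundle holds exactly one key and one certificate. The function names and the exported PFX_PASSWORD variable are assumptions, and the checks do not change how dcmimport classifies a certificate.

```bash
#!/usr/bin/env bash
# Added example (not DCM-tools code). Assumes PFX_PASSWORD is exported so the
# password stays off the command line; all function names are hypothetical.

# Succeed only if the private key and the certificate carry the same public key.
key_matches_cert() {
    local k c
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Succeed if basicConstraints marks the certificate as a CA.
is_ca_cert() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# Print how many private keys and certificates a PKCS12 bundle holds.
pfx_contents() {
    local keys certs
    keys=$(openssl pkcs12 -in "$1" -passin env:PFX_PASSWORD -nocerts -nodes \
        2>/dev/null | grep -c 'BEGIN.*PRIVATE KEY' || true)
    certs=$(openssl pkcs12 -in "$1" -passin env:PFX_PASSWORD -nokeys \
        2>/dev/null | grep -c 'BEGIN CERTIFICATE' || true)
    echo "keys=$keys certs=$certs"
}

# Check key and certificate, build the bundle, then verify what went into it.
# Usage: make_client_server_pfx mydomain.uk.key mydomain.uk.cer mydomain.uk.pfx mydomain
make_client_server_pfx() {
    local key=$1 cert=$2 out=$3 name=$4
    key_matches_cert "$key" "$cert" || { echo "key does not match certificate"; return 1; }
    if is_ca_cert "$cert"; then echo "certificate is a CA certificate"; return 1; fi
    openssl pkcs12 -export -inkey "$key" -in "$cert" -name "$name" \
        -out "$out" -passout env:PFX_PASSWORD || return 1
    [ "$(pfx_contents "$out")" = "keys=1 certs=1" ] ||
        { echo "unexpected bundle contents"; return 1; }
    echo "ok"
}
```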

Virgule59 commented 10 months ago

Hi, I have the same issue: I am trying to script importing a certificate as a client/server certificate and assigning it to an application, but the certificate is always imported under Certificate Authority. Is it possible to do that?