
Re: HTTPAPI and Digital Certificate



Sender: Scott Klement <sk@xxxxxxxxxxxxxxxx>


Hi Elbert,

> It created a certificate application, and I assigned a self-signed
> certificate to it.
>
> (GSKit) Certificate is not signed by a trusted certificate authority.
> ssl_error(6000): (GSKit) Certificate is not signed by a trusted
> certificate authority.  SetError() #30: SSL Handshake: (GSKit)
> Certificate is not signed by a trusted certificate author

When you receive a digital certificate from a computer that you connect
to, you have to decide whether or not you trust that computer.  The way
that trust works in SSL is that each certificate is "signed".  It gets a
digital signature from a company.

This company can be anybody, but there are companies like VeriSign and
Thawte that specialize in signing certificates.  Whoever signed the
certificate is called the "certificate authority."

The theory is, if you trust the certificate authority, then you know that
any certificate that they've signed is genuine.  For example, if VeriSign
signed my certificate then VeriSign thinks I'm a real person.  If you
trust VeriSign, then you should also trust me.

If I were a hacker, I wouldn't want you to be able to trace the
certificate back to me, so I wouldn't give VeriSign my information, and
they wouldn't sign a certificate for me.

Hopefully you get the idea...

To get HTTPAPI (or any other SSL application on the iSeries) to trust a
certificate, you have to make sure that the certificate authority for that
certificate is installed on the iSeries, and that your application trusts
it.

The server in the case of EXAMPLE3 uses a certificate from VeriSign which
is installed on the iSeries by default.  All you have to do is tell the
DCM that you trust certificates signed by VeriSign.

To do that:

a) Go into the Digital Certificate Manager (DCM) and log in to the *SYSTEM
certificate store.

b) Select "Manage Applications" -> "Define CA Trust List" -> "Client"

c) Select "SCK_HTTPAPI_EXAMPLES" and click the "Define Trust List" button.

d) The next list will show all of the certificate authorities that are
installed on your iSeries.  Either select all of the certificate
authorities that you'll trust manually, or click the "Trust All" button.

e) Click the OK button at the bottom of the page.


Now try running EXAMPLE3 again.

-----------------------------------------------------------------------
This is the FTPAPI mailing list.  To unsubscribe from the list send mail
to majordomo@xxxxxxxxxxxxx with the body: unsubscribe ftpapi mymailaddr
-----------------------------------------------------------------------
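
The trust-list behaviour described in the message above, as an added example that is not part of the original post: it uses the OpenSSL command line rather than GSKit or the DCM, and shows a certificate being accepted or rejected depending only on which certificate authorities are in the trust list. The CA, the host names and the file names are all constructed for the demo.

```bash
#!/usr/bin/env bash
# Constructed demo PKI: every name, key and certificate here is made up.
DEMO_DIR=$(mktemp -d)

build_demo_pki() {
  # Minimal config so the demo does not depend on a system openssl.cnf.
  cat > "$DEMO_DIR/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
  local req="openssl req -config $DEMO_DIR/demo.cnf -newkey rsa:2048 -nodes"
  # 1. A private certificate authority (a self-signed root).
  $req -x509 -days 1 -subj "/CN=Demo CA" \
    -keyout "$DEMO_DIR/ca.key" -out "$DEMO_DIR/ca.pem" 2>/dev/null
  # 2. A server certificate signed by that CA.
  $req -subj "/CN=server.example" \
    -keyout "$DEMO_DIR/srv.key" -out "$DEMO_DIR/srv.csr" 2>/dev/null
  openssl x509 -req -in "$DEMO_DIR/srv.csr" -days 1 -CA "$DEMO_DIR/ca.pem" \
    -CAkey "$DEMO_DIR/ca.key" -CAcreateserial -out "$DEMO_DIR/srv.pem" 2>/dev/null
  # 3. A self-signed certificate that no CA vouches for.
  $req -x509 -days 1 -subj "/CN=selfsigned.example" \
    -keyout "$DEMO_DIR/self.key" -out "$DEMO_DIR/self.pem" 2>/dev/null
}

# is_trusted TRUST_LIST CERT: succeeds only if CERT chains to a CA in TRUST_LIST.
is_trusted() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

build_demo_pki
# Two trust lists: the demo CA only, and the demo CA plus the self-signed cert.
cat "$DEMO_DIR/ca.pem" > "$DEMO_DIR/trust_ca.pem"
cat "$DEMO_DIR/ca.pem" "$DEMO_DIR/self.pem" > "$DEMO_DIR/trust_both.pem"

for pair in "trust_ca srv" "trust_ca self" "trust_both self"; do
  set -- $pair
  if is_trusted "$DEMO_DIR/$1.pem" "$DEMO_DIR/$2.pem"; then r=trusted; else r=rejected; fi
  echo "trust list $1, certificate $2: $r"
done
```

The middle case corresponds to the error quoted in the message: the certificate itself is well formed, but nothing in the trust list vouches for it.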