[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Fw: Certificate is not signed by a trusted certificate authority(fwd)

To: ftpapi@xxxxxxxxxxxxx
Subject: Re: Fw: Certificate is not signed by a trusted certificate authority(fwd)
From: Scott Klement <sk@xxxxxxxxxxxxxxxx>
Date: Wed, 16 Mar 2005 09:43:08 -0600 (CST)
In-reply-to: <005001c528a9$381e2190$cd660a04@NetvistaJay>
References: <20050310172943.X10108@red.klements.com> <20050310181037.D50623@grungy.dstorm.net><005001c528a9$381e2190$cd660a04@NetvistaJay>
Reply-to: ftpapi@xxxxxxxxxxxxx
Sender: owner-ftpapi@xxxxxxxxxxxxx

Sender: Scott Klement <sk@xxxxxxxxxxxxxxxx>

ssl_error(6000): (GSKit) Certificate is not signed by a trusted certificate
authority.

[SNIP]

Verify return code: 19 (self signed certificate in certificate chain)

[SNIP]

So what's happening is that the server is sending you a certificate. In that certificate is info that says "I was signed by XXXXX CA". The idea is that XXXX CA has looked over their credentials and trusts them. so if you trust XXXX CA, you also trust them.

Now, this CA can be one generated from the DCM or a similar piece of software on another operating system. In that case, it's the same thing, you have to say "I trust the CA in their DCM".

In any case, you have to get the CA certificate, install it in your DCM, and tell your application to trust it. (The only difference between VeriSign and the in-house-generated CA's is that VeriSign certificates ship with the DCM, whereas the others have to be downloaded and installed)


I have tried to add their cert to the DCM, but cannot find documentation on
how to do that and have failed at my attempts to DIY.

First of all, you have to get the certificate in the right format. That can be tricky, but the OpenSSL tool that you grabbed from my site does have the ability to perform conversions.

I'm at COMMON this week and don't have access to my iSeries to give you the exact details.

I'd try searching the Information Center for help. If that doesn't work, you can always resort to calling IBM for support. Or, maybe someone else on the list can give you the exact details.

I know this whole certificate thing is a pain in the butt. I'd like to point out, however, that this is actually OS/400 configuration that you're performing. It's not part of HTTPAPI, but part of OS/400. I'm only saying this because I don't want you to think that it's MY product that's giving you headaches :)

-----------------------------------------------------------------------
This is the FTPAPI mailing list.  To unsubsribe from the list send mail
to majordomo@xxxxxxxxxxxxx with the body: unsubscribe ftpapi mymailaddr
-----------------------------------------------------------------------

Follow-Ups:
- Re: Fw: Certificate is not signed by a trusted certificate authority(fwd)
  - From: Jay Peasley
- Re: Fw: Certificate is not signed by a trusted certificate authority(fwd)
  - From: Jay Peasley

References:
- Fw: Certificate is not signed by a trusted certificate authority(fwd)
  - From: Scott Klement
- Re: Fw: Certificate is not signed by a trusted certificate authority(fwd)
  - From: Scott Klement
- Re: Fw: Certificate is not signed by a trusted certificate authority(fwd)
  - From: Jay Peasley

Prev by Date: RE: Pointer math (merging ifs files)
Next by Date: Re: Fw: Certificate is not signed by a trusted certificate authority(fwd)
Previous by thread: Re: Fw: Certificate is not signed by a trusted certificate authority(fwd)
Next by thread: Re: Fw: Certificate is not signed by a trusted certificate authority(fwd)
Index(es):
- Date
- Thread