Using the Alpha level Expedite Base/400 with SSL

Obtaining your new certificates and updating your
existing AS/400 application
You will need to obtain two certificates: a client certificate tied to your Information
Exchange account/userid, and the PKI Services Root CA certificate. The new client
certificate, the new root CA and the old root CA should co-exist in the key database
until July 9; after that date only the new root CA will be used.
1. Obtain a client and PKI Services Root CA Certificate
a. Create a certificate using the instructions on the Web site
https://pki.tradinggrid.com/ .
b. Export your certificate to files using the instructions on the Web site under
the heading 'Method 2: Exporting your client certificate and CA as
separate files'.
https://pki.tradinggrid.com/expedite/webdocs.shtml#Process_Information
Make sure "Include all certificates in the certification path if possible" is not
selected when you export the certificate; the .PFX file must hold only your own
certificate and its private key.
Note 1: The iSeries OS/400 DCM (Digital Certificate Manager) is not able to import
the PKI Services certificates directly. Since Internet Explorer can handle the PKI
Services certificates (Trusted Root CA and Client), as well as the formats used by the
iSeries, we first "install" the PKI Services certificates into Internet Explorer and
then "export" them in a format which can be imported into the iSeries. The Trusted
Root CA certificate imported by the iSeries needs to be in PKCS#7 format (.p7b file
extension). The Client (user/Personal) certificate imported by the iSeries needs to be
in PKCS#12 format (.pfx file extension), which bundles the certificate with its
private key.
2. Method 2 instructions:
Exporting certificates - Method 2
Use this method if your client setup instructions tell you to do so. It creates
two export files, one containing your client certificate and private key
(PKCS#12), and another containing IBM's Signer Certificate. Note that for the
iSeries the Signer Certificate is exported as a PKCS#7 (.P7B) file in step 17
below, not as a second PKCS#12 file.
3. Export the certificates (client certificate and private key, and root CA)
Client Certificate and Private Key
Follow steps 1 - 13.
1. Select menu "Tools / Internet Options... / Content / Certificates... / Personal".
2. Choose the certificate you wish to export and click "Export..."
(the "Issued By" column should say PKI Services Root CA2).
3. Select "Next >".
4. Check "Yes, export the private key", then click "Next >".
5. Check "Personal Information Exchange - PKCS #12 (.PFX)", then:
   o Make sure that "Include all certificates in the certification path if possible" is NOT
     selected (the .PFX must contain only your own certificate and private key).
   o Make sure "Enable strong protection (requires IE 5.0, NT 5.0 or above)" is NOT
     selected.
   o Click "Next >".
   Please note - some versions may have the extra check box "Delete the private key if
   the export is successful". Please ensure that this is definitely NOT checked: with it
   checked, the browser discards its own copy of the private key after the export and the
   password-protected .PFX file becomes the only copy you have.
6. Choose a password for the file and click "Next >". This password is all that protects
   the private key inside the .PFX file, and you will need it again when the file is
   imported into DCM, so choose a strong one and keep it to hand.
7. Specify a name for the file and click "Next >".
8. Click "Finish".
9. Click "OK".
10. Click "OK".
11. Click "Close".
12. Click "OK".
13. The certificate is now available in the file you selected in step 7.
IBM's Signer Certificate (PKI Services Root CA certificate)
Perform steps 14 - 22:
14. Select menu "Tools / Internet Options... / Content / Certificates... / Trusted Root
Certification Authorities".
15. Select the new "PKI Services Root CA2" certificate and click "Export...".
16. Click "Next >".
17. Select the "Cryptographic Message Syntax Standard - PKCS #7 Certificates (.P7B)"
    file format, make sure no other options are checked, and click "Next >".
18. Specify a name for the file (ensure you enter a DIFFERENT name from the one you
    entered for the client certificate), then click "Next >".
19. Click "Finish".
20. Click "OK".
21. Click "Close".
22. Click "OK".
You are now finished with the exporting steps.
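Before the two files go anywhere near the AS/400 it is worth confirming that they contain exactly what DCM expects: a .PFX holding one certificate plus its private key (no chain, i.e. the "certification path" box really was left unchecked), and a .P7B holding one self-signed root certificate that actually issued the client certificate. The following POSIX shell script is an added example and is not part of this document or of IBM's Expedite or DCM tooling. It assumes the openssl command-line tool is installed on the PC you export from; the throwaway CA and client certificate it generates in make_sample_files are a constructed stand-in for PKI Services Root CA2 and your Information Exchange client certificate, and the file names and the password "secret" are placeholders.

```shell
#!/bin/sh
# Added example (not from the original document): sanity-check the .PFX and .P7B
# exported from Internet Explorer before they are FTP'd to the AS/400.
# Checks:
#   - the .PFX holds exactly one certificate plus one private key (no chain)
#   - the .P7B holds exactly one certificate and it is self-signed (a root CA)
#   - the client certificate was issued by that root and has not expired
# Assumes the openssl CLI. The CA/client pair built in make_sample_files is a
# constructed stand-in for PKI Services Root CA2 and a client certificate.
set -e
WORK=${WORK:-$(mktemp -d)}

# Print the certificates in a .P7B whether it is DER (what IE writes) or PEM.
p7b_certs() {
  openssl pkcs7 -in "$1" -inform DER -print_certs 2>/dev/null \
    || openssl pkcs7 -in "$1" -inform PEM -print_certs 2>/dev/null
}

# $1 = .pfx file, $2 = its password; prints only the certificates it contains.
pfx_certs() { openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null; }

pfx_cert_count() { pfx_certs "$1" "$2" | grep -c 'BEGIN CERTIFICATE' || true; }
p7b_cert_count() { p7b_certs "$1" | grep -c 'BEGIN CERTIFICATE' || true; }
pfx_private_key_count() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
    | grep -c 'BEGIN.*PRIVATE KEY' || true
}

# Read one DN field (subject|issuer) of the first PEM certificate on stdin.
# Both sides of every comparison come from the same openssl build, so the
# textual DN format is consistent and a plain string compare is enough.
x509_field() { openssl x509 -noout -"$1" | sed "s/^$1=//"; }

# $1 = .pfx, $2 = .pfx password, $3 = .p7b. Returns 0 only if every check passes.
check_export() {
  ok=0
  [ "$(pfx_cert_count "$1" "$2")" -eq 1 ] \
    || { echo "FAIL: .pfx must hold exactly one certificate (was the chain included?)"; ok=1; }
  [ "$(pfx_private_key_count "$1" "$2")" -eq 1 ] \
    || { echo "FAIL: .pfx does not hold the private key"; ok=1; }
  [ "$(p7b_cert_count "$3")" -eq 1 ] \
    || { echo "FAIL: .p7b must hold exactly one (root CA) certificate"; ok=1; }
  root_subject=$(p7b_certs "$3" | x509_field subject)
  root_issuer=$(p7b_certs "$3" | x509_field issuer)
  [ "$root_subject" = "$root_issuer" ] \
    || { echo "FAIL: .p7b certificate is not self-signed, so it is not the root CA"; ok=1; }
  client_issuer=$(pfx_certs "$1" "$2" | x509_field issuer)
  [ "$client_issuer" = "$root_subject" ] \
    || { echo "FAIL: client certificate was not issued by the CA in the .p7b"; ok=1; }
  pfx_certs "$1" "$2" | openssl x509 -noout -checkend 0 >/dev/null \
    || { echo "FAIL: client certificate has expired"; ok=1; }
  return $ok
}

# Constructed sample data: a self-signed root, a client cert it issued, and the
# three export files (one correct .pfx, one wrong .pfx with the chain, one .p7b).
make_sample_files() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Sample PKI Services Root CA2" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=SAMPLE IE USERID" \
    -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
  openssl x509 -req -days 365 -in "$WORK/client.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/client.crt" 2>/dev/null
  # Correct export: certificate + key only, as when the path box is unchecked.
  openssl pkcs12 -export -in "$WORK/client.crt" -inkey "$WORK/client.key" \
    -passout pass:secret -out "$WORK/client.pfx"
  # Wrong export: the certification path was included, so two certificates.
  openssl pkcs12 -export -in "$WORK/client.crt" -inkey "$WORK/client.key" \
    -certfile "$WORK/ca.crt" -passout pass:secret -out "$WORK/client-with-chain.pfx"
  # Root CA alone in a DER PKCS#7, like the IE .P7B export.
  openssl crl2pkcs7 -nocrl -certfile "$WORK/ca.crt" -outform DER -out "$WORK/rootca.p7b"
}

if [ $# -ge 3 ]; then
  check_export "$1" "$2" "$3"          # usage: sh checkexport.sh my.pfx pfxpassword rootca.p7b
else
  make_sample_files
  check_export "$WORK/client.pfx" secret "$WORK/rootca.p7b" && echo "sample export files pass"
  if check_export "$WORK/client-with-chain.pfx" secret "$WORK/rootca.p7b"; then
    echo "unexpected: the .pfx with the chain should have been rejected"
  fi
fi
```

Run it with your own file names and .PFX password as the three arguments; with no arguments it exercises the checks against the constructed sample files, including the rejected .PFX that carries the CA chain. The .P7B reader tries DER first because that is the encoding the IE wizard writes for PKCS #7.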
4. FTP the certificate files to the AS/400
a. After logging in, change the directory to a directory of your choice, for
example "/tmp" (please ensure you use an IFS subdirectory only).
b. Change to binary mode. Both files are binary (DER) encoded; an ASCII-mode
transfer would corrupt them and the DCM import would fail.
c. Transfer the PKCS#12 client file, which was exported from your Internet
Explorer browser, to the AS/400.
d. Similarly, transfer the new PKI Services Root CA certificate (the .P7B file) to
the AS/400.
Note: plain FTP sends your AS/400 login and the file contents in the clear, and the
.PFX file carries your private key protected only by the password chosen in step 6.
Transfer it over a trusted network (or a TLS-protected FTP session if your AS/400
FTP server offers one), confirm the transferred file sizes match the originals, and
delete both files from the IFS directory once the DCM import is complete.
5. Managing Certificates in DCM
a. Using Internet Explorer, go to http://AS400HOST:2001 (replace AS400HOST with
the IP address or host name of your AS/400). Over plain HTTP your AS/400 password
and the certificate store password travel in the clear; use the HTTPS address of the
administration server instead if one has been configured on your system.
b. Log in.
c. Enter your AS/400 id and password and press "OK".
d. From the main tasks page, select "Digital Certificate Manager".
e. Then press the "Select a Certificate Store" button.
f. To assign a certificate to an application id, you must select the "*SYSTEM"
store, and press "Continue".
NOTE: if the *SYSTEM store doesn't exist, you can create it by selecting the "Create
New Certificate Store" link on the left.
g. Enter the password and press "Continue".
h. Click on the "Manage Certificates" link.
i. Select "Import Certificate" and press "Continue".
j. Select "Certificate Authority (CA)" and press "Continue".
k. Enter the location (IFS path) of the new PKI Services Root CA2 certificate, the
.P7B file you transferred, and press "Continue".
l. Enter a label for the certificate, e.g. "PKI Services Root CA2 Certificate
2011", and press "Continue".
m. The PKI Services Root CA2 is now imported.
n. Click on the "Import certificate" link on the left.
o. Select "Server or client" and press "Continue".
p. Enter the IFS path of the PKCS#12 client file that you FTP'd to your AS/400
and press "Continue".
(Note: "Include all certificates in the certification path if possible" should not
have been selected when you exported your certificate from Internet Explorer; the
file must contain only your own certificate and private key.)
q. Enter the PKCS#12 file's password (chosen in step 6) and press "Continue".
r. No need to press "OK". The certificate is now imported.
s. Click on the "Manage Applications" link (we have done a "Collapse All" to keep
the screen tidy).
t. Select the "Update certificate assignment" link.
u. Select "Client" and press "Continue".
v. Select the radio button of your existing Application and press "Update
Certificate Assignment".
w. Select the certificate you just imported. The Certificate Name (the label) may
or may not be useful, but the "Common name" should be recognizable.
x. Press "Assign New Certificate".
y. Click on the "Define CA trust list" link (in the "Manage Applications"
pull-down).
z. Select "Client" and press "Continue".
aa. Select your application.
bb. Press "Define CA Trust List".
cc. Select the PKI Services Root CA2 Certificate 2011 (the label you gave it in
step l) and press "OK". You should get a message on the screen saying "Certificate
Authority (CA) changes applied.". Do not remove the old PKI Services root CA from
the store or the trust list before July 9; as stated in the introduction, the old
and new roots are meant to co-exist until then.
dd. The certificate configuration is now complete.
ee. You should be able to use your existing job with the application id you just
updated.