Importing trusted server certificates
You may use an external certificate authority (CA) (for example, Verisign or GoDaddy) or an internal CA that distributes its root certificate to the users who need it. The Java Runtime Environment (JRE) is delivered with many root certificates from well-known authorities. If your server's root certificate is not delivered with Java, or your certificates are self-signed, then you must import the certificate manually.
For signed certificates, there might be several levels of intermediate certificates between the root certificate and the server certificate. Only the root certificate must be imported into the product. When a client establishes a connection to the server, the server sends the certificate chain, but it is not required to send the root certificate, because the root certificate is assumed to be already present on the client's computer.
Using the connect and import tool
The amicm_import_cert.sh tool attempts to establish a connection to a server (for example, LDAP or HMC) and obtain the complete certificate chain. If the server uses a self-signed certificate, you can use this tool to obtain the certificate for you. If the certificate is signed by an internal CA, this tool might not work, because the server is not required to send the root certificate.
The following example shows how to connect to an HMC to obtain its certificate:
# /opt/bmc/ami_cm/iocinst/bin/amicm_import_cert.sh hmc1.example.com:6794
Importing cert from /tmp/amicm.pem.KQLC
Certificate found:
Subject : CN=hmc1.example.com,OU=Mainframe Ops,O=The Big Company,L=Houston,ST=TX,C=US
Issuer : CN=hmc1.example.com,OU=Mainframe Ops,O=The Big Company,L=Houston,ST=TX,C=US
SHA1 : 2f:d6:3b:e1:20:bf:b1:02:02:f0:30:de:59:c6:9c:35:2c:4d:b7:86
SHA256 : 5e:58:27:15:76:ac:b1:24:5e:52:a8:35:db:bc:85:29:8d:e6:f6:08:f5:e6:0b:36:15:f9:a0:1c:7e:4f:60:9c
From date : Sun Oct 04 10:36:08 CDT 2020
To date : Wed Oct 02 10:36:08 CDT 2032
Do you trust this certificate and add it to the trust store? (y/n) y
#
The tool displays the relevant certificate information. Verify the SHA1 and the SHA256 fingerprints before accepting.
After you accept, the certificate is stored in the product’s truststore.
Importing from a PEM file
If the import tool reports an incomplete certificate chain, then you must obtain the root certificate from your CA. After you obtain the certificate, copy it to your Linux system and run the mvcm_trust_add.sh tool.
The following example shows how a certificate is imported from a PEM file:
Enter keystore password:
Owner: EMAILADDRESS=postmaster@example.com, CN=localhost.localdomain, OU=Test, O="The Big Company.", L=Houston, ST=Texas, C=US
Issuer: EMAILADDRESS=postmaster@example.com, CN=localhost.localdomain, OU=Test, O="The Big Company.", L=Houston, ST=Texas, C=US
Serial number: 0
Valid from: Tue Jun 21 12:34:16 CDT 2005 until: Mon Jun 16 12:34:16 CDT 2025
Certificate fingerprints:
SHA1: C5:F5:AD:D6:6E:E1:2E:15:75:6A:C2:43:BB:5D:12:43:31:66:D0:2A
SHA256: 9B:3B:F3:4F:14:87:80:3A:52:3C:B2:51:FE:62:24:1D:94:43:8F:24:FF:FE:9B:EA:51:6E:A6:C1:E6:32:E2:15
Signature algorithm name: MD5withRSA (disabled)
Subject Public Key Algorithm: 1024-bit RSA key (weak)
Version: 3
Extensions:
#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 0D BE 7A D8 C2 00 62 28 2B 6D 78 14 FA 45 3A 1F ..z...b(+mx..E:.
0010: FA 6C 33 83 .l3.
]
[EMAILADDRESS=postmaster@example.com, CN=localhost.localdomain, OU=Test, O="The Big Company", L=Houston, ST=Texas, C=US]
SerialNumber: [ 00]
]
#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:true
PathLen: no limit
]
#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 0D BE 7A D8 C2 00 62 28 2B 6D 78 14 FA 45 3A 1F ..z...b(+mx..E:.
0010: FA 6C 33 83 .l3.
]
]
Trust this certificate? [no]: yes
Certificate was added to keystore
#
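Both tools above ask you to accept a certificate after showing its SHA1 and SHA256 fingerprints. The following script is an added example, not part of the product or of its amicm_import_cert.sh / mvcm_trust_add.sh tools; it recomputes the fingerprints from a PEM file independently (for example from the /tmp/amicm.pem.* file the import tool writes, or from the root certificate your CA gave you) and compares them with the fingerprint lines the tool printed, so that the value you accept is one you verified yourself. The helper names (pem_certs, fingerprint, parse_tool_fingerprints, verify_fingerprints) are this example's own. The embedded SAMPLE_PEM is a constructed placeholder (base64 of short byte strings, not real certificates) so that the example runs offline; the PEM parser handles files that contain a whole chain, returning every CERTIFICATE block in file order.

```python
"""Recompute certificate fingerprints and compare them with what the import
tool displayed before you answer "y".  Example code, not the product's own."""
import base64
import hashlib
import re
import sys

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


def pem_certs(text: str) -> list[bytes]:
    """Return the DER bytes of every CERTIFICATE block in a PEM file.

    A file obtained from a server may hold the whole chain (leaf,
    intermediates, root); blocks are returned in file order.
    """
    pattern = re.escape(PEM_BEGIN) + r"(.*?)" + re.escape(PEM_END)
    return [
        base64.b64decode("".join(body.split()))  # drop line breaks, then decode
        for body in re.findall(pattern, text, re.S)
    ]


def fingerprint(der: bytes, algo: str) -> str:
    """Colon-separated lowercase hex digest of the DER encoding, the form the
    import tool prints (e.g. '2f:d6:3b:...').  Fingerprints are hashes of the
    DER bytes, so they can be checked without trusting the tool."""
    digest = hashlib.new(algo, der).digest()
    return ":".join(f"{b:02x}" for b in digest)


def normalize(fp: str) -> str:
    """Canonical form for comparison: keytool prints upper case, the import
    tool lower case, CA documentation sometimes omits the colons."""
    return re.sub(r"[^0-9a-f]", "", fp.lower())


def parse_tool_fingerprints(output: str) -> dict[str, str]:
    """Extract the SHA1/SHA256 lines from amicm_import_cert.sh or keytool output."""
    found = {}
    for line in output.splitlines():
        m = re.match(r"\s*(SHA1|SHA256)\s*:\s*([0-9A-Fa-f:]+)\s*$", line)
        if m:
            found[m.group(1).lower()] = normalize(m.group(2))
    return found


def verify_fingerprints(der: bytes, tool_output: str) -> bool:
    """True only if BOTH fingerprints shown by the tool match the ones computed
    here; a missing fingerprint line counts as a mismatch, not as a pass."""
    shown = parse_tool_fingerprints(tool_output)
    return all(
        shown.get(algo) == normalize(fingerprint(der, algo))
        for algo in ("sha1", "sha256")
    )


# Constructed sample "chain": two placeholder blobs, NOT real certificates.
SAMPLE_PEM = "".join(
    PEM_BEGIN + "\n" + base64.encodebytes(blob).decode() + PEM_END + "\n"
    for blob in (b"abc", b"abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq")
)

# The fingerprint lines exactly as the import tool printed them in the HMC example.
TOOL_OUTPUT = """Certificate found:
Subject : CN=hmc1.example.com,OU=Mainframe Ops,O=The Big Company,L=Houston,ST=TX,C=US
SHA1 : 2f:d6:3b:e1:20:bf:b1:02:02:f0:30:de:59:c6:9c:35:2c:4d:b7:86
SHA256 : 5e:58:27:15:76:ac:b1:24:5e:52:a8:35:db:bc:85:29:8d:e6:f6:08:f5:e6:0b:36:15:f9:a0:1c:7e:4f:60:9c
"""


def main() -> None:
    # Usage: python verify_fingerprints.py /tmp/amicm.pem.KQLC  (path is an example)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PEM
    for i, der in enumerate(pem_certs(text), start=1):
        print(f"certificate #{i} in file")
        print("  SHA1   :", fingerprint(der, "sha1"))
        print("  SHA256 :", fingerprint(der, "sha256"))


if __name__ == "__main__":
    main()
```

Run it against the PEM file before answering the tool's prompt and compare line by line; the last certificate in a chain file is normally the one closest to the root, and only a certificate whose SHA1 and SHA256 both match a value you obtained out of band (from the server administrator or the CA) should be accepted.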