An Automated TLS Certificate Tool
Digital certificates are an increasing part of everyday life in every computer system.
The problem is that the industry wants to make their lifetimes shorter and shorter, and at the moment renewing them is a manual process.
The IT industry came up with a protocol called ACME (Automatic Certificate Management Environment) to automate this renewal process. Let’s Encrypt is a nonprofit organisation that issues and renews TLS certificates for free.
Currently, there is no native IBM i ACME service, so I thought I’d create one. With the help of Rowton IT, I have just published an open-source repository on GitHub called RitFori/RitFori to help with automating the creation and renewal of TLS certificates.
TLS is used to secure traffic between users and applications on the IBM i, for instance HTTP applications. Almost all of the Internet is now covered by TLS using HTTPS.
There are a lot of tools which allow other users on a network to read this traffic. Without TLS this traffic is not secure.
RitFori will place your first certificate into a JKS (Java KeyStore), which is then used to secure the RSE APIs (Remote System Explorer APIs). Using the RSE APIs, RitFori can create and renew your certificates in the IBM i DCM (Digital Certificate Manager).
Your first certificate can also be used for your application, as the certificate is loaded into the JKS and the DCM separately.
It has been tested on V7.4 and V7.5. Currently it does not work on V7.6; it appears to require the E7 and E8 intermediate certificates in order to install the ACME software. I will address this soon.
I have used Cloudflare for the domain API token. I hope that other companies with domain services will have the same token format.
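A DNS provider API token like the Cloudflare one above is normally used for the ACME DNS-01 challenge: the client proves control of the domain by publishing a TXT record derived from the challenge token and its account key, and the provider token is what lets it write that record. The following is an added, stand-alone example of that derivation as specified in RFC 8555 (§8.1 and §8.4) and RFC 7638; it is not RitFori's code, and the account key, challenge token and domain are constructed sample values.

```python
"""Compute the TXT record an ACME client publishes for a DNS-01 challenge.

Added illustration for this post, not RitFori's code. It needs only the
standard library and makes no network calls; SAMPLE_JWK and SAMPLE_TOKEN
below are constructed values, not a real account key or challenge.
"""
import base64
import hashlib
import json
from typing import Tuple


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME uses throughout."""
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint of the account public key.

    Only the required members for the key type are hashed, serialised as
    JSON with lexicographically sorted keys and no whitespace. Optional
    members such as 'alg' or 'kid' must be left out.
    """
    required = {
        "RSA": ("e", "kty", "n"),
        "EC": ("crv", "kty", "x", "y"),
    }[jwk["kty"]]
    canonical = json.dumps(
        {k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":")
    )
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.1: token || '.' || thumbprint(account key)."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def dns01_record(domain: str, token: str, jwk: dict) -> Tuple[str, str]:
    """Return (TXT record name, TXT record value) for the DNS-01 challenge.

    The record lives at _acme-challenge.<domain>. For a wildcard identifier
    the '*.' label is dropped, so '*.example.com' is validated at
    _acme-challenge.example.com. The value is the base64url SHA-256 digest
    of the key authorization string, never the key authorization itself.
    """
    base = domain.rstrip(".")
    if base.startswith("*."):
        base = base[2:]
    name = f"_acme-challenge.{base}"
    digest = hashlib.sha256(key_authorization(token, jwk).encode("utf-8")).digest()
    return name, b64url(digest)


# Constructed sample account key (RSA public JWK) with extra optional members
# to show they do not affect the thumbprint. The modulus is made up.
SAMPLE_JWK = {
    "kty": "RSA",
    "alg": "RS256",
    "kid": "example-account-key",
    "e": "AQAB",
    "n": "u1SU1LfVLPHCozMxH2Mo4lgOEePzNm0tRgeLezV6ffAt0gunVTLw7onLRnrq0_IzW7yWR7QkrmBL7jTKEn5u-qKhbwKfBstIs-bMY2Zkp18gnTxKLxoS2tFczGkPLPgizskuemMghRniWaoLcyehkd3qqGElvW_VDL5AaWTg0nLVkjRo9z-40RQzuVaE8AkAFmxZzow3x-VJYKdjykkJ0iT9wCS0DRTXu269V264Vf_3jvredZiKRkgwlL9xNAwxXFg0x_XFw005UWVRIkdgcKWTjpBP2dPwVZ4WWC-9aGVd-Gyn1o0CLelf4rEjGoXbAAEgAqeGUxrcIlbjXfbcmw",
}

# Constructed sample challenge token (ACME tokens are base64url strings).
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"


if __name__ == "__main__":
    name, value = dns01_record("www.example.com", SAMPLE_TOKEN, SAMPLE_JWK)
    print(f"{name}. IN TXT \"{value}\"")
```

The TXT value is the only thing that needs to be written through the DNS provider's API, so the API token the tool holds only needs permission to edit DNS records in that one zone, and the challenge token itself never appears in DNS. Because the value is a digest of the account key's thumbprint, a record published for one ACME account cannot be reused to satisfy a challenge issued to another.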
There are a couple of places in the setup where manual intervention is currently required. I’m hoping that IBM will cover these sometime in the future. There are two Ideas to vote for, if you are so inclined.
Check out IBM’s Ideas site for further information.
I am also aware that IBM may be working on a solution of their own, as there is an Idea that was submitted in September for native DCM support for the ACME protocol. However, I started to develop this application before that.
I hope that, if you are interested, you will have a look and suggest improvements, report problems or collaborate.