More On Certificates
This month I have added some useful information about certificates on the IBM i.
Let’s Encrypt Certificates
In case you are not aware, Let’s Encrypt is changing the Root and Intermediate Certificate Authorities. Look up “Chains of Trust”.
The changes won’t take effect until May 2026 by default.
The new CAs can be downloaded from
github/letsencrypt – website repository – static – certs – gen-y
The .der files can be loaded by uploading them from a PC to DCM and then importing the CA manually.
I will be adding this process to RITFORI (see last month’s article).
From the 11th February 2026 you can use the following to get the new CAs with a certificate:
- Acme --certificate-profile tlsserver
- Certbot --preferred-profile tlsserver
Certificate enquiries using SQL
Finally, here are 2 certificate enquiries using SQL:
SQL to find DCM certificates that expire in x days. In this case 15.
select CERTIFICATE_LABEL as CERT_LABEL,
       VALIDITY_START,
       VALIDITY_END,
       SUBJECT_COMMON_NAME as SUBJECT_CN,
       ISSUER_COMMON_NAME as ISSUER_CN
  from table (
         QSYS2.CERTIFICATE_INFO
           (CERTIFICATE_STORE_PASSWORD => '*NOPWD',
            CERTIFICATE_STORE => '*SYSTEM')
       )
 where date(VALIDITY_END) < current date + 15 days
 order by VALIDITY_END
SQL to find CAs and certificates from Let’s Encrypt.
select CERTIFICATE_LABEL as CERT_LABEL,
       VALIDITY_START,
       VALIDITY_END,
       SUBJECT_COMMON_NAME as SUBJECT_CN,
       ISSUER_COMMON_NAME as ISSUER_CN
  from table (
         QSYS2.CERTIFICATE_INFO
           (CERTIFICATE_STORE_PASSWORD => '*NOPWD',
            CERTIFICATE_STORE => '*SYSTEM')
       )
 where ISSUER_ORGANIZATION = 'Let''s Encrypt '
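An added example, not part of the original article: after importing the new Let's Encrypt CAs into DCM, this query checks that every Let's Encrypt-issued certificate in *SYSTEM has its issuing CA in the same store, and shows the days left on each. It assumes issuer and subject can be matched on common name; the names STORE, CHAIN, ISSUER_CA_END, DAYS_LEFT and CHAIN_STATUS are illustrative.

```sql
-- Added example: chain and expiry check for Let's Encrypt certificates.
-- Assumption: a certificate's issuer is matched to a CA in the store by
-- comparing ISSUER_COMMON_NAME with the CA's SUBJECT_COMMON_NAME.
with STORE as (
  -- One read of the *SYSTEM store, reused for certificates and CAs
  select CERTIFICATE_LABEL,
         SUBJECT_COMMON_NAME,
         ISSUER_COMMON_NAME,
         ISSUER_ORGANIZATION,
         VALIDITY_END
    from table (
           QSYS2.CERTIFICATE_INFO
             (CERTIFICATE_STORE_PASSWORD => '*NOPWD',
              CERTIFICATE_STORE => '*SYSTEM')
         )
),
CHAIN as (
  -- For each Let's Encrypt-issued entry, find the latest expiry date of
  -- any store entry whose subject is that issuer (NULL if none is loaded)
  select c.CERTIFICATE_LABEL,
         c.SUBJECT_COMMON_NAME,
         c.ISSUER_COMMON_NAME,
         c.VALIDITY_END,
         (select max(date(ca.VALIDITY_END))
            from STORE ca
           where ca.SUBJECT_COMMON_NAME = c.ISSUER_COMMON_NAME
         ) as ISSUER_CA_END
    from STORE c
   where c.ISSUER_ORGANIZATION = 'Let''s Encrypt'
)
select CERTIFICATE_LABEL as CERT_LABEL,
       SUBJECT_COMMON_NAME as SUBJECT_CN,
       ISSUER_COMMON_NAME as ISSUER_CN,
       VALIDITY_END,
       days(date(VALIDITY_END)) - days(current date) as DAYS_LEFT,
       case
         when ISSUER_CA_END is null then 'ISSUER CA NOT IN STORE'
         when ISSUER_CA_END < current date then 'ISSUER CA EXPIRED'
         when date(VALIDITY_END) < current date then 'CERTIFICATE EXPIRED'
         when date(VALIDITY_END) < current date + 15 days then 'EXPIRES WITHIN 15 DAYS'
         else 'OK'
       end as CHAIN_STATUS
  from CHAIN
 order by CHAIN_STATUS, VALIDITY_END
```

Rows flagged ISSUER CA NOT IN STORE point to a CA that still needs to be imported before the certificate will validate.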
More information can be found at Digital Certificate Manager for i (DCM) - Frequently Asked Questions and Common Tasks.