Command-line tools for working with Digital Certificate Manager (DCM) on IBM i.
Can be used in conjunction with CertBot to automate the acquisition, assignment, and renewal of LetsEncrypt certificates.
Currently still under development and without complete testing. Proceed at your own risk. I'm not kidding.
dcmimport: Used to import certificates into DCM.
It can be used to import files of type:
- Binary DER-encoded certificate files
- Binary DER-encoded certificate bundles
- Human-readable DER-encoded certificate files
- Human-readable DER-encoded certificate bundles
- JKS trust stores
- JCEKS trust stores
- PKCS#12 or PFX bundles
- A directory containing any of the above
- A .zip file containing any of the above
It can also be used to fetch certificates from a remote host and import to DCM.
dcmexport: Used to export the entire DCM keystore to file.
dcmexportcert: Used to export a single certificate from a DCM keystore to file.
dcmassign: Used to assign a certificate to a registered application.
dcmrenew: Used to renew a certificate, given a new certificate file (for instance, a new LetsEncrypt certificate from CertBot).
dcmview: View contents of a certificate store.
dcmremovecert: Remove a certificate from a certificate store.
dcmrenamecert: Rename a certificate in a certificate store.
dcmcreate: Create a certificate store.
dcmchangepw: Change a certificate store password.
Check out the issues board for this project to see things that may be future enhancements to this toolset.
Feel free to open an issue with any questions, problems, or other comments. If you'd like to contribute to the project, see CONTRIBUTING.md for more information on how to get started.
In any event, we're glad to have you aboard in any capacity, whether as a user, spectator, or contributor!
The ability to "Renew" a certificate (with the dcmrenew tool) requires IBM i 7.4.
yum install https://github.com/ThePrez/DCM-tools/releases/download/v0.3.0/dcmtools-0.3.0-0.ibmi7.2.ppc64.rpm
Or, to build from source, clone this repository and run make install
Usage of the command is summarized as:
Usage: dcmimport [options] [[filename] ..]
Valid options include:
-y: Do not ask for confirmation
--password[=password]: Indicate that the input file is password-protected,
and optionally provide a password
--dcm-store=<system/filename>: Specify the target keystore, or specify 'system'
to indicate the *SYSTEM store (default)
--dcm-password=<password>: Provide the DCM keystore password (not recommended)
--fetch-from=<hostname>[:port] Fetch CA certificate(s) from the given hostname/port
--ca-only Only import CA Certificates
--cert=<id> Recommend a certificate ID when imported into DCM
--installed-certs: import all certificates that are installed into PASE
environment, for instance, certificates in the
ca-certificates-mozilla package
Usage: dcmexport <filename>
Valid options include:
-y: Do not ask for confirmation
--password[=password]: Indicate that the output file is password-protected,
and optionally provide a password
--dcm-store=<system/filename>: Specify the target keystore, or specify 'system'
to indicate the *SYSTEM store (default)
--dcm-password=<password>: Provide the DCM keystore password (not recommended)
--format=<format> Format of the output file (jceks, pks, pkcs12).
(default: pkcs12)
Usage: dcmexportcert [options] <filename>
Valid options include:
-y: Do not ask for confirmation
--dcm-store=<system/filename>: Specify the target keystore, or specify 'system'
to indicate the *SYSTEM store (default)
--dcm-password=<password>: Provide the DCM keystore password (not recommended)
--cert=<id>: ID of the certificate to export
--format=<format>: Format of the output file (PEM/DER).
(default: PEM)
Usage: dcmassign [options] <application_id>...
Valid options include:
-y: Do not ask for confirmation
--cert=<id>: Certificate ID to assign
--dcm-store=<system/filename>: Specify the DCM certificate store, or specify 'system'
to indicate the *SYSTEM store (default)
For application id, specify the id as defined in DCM, or a 'shorthand' identifier.
Valid shorthand identifiers include:
5250
TELNET
HOSTSERVERS
HOSTSERVER
HOSTSVR
CENTRAL
DATABASE
DTAQ
NETPRT
RMTCMD
SIGNON
FILE
DIRSRV
SMTP
FTP
POP
OBJC
Usage: dcmrenew [[filename] ..]
Valid options include:
-y: Do not ask for confirmation
Usage: dcmview [options]
Valid options include:
-y: Do not ask for confirmation
--dcm-store=<system/filename>: Specify the target keystore, or specify 'system'
to indicate the *SYSTEM store (default)
--dcm-password=<password>: Provide the DCM keystore password (not recommended)
Usage: dcmremovecert [options]
Valid options include:
-y: Do not ask for confirmation
--dcm-store=<system/filename>: Specify the target keystore, or specify 'system'
to indicate the *SYSTEM store (default)
--dcm-password=<password>: Provide the DCM keystore password (not recommended)
--label=<label>: Label of the certificate to remove
Usage: dcmrenamecert [options]
Valid options include:
-y: Do not ask for confirmation
--dcm-store=<system/filename>: Specify the target keystore, or specify 'system'
to indicate the *SYSTEM store (default)
--dcm-password=<password>: Provide the DCM keystore password (not recommended)
--old-label=<label>: Label of the certificate to rename
--new-label=<label>: Label of the certificate to rename
Usage: dcmcreate [options]
Valid options include:
-y: Do not ask for confirmation
--dcm-store=<system/filename>: Specify the target keystore, or specify 'system'
to indicate the *SYSTEM store (default)
--dcm-password=<password>: Provide the DCM keystore password (not recommended)
Usage: dcmchangepw [options]
Valid options include:
-y: Do not ask for confirmation
--dcm-store=<system/filename>: Specify the target keystore, or specify 'system'
to indicate the *SYSTEM store (default)
--dcm-password=<password>: Provide the DCM keystore password (not recommended)
--password[=password]: Provide new password (not recommended)
Import certs from file myfile:
dcmimport myfile
Import all PASE-installed certificates (such as ca-certificates-mozilla) into DCM, without asking questions:
dcmimport --installed-certs --target=system --dcm-password=abc123 -y
Import the Java certificates from JV1's Java 8:
dcmimport /QOpenSys/QIBM/ProdData/JavaVM/jdk80/64bit/jre/lib/security/cacerts
Renew a LetsEncrypt certificate:
/opt/certbot/bin/certbot renew
dcmrenew /etc/letsencrypt/live/mydomain.dom/fullchain.pem
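The two renewal commands above can be tied together with a certbot deploy hook, so that dcmrenew runs only when certbot actually issued a new certificate. This is an added example, not code from DCM-tools: it assumes certbot's `--deploy-hook` option and the `RENEWED_LINEAGE` variable certbot exports to such hooks, and `DCMRENEW` is a hypothetical override variable introduced here for dry runs.

```shell
#!/bin/sh
# Added example (not part of DCM-tools): certbot deploy hook for dcmrenew.
# Register with: /opt/certbot/bin/certbot renew --deploy-hook /path/to/this-script
# (the script path is a placeholder). DCMRENEW is a hypothetical override
# variable so the hook can be dry-run against a stub.

DCMRENEW="${DCMRENEW:-dcmrenew}"

# Print the number of PEM certificate blocks in a file (0 if unreadable).
count_pem_certs() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -c -e '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# Validate a certbot lineage directory, then hand its chain to dcmrenew.
# Returns 2 for a missing directory, 3 when fullchain.pem holds no
# certificate, otherwise the exit status of dcmrenew.
renew_dcm_from_lineage() {
    lineage="$1"
    if [ -z "$lineage" ] || [ ! -d "$lineage" ]; then
        echo "lineage directory not found: $lineage" >&2
        return 2
    fi
    chain="$lineage/fullchain.pem"
    n=$(count_pem_certs "$chain")
    if [ "$n" -lt 1 ]; then
        echo "no certificate found in $chain; DCM left unchanged" >&2
        return 3
    fi
    echo "renewing in DCM from $chain ($n certificate(s))" >&2
    "$DCMRENEW" -y "$chain"
}

# certbot exports RENEWED_LINEAGE to deploy hooks only after a successful
# renewal, so nothing is pushed to DCM when no certificate changed.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    renew_dcm_from_lineage "$RENEWED_LINEAGE"
fi
```

Because the hook passes `-y`, it runs unattended; the non-zero return codes let a scheduler or monitoring job flag a renewal that never reached DCM.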
"I wrote some code. It seems to work. ¯\(ツ)/¯"
--@ThePrez, creator of DCM Tools