How to Protect Secure Websites & APIs from Certificates Expiring

If you have encrypted your website, API, Telnet server, or other service with TLS (SSL), good for you!

Now, do you know when those certificates will expire? If they expire without renewal, your service could become unavailable without warning.

In the past, to find expiration dates for digital certificates on IBM i, you’d either have to look in the Digital Certificate Manager (DCM), call the Retrieve Certificate Information (QYCURTVCI, QycuRetrieveCertificateInfo) API, or keep extremely good notes!

CERTIFICATE_INFO, an IBM i service recently delivered by IBM, solves all this. This SQL table function, documented here, returns a result table that contains information about server or Certificate Authority (CA) certificates, including their expiration date.

Here’s how to use CERTIFICATE_INFO to find expiring certificates.

Authorities needed

To call CERTIFICATE_INFO, the user must have *ALLOBJ and *SECADM special authorities and pass the certificate store password as a parameter.

Example: Certificates expiring one month out

The IBM documentation provides a practical example: listing certificates from the *SYSTEM certificate store (the default) that will expire within the next month. Note that the SQL below obtains the certificate store password from a global variable, which could be set elsewhere for security.
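
An added example of such a query, not the IBM documentation's or this article's own SQL: it reads the certificate store password from a global variable and lists certificates in the *SYSTEM store whose validity ends within the next month. The library MYLIB, the variable name CERT_STORE_PW and the DAYS_LEFT column alias are assumptions, and the password value is a placeholder.

```sql
-- Added example. MYLIB and CERT_STORE_PW are hypothetical names.
-- A global variable's assigned value is private to the session that sets it,
-- so the password is not hard-coded in the query itself.
CREATE OR REPLACE VARIABLE MYLIB.CERT_STORE_PW VARCHAR(128);

-- Set once per session by the job that runs the check (placeholder value).
SET MYLIB.CERT_STORE_PW = '<certificate-store-password>';

-- CERTIFICATE_STORE is omitted, so the default *SYSTEM store is read.
-- Certificates that have already expired also match and show a
-- negative DAYS_LEFT, which puts them at the top of the list.
SELECT CERTIFICATE_LABEL,
       VALIDITY_START,
       VALIDITY_END,
       DAYS(VALIDITY_END) - DAYS(CURRENT DATE) AS DAYS_LEFT
  FROM TABLE(QSYS2.CERTIFICATE_INFO(
               CERTIFICATE_STORE_PASSWORD => MYLIB.CERT_STORE_PW))
 WHERE VALIDITY_END < CURRENT TIMESTAMP + 1 MONTH
 ORDER BY VALIDITY_END;
```

The job running this needs the *ALLOBJ and *SECADM special authorities described above.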

Running a simplified version of the example SQL on our system returned these results:
[Figure: CERTIFICATE_INFO table function can identify certificates expiring soon]

This is just one of many ways to help protect your IBM i when you offer APIs and other online access to your systems.

As reported in a previous article on Apache security fixes, we’re helping clients stay on top of web server security. If you’d like to set up a schedule with us, let me know.
