I looked at letsencrypt and zerossl and decided on zero because I liked the support, the 1 year certs, and their API. The API supports ACME but hey, I call myself a programmer so I rolled my own. I use their email authentication through an automated method I created, but they do have DNS record authentication too. And of course a script runs on my server to put the new certs in place and reload httpd.

It's those last couple of steps that I assume would need to be done manually on an HMC via GUI. Or maybe IBM has addressed this and provides an API or similar? I never asked, possibly because every HMC I've ever touched, whether mainframe or peripheral, came up with a self-signed key warning. But in their defense, most are only accessible in the datacenter or behind a difficult-to-access jump box.

On 8/29/2023 12:38 PM, Grant Taylor wrote:
Let's Encrypt supports multiple authentication methods. One of which is DNS based and can be used to authenticate an FQDN that can be resolved via the public DNS tree.

This means that you can use an ACME client which supports DNS authentication -- there are multiple -- to request a certificate for an FQDN that is not accessible from the Internet.  Ergo it is possible to get a certificate that is signed by Let's Encrypt, a well known CA, which you can then install in your HMC.

However, this will become labor intensive as you will need to do this roughly every 90 days.

You could also play other games wherein you have an Internet accessible web server running a fully automated ACME client. Have it act as a proxy of sorts to provide a certificate and key for use on the HMC. -- Is this advisable, nope, not at all. Would it work, I think so. I'd bet a fast food meal that it would work.

Aside: What is a "real CA" other than one that has their root certificate(s) installed in clients? }:-)
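The DNS-based method described in the quoted message works because the CA only needs to see a TXT record under the name, never the host itself. As an added illustration that is not part of this thread and not any ACME client's own code, here is how the DNS-01 challenge response is derived per RFC 8555 section 8.4 and RFC 7638, using a constructed account JWK and token (the key material and token below are made up for the example).

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of the required members.

    Only the required members of the key type are hashed, lexically ordered,
    with no whitespace; extra members such as 'kid' or 'alg' are ignored.
    """
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """TXT value to publish: base64url(SHA-256(token '.' thumbprint(account key)))."""
    key_authorization = f"{token}.{jwk_thumbprint(account_jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("utf-8")).digest())


def dns01_record(fqdn: str, token: str, account_jwk: dict) -> tuple:
    """Return (record name, TXT value) the DNS operator must publish for this FQDN."""
    name = "_acme-challenge." + fqdn.rstrip(".")
    return name, dns01_txt_value(token, account_jwk)


# Constructed sample input: a P-256 account key with dummy coordinates and a
# dummy challenge token, shaped like real values but not real key material.
SAMPLE_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": b64url(b"\x01" * 32),
    "y": b64url(b"\x02" * 32),
    "kid": "https://ca.example/acme/acct/1",  # ignored by the thumbprint
}
SAMPLE_TOKEN = b64url(b"\x03" * 32)

if __name__ == "__main__":
    name, value = dns01_record("hmc.internal.example.", SAMPLE_TOKEN, SAMPLE_JWK)
    print(f'{name}. IN TXT "{value}"')
```

Once the record is visible in public DNS the CA validates it and the resulting certificate can be installed on the HMC by whatever means that appliance offers; the only piece that must be Internet-reachable is the zone.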

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN