Information Center

Viewing server certificate information

To view server certificate information, click Communication > Security. When a secure connection has been attempted, the certificate is sent from the server. Even if the connection is not successful, the certificate might still be available to view. Select a field from the Field list. The value for the selected field is displayed in the Value field. The server's certificate might not contain values for all the fields.

If you cannot complete a secure connection to the server, your client might not trust the server's certificate. If this happens in a telnet session, COMM662 appears in the OIA of the emulator and error message ECL0009 is logged. For FTP sessions, a window appears displaying error message ECL0009. The message also appears in the status bar. To complete the connection, you can extract the appropriate server certificate and add it to the list of trusted CAs. If Show Issuer Certificate is not grayed out, click that button to display the issuer of the server's certificate and extract the issuer's certificate to a file. If Show Issuer Certificate is grayed out, click Extract to save the server's certificate to a file. You can then add it to the list of trusted CAs (for locally-installed clients) or send it to your Z and I Emulator for Web administrator to add to the CustomizedCAs.class on the server (for all other clients).

Administrators can no longer create or update CustomizedCAs.class using the Certificate Management utility (IKEYMAN) on Windows and AIX platforms. In order to update CustomizedCAs.class, they need to run a reverse-migration tool.

Certificates received over the Internet can be forged. The safest way to verify the authenticity of a certificate is to display the finger print of the certificate you have received, and then contact the administrator of the server you are connecting to and ask for the finger print of the certificate on the server. If the finger prints match, you have an authentic certificate and may safely add it to the list of trusted CAs.

Click Show Client Certificate to select and view a client certificate. This is a certificate file that was given to you by the person who requested and received your certificate.

Click Show CAs Trusted by the Client to see a list of CAs that the client can trust. These are the well-known CAs and the CAs listed in the CustomizedCAs.class located on the Z and I Emulator for Web server for download clients or the Z and I Emulator for Web locally-installed client. If the session is configured with Add MSIE browser's keyring set to Yes, then those trusted certificates will be displayed also.

Click Show Issuer Certificate to view information about the issuer of the requesting server's certificate, if it is available. This provides an additional security check because you can check that the certificate is signed by its expected CA.

You cannot view the server's certificate without attempting to connect to the server first. However, you can view your client certificates and see a list of CAs trusted by the client.

Related topics