Checking Certificate Expiration

When using RPG API Express to connect to a web service via SSL, you might receive one of the following error messages:

  • “Error during initializing SSL. The value specified for the argument is not correct. RC(24) errno(3021)”
  • “Error performing SSL handshake. There is no error. RC(24-) errno(0)”

This error frequently indicates that one or more certificates have expired. Due to how IBM handles certificates, any expired certificate can cause this error to occur, even if the expired certificate is for an entirely different web service.

The easiest way to resolve this or eliminate it as a possible cause is to check if any certificates have expired, and either replace or remove them.

Checking Certificates

To begin, verify that the *ADMIN HTTP server job is running with the following command:

WRKSBSJOB SBS(QHTTPSVR)

If you don’t see *ADMIN in the list, please run the following command to start it:

STRTCPSVR SERVER(*HTTP) HTTPSVR(*ADMIN)

After you’ve ensured that the *ADMIN server is running, open a web browser (Internet Explorer is recommended), and go to http://YourIBMIPAddress:2001 - you should see a login page as seen below:

Enter your IBM i username and password, and click “Log in”. You should see a page split into two sections - a menu on the left, and a larger content area on the right that looks like the below image:

Click the “IBM i Tasks Page” link.

Now, click the “Digital Certificate Manager” link. You may be prompted to log in again - if you are, enter your IBM i username and password. It is recommended to log into the Digital Certificate Manager on a profile with elevated authority.

After you are logged in, click on the “Select a Certificate Store” button in the far left of the page. Then, select the *SYSTEM store and press the “Continue” button. If you do not see *SYSTEM, you will need to go set up SSL on your IBM i.

It will then prompt you for your *SYSTEM store password. Enter your password and select the “Continue” button.Note: If you do not remember the password, you can simply select “Reset Password” - you will be allowed to reset the password without knowing the previous password.

Next, select “Manage Certificates” on the left:

Click “Check expiration”, and then click “Continue”:

We recommend checking expiration for “Certificate Authority (CA)” first, but you may wish to check expiration for all 3 options. The remaining steps will be the same for each option:

This tool checks both for already expired certificates as well as certificates which will expire in the future. You can adjust how far into the future DCM should check, but simply using the default of 60 days is fine:

As you can see in this screenshot, the system detected one certificate which was expired. Any certificates which are expired can be removed by clicking “Delete”.

DCM will show you the details of the certificate, and ask you to confirm deletion. Click “Yes”:

If the deletion was successful, you should receive a message like this:

You should repeat this process to delete all expired Certificate Authority (CA) certificates. You should also consider performing these steps on “Server or client” and “User” certificates as well.