chsystemcert

Use the chsystemcert command to manage the Secure Sockets Layer (SSL) certificate that is installed on a system.

Syntax

chsystemcert -mksystemsigned -country country -state state -locality locality -org organization -orgunit organizationunit -commonname commonname -email email -subjectalternativename alternatives_list -keytype keytype -validity days
chsystemcert -mkrequest -country country -state state -locality locality -org organization -orgunit organizationunit -email email -subjectalternativename alternatives_list -keytype keytype -force
chsystemcert -install -file input_file_pathname
chsystemcert -export
chsystemcert -autorenew yes | no
chsystemcert -cancel
chsystemcert -exportrootcacert

Parameters

-mksystemsigned
(Optional) Generates a new certificate that is signed by the system's root certificate authority. The certificate is activated immediately.
-mkrequest
(Optional) Generates a new certificate signing request in /dumps/certificate.csr. The file can be copied from the system and provided to a trusted third-party certificate authority. The certificate authority signs the request and provides a signed certificate that can be installed using the -install and -file parameters.
-country country
(Optional) Specifies the two-digit country code.
-state state
(Optional) Specifies the state information for the certificate request. The value can be an ASCII string in the range 0 - 128 characters.
-locality locality
(Optional) Specifies the locality information for the certificate request. The value can be an ASCII string in the range 0 - 128 characters.
-org organization
(Optional) Specifies the organization information for the SSL certificate. The value can be an ASCII string in the range 0 - 64 characters.
-orgunit organizationunit
(Optional) Specifies the organization unit information for the SSL certificate. The value can be an ASCII string in the range 0 - 64 characters.
-commonname commonname
(Optional) Specifies the common name for the SSL certificate. The value can be an ASCII string in the range 0 - 64 characters.
-email email
(Optional) Specifies the email address that is used in the SSL certificate. The value can be an ASCII string in the range 0 - 64 characters.
-subjectalternativename subject_alternative_name
(Optional) Specifies a value for the Subject Alternative Name certificate extension field that is permitted in X.509 version 3 certificates. You can specify this parameter only with the -mksystemsigned or -mkrequest parameter. The value can be up to 512 characters in length. To include characters such as whitespace, newlines, or other special characters, apply the appropriate bash command-line modifications so that the value is passed correctly. This is particularly important if non-character delimiters are used to specify multiple alternative names. For more information, see Table 1.
-keytype keytype
(Optional) Specifies the SSL certificate key type.
  • rsa2048
  • ecdsa384
  • ecdsa521
  • rsa4096
-validity days
(Optional) Specifies the number of days (1-9000) that the internally signed certificate is valid.
-install
(Optional) Specifies that a certificate is to be installed.
-file input_file_pathname
(Optional) Specifies the absolute path name of the certificate to install.
-export
(Optional) Exports the full chain of installed SSL certificates. The chain is exported to the file /dumps/certificate.pem on the configuration node.
-autorenew yes | no
(Optional) Turns automatic renewal on or off. When turned on, the system certificate will be renewed automatically 30 days before it expires. The -autorenew option is only supported when the certificate is signed by the system's root certificate authority. The default value when using an internally signed certificate is yes.
-cancel
(Optional) Cancels the certificate signing request to the external certificate authority that is currently in progress.
-exportrootcacert
(Optional) Exports the Root CA certificate from the installed SSL certificate chain.
The certificate is exported to the /dumps directory on the configuration node in the following file:
/dumps/rootcacertificate.pem

Description

Use this command to manage the SSL certificate that is installed on a system. The command can be used for the following tasks:
  • Generate an internally signed certificate that is signed by the system's root certificate authority (CA). The root certificate has a long validity period and can be installed on browsers, devices, and applications that support chain of trust checking. Internally signed certificates can be renewed automatically.
  • Create a certificate signing request that is copied from the system and sent to an external certificate authority to sign.
  • Install an externally signed certificate onto the system.
  • Export the full chain of installed certificates.
Important: You must specify one of the following parameters:
  • -mkrequest
  • -mksystemsigned
  • -install
  • -export
  • -exportrootcacert
  • -cancel
  • -autorenew

An invocation example

The following example shows creating a new system certificate that is signed by the system’s internal root CA with automatic renewal enabled:

svctask chsystemcert -mksystemsigned -commonname virtualize -country GB -locality Manchester -org IBM -orgunit Systems -email support@ibm.com -keytype rsa2048 -validity 355 -subjectalternativename "DNS:test.ibm.com"

The resulting output

No feedback.
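
The limits listed under Parameters and the quoting caveat for -subjectalternativename can be checked before a command is sent to the system. The following script is an added example, not part of the IBM documentation or product: it validates each value against the documented limits and prints a -mksystemsigned command with every value single-quoted. The CERT_* variable names and the helper function names are assumptions, as is a receiving shell that follows POSIX single-quote rules.

```shell
#!/bin/sh
# Added example, not IBM code. The CERT_* variable names are assumptions.

# Quote $1 for a POSIX shell: single quotes, embedded ' becomes '\''.
sq() { printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"; }

# check_field NAME VALUE MAX: VALUE must be ASCII and at most MAX characters.
check_field() {
    [ "${#2}" -le "$3" ] || { echo "error: -$1 exceeds $3 characters" >&2; return 1; }
    [ "$(printf '%s' "$2" | LC_ALL=C tr -d '\001-\177' | wc -c)" -eq 0 ] ||
        { echo "error: -$1 is not ASCII" >&2; return 1; }
}

# Append "-FLAG 'VALUE'" to $cmd when VALUE is set (every field is optional).
add() { [ -z "$2" ] || cmd="$cmd -$1 $(sq "$2")"; }

# Print a chsystemcert -mksystemsigned command built from the CERT_* variables,
# or return 1 when a value breaks a limit documented on this page.
build_mksystemsigned() {
    [ -z "$CERT_COUNTRY" ] || [ "${#CERT_COUNTRY}" -eq 2 ] ||
        { echo "error: -country must be 2 characters" >&2; return 1; }
    check_field state "$CERT_STATE" 128 && check_field locality "$CERT_LOCALITY" 128 &&
    check_field org "$CERT_ORG" 64 && check_field orgunit "$CERT_ORGUNIT" 64 &&
    check_field commonname "$CERT_COMMONNAME" 64 && check_field email "$CERT_EMAIL" 64 ||
        return 1
    [ "${#CERT_SAN}" -le 512 ] ||
        { echo "error: -subjectalternativename exceeds 512" >&2; return 1; }
    case "$CERT_KEYTYPE" in
        ''|rsa2048|ecdsa384|ecdsa521|rsa4096) ;;
        *) echo "error: unsupported -keytype" >&2; return 1 ;;
    esac
    case "$CERT_VALIDITY" in
        '') ;;
        *[!0-9]*|?????*) echo "error: -validity must be 1-9000" >&2; return 1 ;;
        *) [ "$CERT_VALIDITY" -ge 1 ] && [ "$CERT_VALIDITY" -le 9000 ] ||
               { echo "error: -validity must be 1-9000" >&2; return 1; } ;;
    esac
    cmd='chsystemcert -mksystemsigned'
    add country "$CERT_COUNTRY"; add state "$CERT_STATE"
    add locality "$CERT_LOCALITY"; add org "$CERT_ORG"
    add orgunit "$CERT_ORGUNIT"; add commonname "$CERT_COMMONNAME"
    add email "$CERT_EMAIL"; add subjectalternativename "$CERT_SAN"
    add keytype "$CERT_KEYTYPE"; add validity "$CERT_VALIDITY"
    printf '%s\n' "$cmd"
}

# Constructed sample values; the organization name contains a space and a quote.
CERT_COUNTRY=GB CERT_ORG="O'Brien Storage" CERT_KEYTYPE=ecdsa384 CERT_VALIDITY=355
build_mksystemsigned
```

The script only prints the command; nothing is run against the system, which matters because -mksystemsigned activates the new certificate immediately.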

An invocation example

The following example shows creating a new certificate signing request that can be provided to an external CA. The resulting CSR file is located at /dumps/certificate.csr on the configuration node:

chsystemcert -mkrequest -commonname virtualize -country GB -locality Manchester -org IBM -orgunit Systems -state England -email support@ibm.com -keytype rsa4096 -subjectalternativename "DNS:test.ibm.com"

The resulting output

No feedback.

An invocation example

The following example shows installing a certificate that has been signed by an external CA and copied to the /dumps directory on the configuration node:

svctask chsystemcert -install -file /dumps/mycertificate.pem

The resulting output

No feedback.

An invocation example

The following example shows exporting the currently installed certificate chain to the /dumps directory on the configuration node:

svctask chsystemcert -export

The resulting output

No feedback.

An invocation example

The following example shows cancelling an outstanding certificate request:

svctask chsystemcert -cancel

The resulting output

No feedback.