mksystemcertstore
Use the mksystemcertstore command to create a Secure Sockets Layer (SSL) certificate or a certificate signing request (CSR) for a specific use case.
Syntax
Parameters
- -systemsigned
- (Optional) Generates a system signed SSL certificate.
- -externalsigned
- (Optional) Generates a certificate signing request.
- -scope default | internal_communication | keyserver
- (Optional) Specifies the use case scope for which the certificate is to be generated. Values can be default, internal_communication, or keyserver.
  Note: The internal_communication value can be used only with the -systemsigned parameter.
- -country country
- (Optional) Specifies the two-digit country code.
- -state state
- (Optional) Specifies the state information for the certificate request.
- -locality locality
- (Optional) Specifies the locality information for the certificate request.
- -org organization
- (Optional) Specifies the organization information for the SSL certificate.
- -orgunit organizationunit
- (Optional) Specifies the organization unit information for the SSL certificate.
- -commonname commonname
- (Optional) Specifies the common name server or hostname.
- -email email
- (Optional) Specifies the email address that is used in the SSL certificate.
- -subjectalternativename subject_alternative_name
- (Optional) This parameter allows a value to be specified for the Subject Alternative Name certificate extension field permitted in X.509 version 3 certificates. You can specify this parameter only with the -systemsigned or -externalsigned options. The parameter can specify a value up to 512 characters in length. To include characters such as whitespace, newlines, or other special characters, apply the appropriate bash command-line quoting or escaping to ensure that the value is specified correctly. This is particularly important if non-character delimiters are used to specify multiple alternative names. For more information, see Table 1.
- -keytype keytype
- (Optional) Specifies the SSL certificate key type.
- rsa2048
- ecdsa384
- ecdsa521
- rsa4096
- -validity days
- (Optional) Specifies the number of days (1-9000) that the internally-signed certificate is valid.
Description
Use this command to create a default or use-case-specific SSL certificate. The command can be used for the following items:
- Generate an internally-signed certificate that is signed by the system's root certificate authority (CA). The root certificate has a long validity period and can be installed on browsers, devices, and applications that support chain of trust checking. Internally-signed certificates can be renewed automatically.
- Create a certificate signing request which is copied from the system and sent to an external certificate authority to sign.
Important: You must specify one of the following parameters:
- -systemsigned
- -externalsigned
An invocation example
The following example shows the creation of a new system certificate for the keyserver use case that is signed by the system's internal root CA with automatic renewal enabled:
svctask mksystemcertstore -systemsigned -scope keyserver -commonname virtualize -country GB -locality Manchester -org IBM -orgunit Systems -email support@ibm.com -keytype rsa2048 -validity 355 -subjectalternativename "DNS:test.ibm.com"
The resulting output
System certificate store Object, id [1], successfully created.
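
The constraints listed under Parameters can be checked before the command is sent to the system. The following is an added example, not part of the product documentation or CLI: a POSIX shell pre-flight check that enforces the scope, key type, validity, and 512-character Subject Alternative Name rules, and single-quotes the SAN value so that whitespace survives the command line. The function names build_certstore_cmd and shell_quote are hypothetical, and only the constrained parameters are handled.

```shell
# Added example: pre-flight check for mksystemcertstore arguments.
# Function names are illustrative and not part of the product CLI.

# Quote a value for a POSIX/bash command line: wrap it in single quotes and
# rewrite each embedded ' as '\'' so spaces and newlines survive re-parsing.
shell_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# usage: build_certstore_cmd MODE SCOPE KEYTYPE VALIDITY SAN
# Prints the validated command on stdout; returns 1 with a reason on stderr.
build_certstore_cmd() (
    mode=$1 scope=$2 keytype=$3 validity=$4 san=$5
    case $mode in
        systemsigned|externalsigned) ;;
        *) echo "specify -systemsigned or -externalsigned" >&2; exit 1 ;;
    esac
    case $scope in
        default|keyserver) ;;
        internal_communication)
            [ "$mode" = systemsigned ] || {
                echo "internal_communication requires -systemsigned" >&2; exit 1; } ;;
        *) echo "unknown scope: $scope" >&2; exit 1 ;;
    esac
    case $keytype in
        rsa2048|rsa4096|ecdsa384|ecdsa521) ;;
        *) echo "unknown key type: $keytype" >&2; exit 1 ;;
    esac
    cmd="svctask mksystemcertstore -$mode -scope $scope -keytype $keytype"
    if [ -n "$validity" ]; then
        case $validity in
            *[!0-9]*) echo "validity must be a whole number" >&2; exit 1 ;;
        esac
        [ "$validity" -ge 1 ] && [ "$validity" -le 9000 ] || {
            echo "validity out of range 1-9000" >&2; exit 1; }
        cmd="$cmd -validity $validity"
    fi
    if [ -n "$san" ]; then
        # The page limits the Subject Alternative Name value to 512 characters.
        [ "${#san}" -le 512 ] || { echo "SAN longer than 512 characters" >&2; exit 1; }
        cmd="$cmd -subjectalternativename $(shell_quote "$san")"
    fi
    printf '%s\n' "$cmd"
)

# Constructed call that mirrors the constrained options of the invocation example.
build_certstore_cmd systemsigned keyserver rsa2048 355 "DNS:test.ibm.com"
```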
