chsystemcert
Use the chsystemcert command to manage the Secure Sockets Layer (SSL) certificate that is installed on a system.
Syntax
Parameters
- (Optional) Generates a self-signed SSL certificate. If you do not specify -mkselfsigned, you must specify -mkrequest, -export, or -install.
- (Optional) Generates a certificate request. If you do not specify -mkrequest, you must specify -mkselfsigned, -export, or -install.
- (Optional) Installs a certificate. If you do not specify -install, you must specify -mkselfsigned, -mkrequest, or -export.
- (Optional) Exports the current SSL certificate. The certificate is exported to the /dumps/certificate.pem directory on the configuration node. If you do not specify -export, you must specify -mkselfsigned, -mkrequest, or -install.
- (Optional) If specified, this parameter allows free-form input data for the Subject Alternative Name field of the self-signed certificate and the certificate signing request. The new information is included under Requested Extensions and under the subsection X509v3 Extensions: Subject Alternative Name. You can specify this parameter only with -mkselfsigned or -mkrequest.
- For -mkselfsigned, this parameter specifies the 2-digit country code for the self-signed certificate.
- For -mkselfsigned, this parameter specifies the state information for the self-signed certificate. The value can be an ASCII string in the range 0 - 128 characters.
- For -mkselfsigned, this parameter specifies the locality information for the self-signed certificate. The value can be an ASCII string in the range 0 - 128 characters.
- For -mkselfsigned, this parameter specifies the organization information for the SSL certificate. The value can be an ASCII string in the range 0 - 64 characters.
- For -mkselfsigned, this parameter specifies the organization unit information for the SSL certificate. The value can be an ASCII string in the range 0 - 64 characters.
- For -mkselfsigned, this parameter specifies the email address that is used in the SSL certificate. The value can be an ASCII string in the range 0 - 64 characters.
- For -mkselfsigned, this parameter specifies the common name for the SSL certificate. The value can be an ASCII string of 0 - 64 characters.
- Specifies the number of days (1-9000) that the self-signed certificate is valid.
- Specifies the SSL certificate key type.
- rsa2048
- ecdsa384
- ecdsa521
- Specifies the absolute path name of the certificate to install.
- Specifies that the certificate request can be deleted.
Description
Use this command to manage the SSL certificate that is installed on a system. You can also do the following tasks:
- Generate a new self-signed SSL certificate.
- Create a certificate request to be copied from the system and signed by a certificate authority (CA).
  Note: The signed certificate that is returned by the CA can be installed.
- Export the current SSL certificate (for example to allow the certificate to be imported into a key server).
Important: You must specify one of the following parameters:
- -mkselfsigned
- -mkrequest
- -install
- -export
An invocation example to create a self-signed certificate
chsystemcert -mkselfsigned
The detailed resulting output
No feedback
An invocation example to create a self-signed certificate with a common name
chsystemcert -mkselfsigned -commonname weiland.snpp.com
The detailed resulting output
No feedback
An invocation example to create a self-signed certificate with a key type and a 1-year validity period
chsystemcert -mkselfsigned -keytype ecdsa521 -validity 365
The detailed resulting output
No feedback
An invocation example
chsystemcert -mkrequest -country GB -state England -locality Manchester
-org IBM -orgunit Storage -email support@ibm.com -commonname 9.71.47.125 -subjectalternativename
"IP:9.71.47.125 IP:9.71.47.216 IP:9.71.47.238 DNS:tb5hshared2-n1.ssd.hursley.ibm.com DNS:tb5hshared2-n2.ssd.hursley.ibm.com
DNS:tb5hshared2-cl.ssd.hursley.ibm.com DNS:*.ssd.hursley.ibm.com IP:2002:914:fc12:849:9abe:94ff:fe31:9a9\nemail:support@uk.ibm.com
\tURI:https://tb5hshared2-cl.ssd.hursley.ibm.com"
The detailed resulting output
X509v3 Subject Alternative Name:
IP Address:9.71.47.125, IP Address:9.71.47.216, IP Address:9.71.47.238,
DNS:tb5hshared2-n1.ssd.hursley.ibm.com, DNS:tb5hshared2-n2.ssd.hursley.ibm.com,
DNS:tb5hshared2-cl.ssd.hursley.ibm.com, DNS:*.ssd.hursley.ibm.com, IP Address:2002:914:FC12:849:9ABE:94FF:FE31:9A9,
email:support@uk.ibm.com, URI:https://tb5hshared2-cl.ssd.hursley.ibm.com
An invocation example
svctask chsystemcert -mkselfsigned -country GB -state England -locality Manchester
-org IBM -orgunit Systems -commonname 9.71.48.46 -email support@ibm.com -subjectalternativename
"DNS:*.ssd.hursley.ibm.com URI:https://sv1shared4-cl.ssd.hursley.ibm.com,email:support@ibm.com;
IP:9.71.48.46\nIP:9.71.49.35\tIP:9.71.49.46\rIP:9.71.49.44\r\nIP:9.71.49.39;DNS:sv1shared4-cl.ssd.hursley.ibm.com,
DNS:sv1shared4-n1.ssd.hursley.ibm.com DNS:sv1shared4-n2.ssd.hursley.ibm.com\rDNS:sv1shared1-n1.ssd.hursley.ibm.com
\nDNS:sv1shared1-n2.ssd.hursley.ibm.com IP:2001:DB8:85A3:0:0:8A2E:370:7334"
The detailed resulting output
X509v3 extensions:
X509v3 Subject Alternative Name:
DNS:*.ssd.hursley.ibm.com, URI:https://sv1shared4-cl.ssd.hursley.ibm.com, email:support@uk.ibm.com,
IP Address:9.71.48.46, IP Address:9.71.49.35, IP Address:9.71.49.46, IP Address:9.71.49.44,
IP Address:9.71.49.39, DNS:sv1shared4-cl.ssd.hursley.ibm.com, DNS:sv1shared4-n1.ssd.hursley.ibm.com,
DNS:sv1shared4-n2.ssd.hursley.ibm.com, DNS:sv1shared1-n1.ssd.hursley.ibm.com, DNS:sv1shared1-n2.ssd.hursley.ibm.com,
IP Address:2001:DB8:85A3:0:0:8A2E:370:7334
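The two -subjectalternativename examples above mix several separators, and the output normalizes the entries (IP: becomes IP Address:, IPv6 groups are upper-cased). The following Python sketch is an added example, not IBM code: it pre-checks a SAN value before it is passed to chsystemcert and renders it in the output form shown above. The separator set is an assumption inferred from the two examples, and check_san and format_ip are hypothetical helper names.

```python
import ipaddress
import re

# Assumption: separators are those seen in the page's examples: space, comma,
# semicolon, and \n, \t, \r typed literally (or as real control characters).
SEPARATORS = re.compile(r"(?:\\[ntr]|[\s,;])+")
DNS_NAME = re.compile(r"^(\*\.)?([A-Za-z0-9-]{1,63}\.)*[A-Za-z0-9-]{1,63}$")

def format_ip(value):
    """Render an address the way the certificate text output shows it."""
    ip = ipaddress.ip_address(value)  # ValueError on a malformed address
    if ip.version == 4:
        return str(ip)
    raw = ip.packed  # 16 bytes: eight upper-case hex groups, no "::" compression
    return ":".join(f"{int.from_bytes(raw[i:i + 2], 'big'):X}" for i in range(0, 16, 2))

def check_san(arg):
    """Split a -subjectalternativename value; return (entries, warnings)."""
    entries, warnings = [], []
    for token in filter(None, SEPARATORS.split(arg)):
        kind, _, value = token.partition(":")
        if kind == "IP":
            try:
                entries.append("IP Address:" + format_ip(value))
            except ValueError:
                warnings.append(f"invalid IP address: {token}")
        elif kind == "DNS" and DNS_NAME.match(value):
            entries.append(token)
            if value.startswith("*."):
                # Wildcards widen what the certificate vouches for; review them.
                warnings.append(f"wildcard name: {value}")
        elif kind == "email" and value.count("@") == 1:
            entries.append(token)
        elif kind == "URI" and "://" in value:
            entries.append(token)
        else:
            warnings.append(f"unrecognized or malformed entry: {token}")
    return entries, warnings

# Constructed input: part of the page's first example plus one deliberate typo.
SAMPLE = (r"IP:9.71.47.125 DNS:*.ssd.hursley.ibm.com "
          r"IP:2002:914:fc12:849:9abe:94ff:fe31:9a9\nemail:support@uk.ibm.com"
          r"\tURI:https://tb5hshared2-cl.ssd.hursley.ibm.com;IP:9.71.47.999")

if __name__ == "__main__":
    entries, warnings = check_san(SAMPLE)
    print("X509v3 Subject Alternative Name:\n    " + ", ".join(entries))
    for w in warnings:
        print("WARNING:", w)
```

Comparing the rendered entries with the SAN section of the generated request or exported certificate confirms that no entry was dropped or mistyped before the request goes to the CA.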
