Importing console SSL certificates and keys

You can import console X.509 certificates and keys.

Before you begin

You must be assigned the Security administration role with permission to Manage security (Full permission) to perform these steps. You can use the console, the command line interface, or the REST API to complete this task. For the command line and REST API information, see the Related information section.

About this task

As a security administrator, you can import your console Secure Sockets Layer (SSL) certificates and keys into the system without any assistance from an IBM® service representative. You can also restore the original console SSL certificate and key that were on the system before they were updated.
Use the following steps to restore the original SSL certificate that was created during the initial system setup:
  1. Click Security and access > System Security.
  2. Click Console Certificate.
  3. Click Restore Original Certificate.
  4. Click Restore. The following message displays on the console:
    Your settings were changed successfully
    About ten seconds after the request is complete, the console restarts and an information event indicating that the certificate was updated is logged.
  5. Click the web browser refresh icon to confirm that the updated Platform System Manager is working properly.

If you previously updated the certificate and key files using a different manual process and you perform these steps, the certificate and key files that are restored will be those that you manually updated, not the original ones that were provided with the system.

Procedure

Use the following steps to import a self-signed SSL certificate or an SSL certificate chain:

  1. Click Security and access > System Security.
  2. Click Import Certificate and Key.
  3. In the Server Certificate File field, browse to and select the certificate file that you want to import. Certificate files should be in privacy enhanced mail (PEM) format.
    Note: Certificate files in PEM format cannot contain any extended property information and should contain a single encoded certificate, similar to the following example:
    -----BEGIN CERTIFICATE-----   
    MIICHTCCAYYCAxAAATANBgkqhkiG9w0BAQQFADBqMQwwCgYDVQQKEwNUR1AxCjAI
    ...   
    -----END CERTIFICATE-----
  4. In the Private Key File field, browse to and select the key file that you want to import. The key file should be in PEM format.
    The first few lines of a valid key file in PEM format look similar to the following example:
    -----BEGIN RSA PRIVATE KEY-----
    MIIEowIBAAKCAQEA0RLL5O6Or3PsiigRwekXlibcfw4At6E4vqbdhbAB/ErfV/gi
  5. If the private key is encrypted with a passphrase, click Private Key Passphrase and type the passphrase into each input field to ensure that it is typed correctly.
  6. If you are importing a certificate chain, click Certificate Chain File, browse to and select the chain file you want to import. The chain file should contain only the root and/or intermediate CA certificates necessary to complete the chain of trust. The server certificate should not be included in the chain file.
  7. Click Import.
    If the files are successfully uploaded, the following message displays on the console:
    Your settings were changed successfully
    About ten seconds after successfully uploading, the files are validated and applied to the server. If the certificate is valid and successfully applied, the console restarts and an informational event indicating that the console certificate was updated is logged. If the certificate is not valid, an appropriate error event is logged and the existing certificate is retained.
  8. Click the web browser refresh icon to confirm that the updated Platform System Manager is working properly.
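
The file requirements in steps 3 through 6 can be checked before you click Import. The following is an added example, not IBM code or part of the product: it inspects PEM structure only and does not parse or validate the X.509 content. The function names and sample blocks are constructed for illustration, and treating "extended property information" as any text outside the PEM block is an assumption.

```python
import base64
import re

# One PEM block: captures the label and the body between the markers.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----[ \t]*\r?\n(.*?)-----END \1-----", re.S)

def pem_blocks(text):
    """Return [(label, body)] for every PEM block found in text."""
    return [(m.group(1), m.group(2)) for m in PEM_BLOCK.finditer(text)]

def der_of(body):
    """Decode the base64 body of a certificate block to its raw bytes."""
    return base64.b64decode("".join(body.split()))

def check_import_files(cert_pem, key_pem, chain_pem=None):
    """Return a list of findings; an empty list means nothing to fix or note."""
    findings = []
    certs = [b for label, b in pem_blocks(cert_pem) if label == "CERTIFICATE"]
    if len(certs) != 1:
        findings.append(f"server certificate file has {len(certs)} certificates, expected 1")
    # Assumption: "extended property information" is text outside the PEM block,
    # such as the "Bag Attributes" lines left by a PKCS#12 export.
    if PEM_BLOCK.sub("", cert_pem).strip():
        findings.append("server certificate file has text outside the PEM block")
    keys = [(l, b) for l, b in pem_blocks(key_pem) if l.endswith("PRIVATE KEY")]
    if len(keys) != 1:
        findings.append(f"key file has {len(keys)} private keys, expected 1")
    elif keys[0][0].startswith("ENCRYPTED") or "Proc-Type: 4,ENCRYPTED" in keys[0][1]:
        findings.append("private key is encrypted: enter its passphrase on import")
    if chain_pem is not None and certs:
        chain = [der_of(b) for label, b in pem_blocks(chain_pem) if label == "CERTIFICATE"]
        if not chain:
            findings.append("chain file contains no certificates")
        if der_of(certs[0]) in chain:
            findings.append("chain file includes the server certificate")
    return findings

def make_sample_pem(label, payload):
    """Build a constructed PEM block (placeholder bytes, not a real certificate)."""
    body = base64.encodebytes(payload).decode()
    return f"-----BEGIN {label}-----\n{body}-----END {label}-----\n"

# Constructed sample inputs.
SERVER = make_sample_pem("CERTIFICATE", b"constructed-server-cert" * 4)
ROOT = make_sample_pem("CERTIFICATE", b"constructed-root-ca" * 4)
KEY = make_sample_pem("RSA PRIVATE KEY", b"constructed-key" * 4)

if __name__ == "__main__":
    print(check_import_files(SERVER, KEY, ROOT + SERVER))
```
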