apcertmgmt command

The apcertmgmt command updates the platform manager certificates: the certificate for SSL communication with the ETCD server, and the X509 certificate for HTTPS in the REST API. The command is used for custom certificates only.

If you are using IBM-provided certificates, read the Platform Manager certificate patch release notes.

Platform manager uses two communication interfaces that rely on TLS:
  • internal cluster communication (ETCD server, client and peer)
  • HTTPS in the REST API (X509 certificate)

The certificates are updated automatically during upgrade. However, if the system has not been upgraded for a long time, the certificates might expire and, as a result, platform manager stops working. You can use the apcertmgmt command to renew the certificates.


 apcertmgmt [-h] [-q] [-c <cert>] [-k <key>] [-vl [-c <cert>] [-k <key>]]


-h
Shows command help and exits.
-q
Certificates are created and no confirmation is required.
-c|--cert <cert>
Specifies the path to the file with the certificate for the HTTP REST server.
-k|--key <key>
Specifies the path to the file with the key for the HTTP REST server.
-vl
Checks whether the provided certificate and key files are valid and usable for the HTTP REST server. Both the key and cert parameters must be provided for validation.

When used with no arguments, the command runs in interactive mode and either propagates the provided certificates or creates new certificates for the ETCD server, client and peer (internal cluster communication).

When used with the [-c <cert>] [-k <key>] arguments, the command propagates the provided certificate or key for the HTTP REST server.

When used with -vl [-c <cert>] [-k <key>], the command checks whether the provided certificate and key files are valid and usable for the HTTP REST server.
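
An independent pre-check of a custom certificate and key pair with OpenSSL, as an added example that is not part of the IBM documentation and does not reproduce what -vl checks internally. The helper name check_cert_pair, the 30-day threshold and the throwaway self-signed pair are assumptions made for the illustration; it covers the expiry problem described above and a key that does not belong to the certificate.

```shell
#!/bin/sh
# Added example: sanity-check a PEM certificate/key pair before handing
# the files to apcertmgmt -c/-k. check_cert_pair is a hypothetical helper,
# not part of apcertmgmt.
#
# Usage: check_cert_pair <cert.pem> <key.pem> [min_days_valid]
# Returns: 0 ok, 1 certificate does not parse, 2 key does not parse,
#          3 certificate expired or expiring within min_days,
#          4 private key does not match the certificate
check_cert_pair() {
    cert=$1; key=$2; min_days=${3:-30}

    # The certificate must parse as X509
    openssl x509 -in "$cert" -noout 2>/dev/null || return 1

    # The key must parse; "-passin pass:" makes an encrypted key fail
    # instead of prompting for a passphrase
    openssl pkey -in "$key" -noout -passin pass: 2>/dev/null || return 2

    # -checkend N exits non-zero if the certificate expires within N seconds
    openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) \
        >/dev/null 2>&1 || return 3

    # Hash the public key embedded in the certificate and the public key
    # derived from the private key; the two must be identical
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey |
        openssl pkey -pubin -outform DER | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$key" -pubout -outform DER -passin pass: |
        openssl dgst -sha256)
    [ "$cert_pub" = "$key_pub" ] || return 4
    return 0
}

# Demo on a constructed throwaway pair (self-signed, placeholder CN)
tmp=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=constructed.example" \
    -keyout "$tmp/rest.key" -out "$tmp/rest.crt" 2>/dev/null
check_cert_pair "$tmp/rest.crt" "$tmp/rest.key" 30
echo "check_cert_pair exit code: $?"
rm -rf "$tmp"
```

A pair that passes here should still be validated with apcertmgmt -vl -c <cert> -k <key> before it is propagated.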

To run the command, the system must be in the Active state, that is, with the platform manager running and the system application stopped. Depending on the state your system is in, you can run apstop -a to stop the system application, or apstart -p to start the platform manager only.

For more information on running the command, see Running apcertmgmt to update certificates.