chsystemcert

Use the chsystemcert command to manage the Secure Sockets Layer (SSL) certificate that is installed on a system.

Syntax

chsystemcert { -mkselfsigned | -mkrequest | -install | -export }
  [ -subjectalternativename subject_alternative_name ]
  [ -country country ] [ -state state ] [ -locality locality ]
  [ -org organization ] [ -orgunit organizationunit ]
  [ -email email ] [ -commonname commonname ]
  [ -keytype keytype ] [ -validity days ] [ -file input_file_pathname ]

Parameters

-mkselfsigned
(Optional) Generates a self-signed SSL certificate. If you do not specify -mkselfsigned, you must specify -mkrequest, -export, or -install.
-subjectalternativename subject_alternative_name
(Optional) If specified, this parameter allows free-form input data for the Subject Alternative Name field of the self-signed certificate and the certificate signing request. The new information is included under Requested Extensions and under the subsection X509v3 Extensions: Subject Alternative Name. You can specify this parameter only with -mkselfsigned or -mkrequest. The value can be an ASCII string in the range 0 - 512 characters.
-country country
(Optional) Specifies the two-character country code (for example, GB).
-state state
(Optional) For -mkselfsigned, this parameter specifies the state information for the self-signed certificate. The value can be an ASCII string in the range 0 - 128 characters.
-locality locality
(Optional) For -mkselfsigned, this parameter specifies the locality information for the self-signed certificate. The value can be an ASCII string in the range 0 - 128 characters.
(Optional) Specifies the locality information for the certificate request. The value can be an ASCII string in the range 0 - 128 characters.
-org organization
(Optional) For -mkselfsigned, this parameter specifies the organization information for the SSL certificate. The value can be an ASCII string in the range 0 - 64 characters.
(Optional) Specifies the organization information for the SSL certificate. The value can be an ASCII string in the range 0 - 64 characters.
-orgunit organizationunit
(Optional) For -mkselfsigned, this parameter specifies the organization unit information for the SSL certificate. The value can be an ASCII string in the range 0 - 64 characters.
(Optional) Specifies the organization unit information for the SSL certificate. The value can be an ASCII string in the range 0 - 64 characters.
-email email
(Optional) For -mkselfsigned, this parameter specifies the email address that is used in the SSL certificate. The value can be an ASCII string in the range 0 - 64 characters.
(Optional) Specifies the email address that is used in the SSL certificate. The value can be an ASCII string in the range 0 - 64 characters.
-commonname commonname
(Optional) For -mkselfsigned, this parameter specifies the common name for the SSL certificate. The value can be an ASCII string in the range 0 - 64 characters.
(Optional) Specifies the common name for the SSL certificate. The value can be an ASCII string in the range 0 - 64 characters.
-validity days
(Optional) Specifies the number of days (1-9000) that the self-signed certificate is valid.
-keytype keytype
(Optional) Specifies the SSL certificate key type.
  • rsa2048
  • ecdsa384
  • ecdsa521
-file input_file_pathname
(Optional) Specifies the absolute path name of the certificate to install.
-install
(Optional) Installs a certificate on the system. Use -file to give the path name of the certificate to install.
-export
(Optional) Exports the full chain of installed SSL certificates. The chain is exported to /dumps/certificate.pem on the configuration node.
-force
(Optional) Specifies that the certificate request can be deleted.
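
The limits in the parameter list above can be checked before a command is sent to the system. The following pre-flight check is an added example, not IBM code: the function names build_chsystemcert and check_san are hypothetical, the separators accepted in the Subject Alternative Name string are an assumption taken from the invocation examples on this page, and the host names and addresses used with it are constructed.

```python
import ipaddress
import re
# Limits copied from the parameter descriptions on this page.
MAX_LEN = {"state": 128, "locality": 128, "org": 64, "orgunit": 64,
           "email": 64, "commonname": 64, "subjectalternativename": 512}
KEY_TYPES = {"rsa2048", "ecdsa384", "ecdsa521"}
MODES = {"mkselfsigned", "mkrequest", "install", "export"}

def check_san(san):
    """Return findings for a free-form Subject Alternative Name string."""
    findings = []
    # Assumption: entries are TYPE:value tokens separated by whitespace, ',' or ';'.
    for token in filter(None, re.split(r"[\s,;]+", san)):
        kind, _, value = token.partition(":")
        if kind == "IP":
            try:
                ipaddress.ip_address(value)
            except ValueError:
                findings.append(f"invalid IP entry: {token}")
        elif kind == "DNS" and value.startswith("*."):
            findings.append(f"wildcard DNS entry, confirm it is intended: {token}")
        elif kind not in ("DNS", "URI", "email"):
            findings.append(f"unrecognised SAN entry: {token}")
    return findings

def build_chsystemcert(mode, **fields):
    """Return (argv, findings); send argv only when findings is empty."""
    findings = [] if mode in MODES else [f"unknown mode: -{mode}"]
    argv = ["chsystemcert", f"-{mode}"]
    for name, value in fields.items():
        text = str(value)
        argv += [f"-{name}", text]
        if not text.isascii():
            findings.append(f"-{name} is not ASCII")
        if len(text) > MAX_LEN.get(name, len(text)):
            findings.append(f"-{name} is longer than {MAX_LEN[name]} characters")
    if "country" in fields and len(str(fields["country"])) != 2:
        findings.append("-country must be a two-character code")
    if "keytype" in fields and fields["keytype"] not in KEY_TYPES:
        findings.append(f"-keytype must be one of {sorted(KEY_TYPES)}")
    days = str(fields.get("validity", 1))
    if not (days.isdecimal() and 1 <= int(days) <= 9000):
        findings.append("-validity must be 1-9000 days")
    if "subjectalternativename" in fields:
        if mode not in ("mkselfsigned", "mkrequest"):
            findings.append("-subjectalternativename needs -mkselfsigned or -mkrequest")
        findings += check_san(str(fields["subjectalternativename"]))
    if not str(fields.get("file", "/")).startswith("/"):
        findings.append("-file must be an absolute path")
    return argv, findings
```

A masked address such as IP:xxx.xxx.x.xxx copied from the examples is reported as an invalid IP entry, which catches placeholder values before they reach a certificate or signing request.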

Description

Use this command to manage the SSL certificate that is installed on a system. The command can be used for the following items.
  • Generate a self-signed certificate that is signed by the system's root certificate authority (CA). The root certificate has a long validity period and can be installed on browsers, devices and applications that support chain of trust checking. Self-signed certificates can be renewed automatically.
  • Create a certificate signing request which is copied from the system and sent to an external certificate authority to sign.
  • Install an externally signed certificate on to the system.
  • Export the full chain of installed certificates.
Important: You must specify one of the following parameters:
  • -mkselfsigned
  • -mkrequest
  • -install
  • -export

An invocation example to create a self-signed certificate

chsystemcert -mkselfsigned

The resulting output

No feedback.

An invocation example to create a self-signed certificate with a common name

chsystemcert -mkselfsigned -commonname weiland.snpp.com

The resulting output

No feedback.

An invocation example to create a self-signed certificate with a key type and a 1-year validity period

chsystemcert -mkselfsigned -keytype ecdsa521 -validity 365

The resulting output

No feedback.

An invocation example

The following example shows how to create a certificate signing request for an external certificate authority:

chsystemcert -mkrequest -country GB -state England -locality Manchester -org IBM -orgunit Storage -email support@ibm.com -commonname xxx.xxx.x.xxx -subjectalternativename "DNS:test-cluster.ibm.com DNS:test-node1.ibm.com DNS:test-node2.ibm.com IP:xxx.xxx.x.xxx IP:xxx.xxx.x.xxx IP:xxx.xxx.x.xxx"

The detailed resulting output

No feedback.

An invocation example

svctask chsystemcert -mkselfsigned -country GB -state England -locality Manchester
 -org IBM -orgunit Systems -commonname x.xx.xx.xx -email support@ibm.com -subjectalternativename
 "DNS:*.ssd.hursley.ibm.com URI:https://sv1shared4-cl.ssd.hursley.ibm.com,email:support@ibm.com;
IP:x.xx.xx.xx\nIP:x.xx.xx.xx\tIP:x.xx.xx.xx\rIP:x.xx.xx.xx\r\nIP:x.xx.xx.xx;DNS:sv1shared4-cl.ssd.hursley.ibm.com,
DNS:sv1shared4-n1.ssd.hursley.ibm.com DNS:sv1shared4-n2.ssd.hursley.ibm.com\rDNS:sv1shared1-n1.ssd.hursley.ibm.com
\nDNS:sv1shared1-n2.ssd.hursley.ibm.com IP:xxxx:xxx:xxxx:x:x:xxxx:xxx:xxxx"

The detailed resulting output

No feedback.