Generating and modifying self-signed certificates

If your current self-signed certificate expires or is about to expire, you can generate a new self-signed certificate for the system by using the management GUI or command-line interface (CLI).

Note: Updating the self-signed certificate logs you out of the current session, requiring a fresh login. Features that use certificate authentication (for example, encryption key servers, IP quorum, secured IP partnerships, multifactor authentication with IBM Security Verify) cannot establish a secure connection when the self-signed certificate is renewed. The new self-signed certificate must be exported and added to other devices to re-establish a secure connection.

Using the management GUI

Use the following steps to generate a self-signed certificate from the management GUI.

To generate a new self-signed certificate:
  1. In the management GUI, select Settings > Security > Secure Communications.
  2. Select the self-signed certificate option and complete the form.

To modify an existing self-signed certificate:
  Note: Updating the self-signed certificate logs you out of the current UI session, requiring a fresh login.
  1. From the Update Certificate page, update the Subject Alternate Name field.
     For example, if the system has a single DNS server, enter DNS:dns.myco.com in the Subject Alternate Name field. For multiple values, list each value on a separate line in the field:

     DNS:dns.myco.com
     IP:1.2.3.20
     URI:http:\\www.myco.com
     Email:support@myco.com
  2. Click Update.

Using the command-line interface (CLI)

Use the following steps to generate a self-signed certificate from the command-line interface.

To create a self-signed certificate that uses the RSA 2048 key type and expires in one year, enter the following command:

    chsystemcert -mkselfsigned -keytype rsa2048 -validity 365

After the self-signed certificate is created, it is automatically installed on the system. Other values, such as country, organization, common name, or Subject Alternative Name, can also be specified.

The Chrome browser, and other browsers, require a Subject Alternative Name, which is an extension to the Internet standard for public key certificates. The Subject Alternative Name extension is used to match the name that a client connects to against the site certificate, and each entry can be an email address, an IP address, a URI, or a DNS name. A certificate can contain a collection of these values so that the same certificate can be used for multiple sites.

Note: You must use the -subjectalternativename parameter to include the management hostname or IP address.

For example, to add a DNS name to the Subject Alternative Name extension, include the following parameter in the chsystemcert CLI command:

    -subjectalternativename "DNS:dns.mysystem.com"

For multiple values, separate the entries of the -subjectalternativename parameter with one of the recommended delimiters. Delimiters can be mixed within a single value.

Table 1. Recommended delimiters

  Space (space):
    -subjectalternativename "DNS:dns.myco.com IP:1.2.3.20 URI:http:\\www.myco.com email:support@myco.com"
  Comma (,):
    -subjectalternativename "DNS:dns.myco.com,IP:1.2.3.20,URI:http:\\www.myco.com,email:support@myco.com"
  Semicolon (;):
    -subjectalternativename "DNS:dns.myco.com;IP:1.2.3.20;URI:http:\\www.myco.com;email:support@myco.com"
  Newline (\n), for Linux® or UNIX operating systems:
    -subjectalternativename "DNS:dns.myco.com\nIP:1.2.3.20\nURI:http:\\www.myco.com\nemail:support@myco.com"
  Tab (\t), for Linux or UNIX operating systems:
    -subjectalternativename "DNS:dns.myco.com\tIP:1.2.3.20\tURI:http:\\www.myco.com\temail:support@myco.com"
  Carriage return (\r), for Windows operating systems:
    -subjectalternativename "DNS:dns.myco.com\rIP:1.2.3.20\rURI:http:\\www.myco.com\remail:support@myco.com"
  Carriage return with newline (\r\n), for Windows operating systems:
    -subjectalternativename "DNS:dns.myco.com\r\nIP:1.2.3.20\r\nURI:http:\\www.myco.com\r\nemail:support@myco.com"
For more information about supported delimiters, see the chsystemcert CLI command.
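The following Python script is an added example and is not part of this documentation or of the chsystemcert command. It parses a Subject Alternative Name value in the delimited form that the table above describes (and the one-entry-per-line form that the GUI accepts), checks that each DNS, IP, URI, and email entry is well formed, confirms that the management hostname or IP address is present as the note above requires, and assembles the -subjectalternativename argument for the chsystemcert command. The host names, addresses, and the check_san/build_command helper names are constructed for the example; the real CLI does its own validation, so this is a pre-flight check to run before you renew the certificate and lock yourself out of a session with a certificate that does not cover the management address.

```python
from __future__ import annotations

import ipaddress
import re
from urllib.parse import urlsplit

# Delimiters listed on this page for -subjectalternativename; they may be mixed.
SAN_DELIMITERS = re.compile(r"[ ,;\n\t\r]+")

# Entry types shown in the examples on this page (case-insensitive on input).
SAN_TYPES = ("DNS", "IP", "URI", "EMAIL")

_DNS_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
_EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def split_san(value: str) -> list[str]:
    """Split a delimited SAN string into its TYPE:value entries, ignoring empties."""
    return [entry for entry in SAN_DELIMITERS.split(value) if entry]


def validate_entry(entry: str) -> tuple[str, str]:
    """Return (TYPE, value) for one entry; raise ValueError if it is malformed."""
    if ":" not in entry:
        raise ValueError(f"missing TYPE: prefix in {entry!r}")
    san_type, _, san_value = entry.partition(":")
    san_type = san_type.upper()
    if san_type not in SAN_TYPES:
        raise ValueError(f"unsupported SAN type {san_type!r} in {entry!r}")
    if not san_value:
        raise ValueError(f"empty value in {entry!r}")
    if san_type == "DNS":
        if not all(_DNS_LABEL.match(label) for label in san_value.split(".")):
            raise ValueError(f"invalid DNS name {san_value!r}")
    elif san_type == "IP":
        # ip_address() raises ValueError for anything that is not a valid v4/v6 address;
        # str() gives a canonical form so comparisons below are not spelling-sensitive.
        san_value = str(ipaddress.ip_address(san_value))
    elif san_type == "URI":
        parts = urlsplit(san_value)
        if not parts.scheme or not (parts.netloc or parts.path):
            raise ValueError(f"invalid URI {san_value!r}")
    elif san_type == "EMAIL":
        if not _EMAIL.match(san_value):
            raise ValueError(f"invalid email address {san_value!r}")
    return san_type, san_value


def check_san(value: str, management_hostname: str, management_ip: str) -> dict:
    """Parse and validate a SAN string and report whether it covers the management address."""
    entries = [validate_entry(entry) for entry in split_san(value)]
    names = {(san_type, san_value.lower()) for san_type, san_value in entries}
    covers = (
        ("DNS", management_hostname.lower()) in names
        or ("IP", str(ipaddress.ip_address(management_ip))) in names
    )
    return {"entries": entries, "covers_management": covers}


def build_san(entries: list[tuple[str, str]], delimiter: str = ",") -> str:
    """Join validated entries back into one -subjectalternativename value."""
    return delimiter.join(f"{san_type}:{san_value}" for san_type, san_value in entries)


def build_command(entries: list[tuple[str, str]], validity_days: int = 365) -> str:
    """Assemble the chsystemcert command shown on this page with a SAN argument added."""
    san = build_san(entries, ",")
    return (f'chsystemcert -mkselfsigned -keytype rsa2048 -validity {validity_days} '
            f'-subjectalternativename "{san}"')


# Constructed sample: four entries using three different delimiters, as the table allows.
SAMPLE_SAN = "DNS:dns.myco.com,IP:1.2.3.20;URI:https://www.myco.com\nEmail:support@myco.com"

if __name__ == "__main__":
    result = check_san(SAMPLE_SAN, "dns.myco.com", "1.2.3.20")
    for san_type, san_value in result["entries"]:
        print(f"{san_type:5} {san_value}")
    print("covers management address:", result["covers_management"])
    print(build_command(result["entries"]))
```

The script refuses the whole value on the first malformed entry rather than skipping it, because a silently dropped entry is exactly how a renewed certificate ends up without the management hostname and the next login fails TLS verification.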