Updating or creating an internally signed partition certificate

You can create an internally signed partition certificate by using the management GUI or command-line interface (CLI).

Using the management GUI

To configure an internally signed partition certificate, complete these steps:
  1. If the root certificate has not already been exported, export the root certificate to other systems, web browsers, and devices that require secure communications with the system. For more information, see Export partition certificate.
  2. In the management GUI, select Settings > Security > Certificates.
  3. On the Certificates page, the certificate details are displayed.
    Automatic renewal of the system certificate

    The partition certificate can be renewed automatically if it is signed by the system root CA. To turn automatic renewal on, go to Settings > Security > Certificates, open the certificate in question and set automatic renewal to On. The default validity period of the system certificate is one year. If automatic renewal is On, the system certificate is renewed thirty days before the expiry date. If the remaining validity period of the system certificate is already fewer than thirty days, the system attempts renewal during its next scheduled check (performed every eight hours).

    The renewed certificate contains all of the same field values, key type and validity period details as the previous certificate.

  4. Go to any partition certificate, click the overflow menu and select Replace, or click Create and then select the scope of the certificate from the drop-down menu.
  5. Select Internally Signed Certificate for the certificate type.
  6. If you are already using certificates, the Certificate Details are automatically populated. You can update any of the following details:
    Key type
    Select the cryptographic key type that is used to generate the certificate.
    Validity days
    Enter the number of days the certificate is valid for. The maximum number of days that are allowed is 9000.
    Country
    Enter the two-letter country code or location, for example, 01 for US.
    State
    Enter the name of the state where the system requesting the certificate is located.
    City
    Enter the name of the city where the system is located.
    Organization name
    Enter the name of the organization.
    Organizational unit
    Enter the name of the organizational unit.
    Common name
    The common name is the UUID of the current partition.
    Subject alternative name
    The subject alternative name is the IP address of the current partition. It is entered in the Subject Alternate Name field in the form IP:196.192.0.20.
    Email Address
    Enter the email address.
  7. Click Create and install. The certificate is updated in the main panel.

Using the command-line interface (CLI)

To generate an internally signed partition certificate that uses the RSA 2048 key type and expires in one year, enter the following command:
svctask mkpartitioncertstore -systemsigned -partition partition0 -commonname BC30C5EB-FAB9-59FE-9880-5F7F479753B8 -country GB -locality Manchester -org IBM -orgunit Systems -email certificates@support.ibm.com -keytype rsa2048 -validity 365 -subjectalternativename "IP:192.165.10.15"
For more information, see the mkpartitioncertstore CLI command.
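The following Python script is an added example and is not IBM code or part of the mkpartitioncertstore command. It checks the field values the GUI and CLI sections above ask for against the limits the page states (validity of at most 9000 days, a two-letter country code, a UUID common name, an IP:<address> subject alternative name), assembles the svctask mkpartitioncertstore command line with the flags shown on the page, and models the automatic-renewal window (renewal thirty days before expiry, checked every eight hours). The accepted key-type set and the UUID format check are assumptions; the sample values are copied from the page's CLI example.

```python
"""Pre-flight checks for an internally signed partition certificate.

Added example, not IBM's code. Only the flags shown on the page are used;
the KEY_TYPES set and the UUID check on the common name are assumptions.
"""
from datetime import datetime, timedelta
import ipaddress
import shlex
import uuid

MAX_VALIDITY_DAYS = 9000              # page: maximum number of days allowed
RENEW_BEFORE = timedelta(days=30)     # page: renewed thirty days before expiry
CHECK_INTERVAL = timedelta(hours=8)   # page: scheduled check every eight hours
KEY_TYPES = {"rsa2048"}               # assumption: only the page's example key type

# Constructed sample, copied from the page's CLI example.
EXAMPLE = {
    "partition": "partition0",
    "commonname": "BC30C5EB-FAB9-59FE-9880-5F7F479753B8",
    "country": "GB",
    "locality": "Manchester",
    "org": "IBM",
    "orgunit": "Systems",
    "email": "certificates@support.ibm.com",
    "keytype": "rsa2048",
    "validity": 365,
    "subjectalternativename": "IP:192.165.10.15",
}


def validate_san(san: str) -> str:
    """Accept only the page's form 'IP:<address>' with a parseable IP address."""
    prefix, sep, value = san.partition(":")
    if prefix != "IP" or not sep:
        raise ValueError(f"SAN must look like IP:<address>, got {san!r}")
    ipaddress.ip_address(value)  # raises ValueError on a malformed address
    return san


def validate_params(p: dict) -> dict:
    """Check each field against the limits the page states before issuing the command."""
    if p["keytype"] not in KEY_TYPES:
        raise ValueError(f"unsupported key type {p['keytype']!r}")
    if not 1 <= int(p["validity"]) <= MAX_VALIDITY_DAYS:
        raise ValueError(f"validity must be between 1 and {MAX_VALIDITY_DAYS} days")
    if len(p["country"]) != 2 or not p["country"].isalpha():
        raise ValueError("country must be a two-letter code")
    uuid.UUID(p["commonname"])  # page: the common name is the partition UUID
    validate_san(p["subjectalternativename"])
    return p


def build_command(p: dict) -> str:
    """Render the svctask mkpartitioncertstore invocation with the page's flags."""
    p = validate_params(p)
    parts = ["svctask", "mkpartitioncertstore", "-systemsigned"]
    for flag in ("partition", "commonname", "country", "locality", "org",
                 "orgunit", "email", "keytype", "validity", "subjectalternativename"):
        parts += [f"-{flag}", shlex.quote(str(p[flag]))]
    return " ".join(parts)


def renewal_plan(not_after_iso: str, now_iso: str) -> dict:
    """Model the automatic-renewal schedule described on the page.

    Returns whether a scheduled check at now_iso should renew the certificate
    (thirty days or less of validity remain) and how many eight-hour checks
    will pass before renewal becomes due.
    """
    not_after = datetime.fromisoformat(not_after_iso)
    now = datetime.fromisoformat(now_iso)
    remaining = (not_after - RENEW_BEFORE) - now
    if remaining <= timedelta(0):
        return {"renew_now": True, "checks_until_renewal": 0}
    # Ceiling division on timedeltas: floor of the negative, negated.
    return {"renew_now": False,
            "checks_until_renewal": -(-remaining // CHECK_INTERVAL)}


if __name__ == "__main__":
    print(build_command(EXAMPLE))
    print(renewal_plan("2025-12-31T00:00:00+00:00", "2025-11-30T04:00:00+00:00"))
```

Run the script to print the assembled command for the page's sample values; feed it your own field values to catch an over-long validity or a malformed SAN before the command reaches the system.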