mkpartitioncertstore
Use the mkpartitioncertstore command to create the Secure Sockets Layer (SSL) certificate or certificate signing requests (CSR) for specific partition.
Syntax
Parameters
- (Optional) Generates a system signed SSL certificate.
- (Optional) Generates a new certificate signing request in /dumps/partition_certificate_slot_<partitionid>.csr. The file can be copied from the system and provided to a trusted third-party certificateauthority. The certificate authority signs the request and provides a signed certificate that can be installed using the -install and -file parameters.
- -partition partition_name | partition_id| partition_uuid
- (Optional) Specifies the name or ID or UUID for which a certificate is created or installed.
- -country country
- (Optional) Specifies the two digit country code.
- -state state
- (Optional) Specifies the state information for the certificate request.
- -locality locality
- (Optional) Specifies the locality information for the certificate request.
- -org organization
- (Optional) Specifies the organization information for the SSL certificate.
- -orgunit organizationunit
- (Optional) Specifies the organization unit information for the SSL certificate.
- -commonname commonname
- (Optional) Specifies the common name server or hostname.
- -email email
- (Optional) Specifies the email address that is used in the SSL certificate.
- -subjectalternativename subject_alternative_name
- (Optional) This parameter allows value to be specified for the Subject Alternative Name certificate extension field permitted in X.509 version 3 certificates. You can specify this parameter only with, -mksystemsigned or -mkrequest options. The parameter can specify a value up to 512 characters in length. To include some characters such as whitespace, newline or other special characters, apply the appropriate bash command line modifications to ensure the value is specified correctly. This is particularly important if non-character delimiters are used to specify multiple alternative names.
- -keytype keytype
- (Optional) Specifies the SSL certificate key type.
- rsa2048
- ecdsa384
- ecdsa521
- rsa4096
- -validity days
- (Optional) Specifies the number of days (
19000) that the internally-signed certificates is valid.
- -autorenew yes | no
- (Optional) Turns automatic renewal on or off. When turned on, the system certificate will be renewed automatically 30 days before it expires. The -autorenew option is only supported when the certificate is signed by the system's root certificate authority. The default value when using an internally signed certificate is yes.
Description
Use this command to manage the SSL certificate that is installed on a system. The command can be
used for the following items.
- Generate an internally-signed certificates that is signed by the system's root certificate authority (CA). The root certificate has a long validity period and can be installed on browsers, devices and applications that support chain of trust checking. Internally-signed certificates can be renewed automatically.
- Create a certificate signing request which is copied from the system and sent to an external certificate authority to sign.
Important: You must specify one of the following parameters:
- -systemsigned
- -externalsigned
Note: Following are few restrictions with respect to partition specific certificate:
- Partition cannot be removed if any certificate is associated with it.
- HA policy cannot be configured for a partition if certificate is associated with it.
- If any existing HA policy is configured for partition then certificate can not be associated with it.
An invocation example
The following example shows creating a new system certificate for partition id 0 that is signed by the system's internal root CA with automatic renewal enabled:
svctask mkpartitioncertstore -systemsigned -partition 0 -commonname abc-xyz-123 -country GB -locality Manchester -org IBM -orgunit Systems -email support@ibm.com -keytype rsa2048 -validity 355 -subjectalternativename IP:xyz.xx.x.xyz
The resulting output
Partition certificate store Object, id [0], successfully created.
