Certificate CLI Commands
Use the certificate commands to create a certificate signing request (CSR), and to install server certificates, CA (certificate authority) certificates, or trusted path certificates on the Guardium® system.
Certification Expiration
Expired certificates result in a loss of function. Run the show certificate warn_expire command periodically to check for expired certificates. The command displays certificates that expire within six months and already-expired certificates. The user interface also informs you of certificates that are due to expire. To see a summary of all certificates, run the command show certificate summary.
New Certificates
To obtain a new certificate, generate a certificate signed request (CSR) and contact a third-party certificate authority (CA) such as VeriSign or Entrust. Guardium does not provide CA services and does not ship systems with different certificates than the ones that are installed by default. The certificate format must be in PEM and include BEGIN and END delimiters. You can either paste the certificate from the console or import it through one of the standard import protocols.
create csr
Creates a certificate signing request (CSR) for the Guardium system. Do not create the CSR until after the system network configuration parameters are set. Within the generated CSR, the common name (CN) is created automatically from the host and domain names assigned.
Parameters
create csr alias [rfc7468]
Creates a certificate signing request CSR for a supplied alias.
create csr external_stap [rfc7468]
Creates a CSR for a Guardium External S-TAP® Docker container. After a certificate is signed and stored, you can deploy the External S-TAP to monitor traffic from databases in the cloud or in other situations in which you cannot use a local agent.
create csr gim client [rfc7468]
Creates a CSR with the alias gim in the GIM client keystore. Used for centralized GIM certificate distribution. See Manage GIM certificate distribution.
create csr gim server [rfc7468]
Creates a CSR with alias gim for the GIM server certificate. Used for centralized GIM certificate distribution. See Manage GIM certificate distribution.
create csr gui
Creates a CSR for the GUI.
create csr gui [custom-dn | rfc7468]
- custom-dn - Creates a CSR for the GUI with a custom distinguished name
(DN). The DN is a name that uniquely identifies an entry and includes a slash-separated (/) string
of identifiers. For example:
/C=US/OU=Guardium Appliances/OU=Example/CN=mycompany.com
The DN must be ASCII-encoded and end with a CN (common name) entry.
- rfc7468 - Creates a CSR for the GUI with RFC7468 formatting.
create csr insights
Creates a CSR for IBM® Security Guardium Insights.
create csr mysql
Creates a CSR for a MySQL certificate.
create csr saml
Creates a CSR for SAML certificates.
create csr sniffer
Creates a CSR for sniffer.
create csr sniffer custom-dn
/C=US/OU=Guardium Appliances/OU=Example/CN=mycompany.com
The DN must be ASCII-encoded and end with a CN (common name) entry.
create csr wildcard [rfc7468]
Generates a wildcard CSR certificate. For example, if your site has machines
that are named nyc.yourdomain.com, la.yourdomain.com, and tokyo.yourdomain.com, use a wildcard
certificate to specify the hostname with an asterisk (*) wildcard. The wildcard creates a
certificate that is valid for all three machines. For example, *.yourdomain.com
.
- On the central manager (in a managed environment), run the create csr wildcard command.
- Copy the CSR into a file and get it signed by a CA.
- Store the signed certificate by using the store certificate gui CLI command. The certificate must be in PEM format in order to import it into the Guardium appliance. Make sure that you have the root CA available.
- In a centrally managed environment, add the certificate to each managed unit,
- Store the root CA by running the store certificate keystore CLI command on the managed unit that uses the same root CA as you used for the central manager.
- Store both the certificate and the private key with the store certificate privatekey
gui command with the same wildcard certificate that you used for the central manager.
Note: Use the show csr wildcard CLI command to view the privatekey.
Syntax
- create csr alias [rfc7468]
- create csr external_stap [rfc7468]
- create csr gim [client | server] [rfc7468]
- create csr gui [custom-dn | rfc7468]
- create csr insights
- create csr mysql
- create csr saml
- create csr sniffer [custom-dn]
- create csr wildcard [rfc7468]
Show command
show csr wildcard key
create self-signed gui
Use this command to manually create a self-signed certificate that uses the fully qualified domain name (FQDN) of the Guardium system. Before you use this command, set the hostname and domain name.
Syntax
create self-signed gui <force>
The parameter force creates a new self-signed certificate even if a certificate exists on the Guardium system. Nondefault certificates are removed.
delete certificate
Use this command to remove SSL certificates that are expired or revoked.
For more information about restoring certificates, see restore certificate keystore.
Parameters
Syntax
delete certificate <external_stap | external_stap_signing | keystore>- external_stap displays all of the available certificates for the External S-TAP.
- external_stap_signing displays aliases of all available intermediate certificates for External S-TAP and prompts you to select the certificate to delete.
- keystore displays all certificates in the certificate keystore.
When prompted, select the number of the certificate to delete. To delete more than one certificate, enter a comma-separated list of the certificate numbers.
distribute certificate showlog
Use this command to view the certificate distribution log.
Syntax
distribute certificate showlog <all | fail | success>- all displays all the lines in the distribution log.
- fail displays the lines with failures and warnings only.
-
success displays the lines with success only.
restore certificate
Parameters
Restores the Guardium Insights certificate to either the default certificate keystore or to the last saved certificate keystore.
Restores the certificate keystore to the last certificate keystore on record or the default certificate keystore that was originally provided.
- restore certificate keystore backup
Restores the certificate keystore to the last saved certificate keystore.
- restore certificate keystore default
Restores the certificate keystore to the default value that was supplied with the system.
restore certificate mysql backup <client <ca|cert> | server <ca|cert> >
Restores the last saved MySQL certificate. Specify which certificate you want to restore; the client or server certificate and the certificate authority (CA) or client certificate.- restore certificate mysql backup client ca
Restores the last saved client certificate authority (CA) certificate.
- restore certificate mysql backup client cert
Restores the last saved client certificate.
- restore certificate mysql backup server ca
Restores the last saved server certificate authority (CA) certificate.
- restore certificate mysql backup server cert
Restores the last saved server certificate.
Restores the certificate to either the last saved sniffer certificate (the backup) or the default certificate.
- restore certificate insights < default | last >
- restore certificate keystore <backup | default>
- restore certificate mysql backup <client | server> <ca | cert>
- restore certificate sniffer <backup | default>
restore cert_key
Restores the MySQL client or server certificate key to the last saved value.
Restores the sniffer certificate key to the last saved certificate key (backup) or the default sniffer certificate key.
Syntax
restore cert_key mysql backup <client | server>
restore cert_key sniffer <backup | default>
show certificate
Displays the summary of all certificates, certificate information, alias list, certificates in the keystore, and expired or soon-to-expire certificates.
This certificate authenticity can be verified by a Guardium CA public key (contained in the CA certificate that is distributed with the client software). The certificate has either a customer company-unique CN (Common Name - for example, acme.com), or a machine-specific CN (for example x4.acme.com). This permits any client to establish that the Guardium system has a valid certification (it is a real Guardium system), but also that it is a specific Guardium system (or a set of Guardium systems) that the client is supposed to connect to.
Parameters
show certificate all
Displays all the certificates on the Guardium appliance.
show certificate external_stap
Displays a summary of External S-TAP certificates, including certificate information, alias, certificates in the keystore, and expired or soon-to-expire certificates.
show certificate external_stap_signing
Displays a summary of External S-TAP intermediate certificates, including certificate information, alias names, certificates in the keystore, and expiration information.
show certificate gim client
Displays the GIM client certificate or certificates.
show certificate gim server
Displays the GIM server certificate.
show certificate gui
Displays the GUI certificate.
show certificate insights
Displays all Guardium Insights certificates that are stored in the Guardium Insights keystore
show certificate keystore alias
Displays a list of certificates. Select a certificate from the list to display its alias.
show certificate keystore all
Displays all the certificates in the Guardium keystore.
show certificate mysql client
Displays the MySQL client certificate.
show certificate mysql server
Displays the MySQL server certificate.
Displays the SAML certificate.
show certificate sniffer
Displays the sniffer certificate.
show certificate starttls
Displays an existing starttls certificate.
show certificate summary
Displays a summary of all certificates on the Guardium appliance.
show certificate trusted
Displays all trusted certificate information.
show certificate warn_expired
Displays all expired certificates or certificates that expire in 6 months.
show certificate wkc
Displays the certificate that is required for IBM Knowledge Catalog integration.
- show certificate all
- show certificate external_stap
- show certificate external_stap_signing
- show certificate gim <client | server>
- show certificate gui
- show certificate insights
- show certificate keystore <alias | all>
- show certificate mysql <client | server>
- store certificate saml
- show certificate sniffer
- show certificate starttls
- show certificate summary
- show certificate trusted
- show certificate warn_expired
- show certificate wkc
store certificate
Stores a certificate. Follow the directions to paste your certificate (in PEM format) and include the BEGIN and END lines.
All certificates except for GIM client and GIM server are merged into the main keystore during the store certificate operation.
Parameters
store certificate allowlist_external_stap
For the External S-TAP, stores trusted certificates. For more information, see Client and server certificate verification.
store certificate blocklist_external_stap
For the External S-TAP, store certificates that you know cannot be trusted. For more information, see Client and server certificate verification.
For managing GUI and GIM certificates by using the Venafi certificate management system. For more information, see Managing certificates by using Venafi.
store certificate custom_keystore_external_stap
Store certificates in the custom keystore to verify that the External S-TAP communicates only with trusted clients and servers. For more information, see Client and server certificate verification.
store certificate external_stap
Stores the signed External S-TAP certificate into the corresponding keystore. For more information, see External S-TAP.
store certificate external_stap_signing
Stores the signed intermediate External S-TAP certificate into the corresponding keystore. For more information, see External S-TAP.
store certificate gim client [auto-generate|console|external]
Stores the signed GIM client certificate into the corresponding keystore and prepares it for distribution. Used for centralized GIM certificate distribution. See Manage GIM certificate distribution. Unlike all other certificates, storing the GIM client certificate does not affect the main keystore. Instead, the GIM client keystore is saved in a custom keystore that can be distributed to registered GIM clients.
Use auto-generate to generate and distribute selected GIM client certificates. You can generate only SHA-1 certificates. You do not need to use this command to generate SHA-256 certificates.
store certificate gim server [console|external]
Stores the signed GIM server certificate into the keystore. Used for centralized GIM certificate distribution. See Manage GIM certificate distribution.store certificate gui
Stores a GUI certificate in the keystore.
store certificate insights [console | external | trusted]
- console - Paste the certificate to the console.
- external - Import an externally generated certificate.
- trusted - Paste a trusted CA certificate to the console.
store certificate keystore_external_stap
Stores root and intermediate trusted certificates, which are used to sign External S-TAP certificates.
store certificate keystore [alias | trusted | trusted-venafi] [console|external]
Store certificates on the keystore. You can store the certificate alias, a trusted certificate, or a trusted Venafi certificate. Specify trusted to store CA certificates for TLS validation.
store certificate mysql
Stores MySQL client and server certificates. For both client and server certificates, specify Specify ca to store certificate authority (CA) certificates. Specify cert to store client or server default certificates.
- store certificate mysql client <ca|cert> [console|external]
Stores MySQL client certificates.
- store certificate mysql server <ca|cert> [console|external]
Stores MySQL server certificates.
Storing certificates with private key
The following commands overwrite self-signed GUI, GIM, and Insights certificates with private keys in the keystore.
Certificates and private keys must be in PEM format.
Certificates start with "-----BEGIN CERTIFICATE-----" and end with "-----END CERTIFICATE-----"
Private keys start with "-----BEGIN RSA PRIVATE KEY-----" and end with "-----END RSA PRIVATE KEY-----"
PEM certificates can also be imported by using the GUI. For more information, see Importing a PEM certificate.
store certificate privatekey gim [console | external]
Stores GIM self-signed certificate and private key in the keystore.
store certificate privatekey gui [console | external]
Stores GUI self-signed certificate and private key in the keystore.
store certificate rsa_securid console
Stores a certificate for RSA SecurID multi-factor authentication. The certificate verifies the RSA SecurID Authentication Manager. Run this command on a central manager. SSH authentication is required for SSH logins with RSA SecurID. The certificate must be in PEM format.
For more information, see Configuring multi-factor authentication with RSA SecurID.
store certificate saml
Stores SAML certificates.
Stores the certificate for the CVE scanner agent. For more information, see Configuring vulnerability scanner agents.
store certificate sniffer
Stores sniffer certificates.
store certificate starttls [console | external]
Store a trusted certificate in the keystore to support an encrypted TLS connection.
store certificate wkc [console | external]
- store certificate allowlist_external_stap
- store certificate blocklist_external_stap
- store certificate cms
- store certificate custom_keystore_external_stap
- store certificate external_stap
- store certificate external_stap_signing
- store certificate gim client [auto-generate|console|external]
- store certificate gim server [console|external]
- store certificate insights [console|external|trusted]
- store certificate keystore <alias | trusted> [console|external]
- store certificate keystore_external_stap
- store certificate mysql client <ca|cert> [console|external]
- store certificate mysql server <ca|cert> [console|external]
- store certificate privatekey <gim | gui > [console|external]
- store certificate rsa_securid console
- store certificate saml
- store certificate scanner ca_bundle
- store certificate sniffer
- store certificate starttls [console | external]
- store certificate wkc [console | external]
store cert_key mysql
Stores the certificate key of a MySQL client or server. Specify console to paste the key into the console. Specify to import the key file from an external source.Specify to import the key file from an external source.
Parameters
Use the following parameters to store the certificate key of a MySQL client:
store cert_key mysql client [console|external]
Use the following parameters to store the certificate key of a MySQL server:
store cert_key mysql server [console|external]
store cert_key sniffer
Stores the system certificate key. This command enables a user to set the system certificate that is used by the Guardium system (in communication with S-TAP). The certificate can either be pasted from the console or imported through one of the standard import protocols. Use the PEM certificate format and include the BEGIN and END delimiters. This certificate needs to be signed by a CA whose self-signed certificate is available to S-TAP software through the guardium_ca_path.
Parameters
store cert_key sniffer console
Stores the sniffer certificate key by pasting the key into the console.
store cert_key sniffer external
Stores the sniffer certificate key by importing the key file from an external source.
Syntax
store cert_key sniffer <console | external>
Backup and Default Options
You can choose to restore certificates and certificate keys with the backup or default parameter. Use the backup parameter to restore a certificate to the last saved certificate. Use the default parameter to restore a certificate to the original certificate that Guardium supplied.
Certificate Expiration Dates and Summary Commands
Run the show certificate warn_expire command periodically. This command warns you of certificates that expire in six months and displays a list of expired certificates. For more information, see the show certificate CLI command. To show a summary of all certificates, run the CLI command show certificate summary. Run the commands periodically to review certificate expiration dates.