Creating OpenSSL certificates for Crypto Express Network API for Secure Execution Enclaves

The following certificates must be created for mTLS:

Filename                 Description
%prefix%-ca.pem          CA root certificate
%prefix%-ca.key          CA root key
%prefix%-server.key      mTLS server key
%prefix%-cert.pem        mTLS server certificate
%prefix%-server.csr      Certificate Signing Request (CSR) file for the server
%prefix%-client.key      Client key for the connection to the target server
%prefix%-client.pem      Client certificate for the connection to the target server
%prefix%-client.csr      Certificate Signing Request (CSR) file for the client

Note: Replace %prefix% with c16server or rsyslog in actual use.

Preparing the required mutual TLS certificates by using OpenSSL (self-signed certificates)

  1. Create a CA certificate and key pair

      1. Generate the CA key by running the following command:

         openssl genrsa -out %prefix%-ca.key 2048

      2. Generate the CA root certificate by running the following command:

         openssl req -new -x509 -key %prefix%-ca.key -days 730 -out %prefix%-ca.pem

         Note: Enter the Distinguished Name of your certificate when prompted and make sure that 'CN' ('Common Name') is correct and reachable. Alternatively, pass it on the command line, e.g. add [-subj "/C=US/ST=California/L=Los Angeles/O=IBM/CN= "] with the CN filled in.

      3. Generate the server key (to be signed by the CA root certificate) by running the following command:

         openssl genrsa -out %prefix%-server.key 2048

  2. Export the COMMON_NAME (fully qualified domain name), the path length constraint, and the Subject Alternative Name (listing all domain names and IP addresses that the certificate secures):

     export COMMON_NAME=%prefix%.example.com
     export PATHLEN=CA:true
     export SUBJECT_ALT_NAME=DNS:<domain-name:port>,IP:<ip>

     e.g. export SUBJECT_ALT_NAME=DNS.1:%prefix%.example.com:6514,DNS.2:127.0.0.1:6514,DNS.3:localhost:6514,IP.1:[IP of %prefix%.example.com],IP.2:127.0.0.1
    
  3. Create the openssl.cnf file and copy the content given below into it.

     Example of `openssl.cnf`:

     # OpenSSL configuration file.
     #
     # Establish working directory.
     dir   = .
     [ ca ]
     default_ca  = CA_default
     [ CA_default ]
     serial   = $dir/serial
     #database  = ${ENV::DIR}/index.txt
     #new_certs_dir  = $dir/newcerts
     #private_key       = $dir/ca.key
     #certificate       = $dir/ca.cer
     default_days  = 730
     default_md  = sha256
     preserve  = no
     email_in_dn  = no
     nameopt   = default_ca
     certopt   = default_ca
     default_crl_days = 45
     policy   = policy_match
     [ policy_match ]
     countryName  = match
     stateOrProvinceName = optional
     organizationName = match
     organizationalUnitName = optional
     commonName  = supplied
     emailAddress  = optional
     [ req ]
     default_md  = sha256
     distinguished_name = req_distinguished_name
     prompt             = yes
     [ req_distinguished_name ]
     #countryName = Country
     #countryName_default = US
     #countryName_min = 2
     #countryName_max = 2
     #localityName = Locality
     #localityName_default = Los Angeles
     #organizationName = Organization
     #organizationName_default = IBM
     #commonName = Common Name
     #commonName_max = 64
     C  = US
     ST = California
     L  = Los Angeles
     O  = IBM
     CN = ${ENV::COMMON_NAME}
     [ certauth ]
     subjectKeyIdentifier = hash
     authorityKeyIdentifier = keyid:always,issuer:always
     keyUsage = digitalSignature, keyEncipherment, dataEncipherment, keyCertSign, cRLSign
     basicConstraints = ${ENV::PATHLEN}
     #crlDistributionPoints = @crl
     [ server ]
     basicConstraints = CA:FALSE
     keyUsage = digitalSignature, keyEncipherment, dataEncipherment
     extendedKeyUsage = serverAuth
     nsCertType = server
     crlDistributionPoints = @crl
     subjectAltName = ${ENV::SUBJECT_ALT_NAME}
     [ client ]
     basicConstraints = CA:FALSE
     keyUsage = digitalSignature, keyEncipherment, dataEncipherment
     extendedKeyUsage = clientAuth,msSmartcardLogin
     nsCertType = client
     crlDistributionPoints = @crl
     authorityInfoAccess = @ocsp_section
     subjectAltName = @alt_names
     [ selfSignedServer ]
     subjectKeyIdentifier = hash
     authorityKeyIdentifier = keyid:always,issuer:always
     keyUsage = digitalSignature, keyEncipherment, dataEncipherment
     basicConstraints = CA:FALSE
     subjectAltName = ${ENV::SUBJECT_ALT_NAME}
     extendedKeyUsage = serverAuth
     [ selfSignedClient ]
     subjectKeyIdentifier = hash
     authorityKeyIdentifier = keyid:always,issuer:always
     keyUsage = digitalSignature, keyEncipherment, dataEncipherment
     basicConstraints = CA:FALSE
     subjectAltName = @alt_names
     extendedKeyUsage = clientAuth
     [ server_client ]
     subjectKeyIdentifier = hash
     keyUsage = digitalSignature, keyEncipherment, dataEncipherment
     basicConstraints = CA:FALSE
     subjectAltName = ${ENV::SUBJECT_ALT_NAME}
     crlDistributionPoints = @crl
     extendedKeyUsage = serverAuth,clientAuth
     [ v3_intermediate_ca ]
     # Extensions for a typical intermediate CA (`man x509v3_config`).
     subjectKeyIdentifier = hash
     authorityKeyIdentifier = keyid:always,issuer
     basicConstraints = critical, ${ENV::PATHLEN}
     keyUsage = critical, digitalSignature, cRLSign, keyCertSign
     crlDistributionPoints = @crl
     authorityInfoAccess = @ocsp_section
     [ crl ]
     URI=http://localhost/ca.crl
     [ ocsp_section ]
     OCSP;URI.0 = http://localhost:2560/ocsp
     [ ocsp ]
     # Extension for OCSP signing certificates (`man ocsp`).
     basicConstraints = CA:FALSE
     subjectKeyIdentifier = hash
     authorityKeyIdentifier = keyid,issuer
     keyUsage = critical, digitalSignature
     extendedKeyUsage = critical, OCSPSigning
     [alt_names]
     # email= ${ENV::SUBJECT_ALT_NAME}
     otherName=msUPN;UTF8:${ENV::SUBJECT_ALT_NAME}
     [v3_conf]
     keyUsage = digitalSignature, keyEncipherment, dataEncipherment, keyCertSign, cRLSign
     basicConstraints = CA:FALSE

  4. Create the server certificate signing request by running the following command:

     openssl req -new -key %prefix%-server.key -out %prefix%-server.csr

  5. Create the server certificate by running the following command:

     openssl x509 -sha256 -req -in %prefix%-server.csr -CA %prefix%-ca.pem -CAkey %prefix%-ca.key -set_serial 8086 -extfile openssl.cnf -extensions server -days 730 -outform PEM -out %prefix%-cert.pem

  6. Create the client key that is used to connect to c16server by running the following command:

     openssl genrsa -out %prefix%-client.key 2048

  7. Create the client certificate signing request by running the following command:

     openssl req -new -key %prefix%-client.key -out %prefix%-client.csr

  8. Create the client certificate by running the following command:

     openssl x509 -req -days 730 -in %prefix%-client.csr -CA %prefix%-ca.pem -CAcreateserial -CAkey %prefix%-ca.key -out %prefix%-client.pem
    

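The procedure above, run end to end and then checked, as an added example that is not code from the page or from the product: it generates the CA, server and client material non-interactively and verifies that the resulting files carry what an mTLS peer will actually look for (chain, CA flags, SAN and host name, EKUs, key/certificate pairing). It assumes an OpenSSL 1.1+ command line on PATH; the trimmed openssl.cnf keeps only the [certauth], [server] and [client] sections, and c16server.example.com, localhost and 127.0.0.1 are constructed names.

```shell
#!/bin/sh
# Added example, not code from the page or the product: runs the CA, server and client
# steps above non-interactively in a scratch directory, then checks that the files
# really carry what an mTLS peer will look for. Assumes an OpenSSL 1.1+ CLI on PATH.
# c16server.example.com, localhost and 127.0.0.1 are constructed names, not real ones.
set -eu

PREFIX="${PREFIX:-c16server}"          # the page allows c16server or rsyslog
export COMMON_NAME="${PREFIX}.example.com"
export PATHLEN="CA:true"
# Plain host and IP entries: a TLS client matches the SAN against the host name only,
# so the :6514-style port suffixes in the page's example are not part of a DNS SAN.
export SUBJECT_ALT_NAME="DNS:${COMMON_NAME},DNS:localhost,IP:127.0.0.1"

# Trimmed openssl.cnf: the [certauth], [server] and [client] sections from the page
# without the CRL/OCSP pointers, plus the [req] stanza that `openssl req -config` requires.
write_cnf() {
  cat > "$1" <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ certauth ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
keyUsage = digitalSignature, keyEncipherment, dataEncipherment, keyCertSign, cRLSign
basicConstraints = ${ENV::PATHLEN}
[ server ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = ${ENV::SUBJECT_ALT_NAME}
[ client ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = clientAuth
EOF
}

# Steps 1 to 8 of the page in one go; $1 is the working directory.
make_pki() {
  d="$1/$PREFIX"; mkdir -p "$1"; write_cnf "$1/openssl.cnf"
  openssl genrsa -out "$d-ca.key" 2048 2>/dev/null
  openssl req -new -x509 -key "$d-ca.key" -days 730 -config "$1/openssl.cnf" -extensions certauth \
    -subj "/C=US/ST=California/L=Los Angeles/O=IBM/CN=$PREFIX-ca" -out "$d-ca.pem"
  openssl genrsa -out "$d-server.key" 2048 2>/dev/null
  openssl req -new -key "$d-server.key" -subj "/C=US/ST=California/O=IBM/CN=$COMMON_NAME" -out "$d-server.csr"
  # -set_serial 8086 is why the appliance later lists this certificate with serial 1F96 (hex).
  openssl x509 -sha256 -req -in "$d-server.csr" -CA "$d-ca.pem" -CAkey "$d-ca.key" -set_serial 8086 \
    -extfile "$1/openssl.cnf" -extensions server -days 730 -out "$d-cert.pem"
  openssl genrsa -out "$d-client.key" 2048 2>/dev/null
  openssl req -new -key "$d-client.key" -subj "/C=US/ST=California/O=IBM/CN=$PREFIX-client" -out "$d-client.csr"
  # Step 8 on the page signs the client CSR without -extfile; passing the [client]
  # section gives the certificate an explicit clientAuth EKU and CA:FALSE.
  openssl x509 -sha256 -req -in "$d-client.csr" -CA "$d-ca.pem" -CAkey "$d-ca.key" -CAcreateserial \
    -extfile "$1/openssl.cnf" -extensions client -days 730 -out "$d-client.pem"
}

# Returns 0 only if chain, CA flags, SAN/host name, EKUs and key/cert pairing all check out.
check_pki() {
  d="$1/$PREFIX"; fails=0
  check() { desc=$1; shift; if "$@" >/dev/null 2>&1; then echo "ok   $desc"; else echo "FAIL $desc"; fails=$((fails + 1)); fi; }
  has_ext() { openssl x509 -in "$1" -noout -text | grep -qF -- "$2"; }
  key_matches() { [ "$(openssl pkey -in "$1" -pubout)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]; }
  check "server cert chains to the CA and matches $COMMON_NAME" \
    openssl verify -CAfile "$d-ca.pem" -verify_hostname "$COMMON_NAME" "$d-cert.pem"
  check "client cert chains to the CA" openssl verify -CAfile "$d-ca.pem" "$d-client.pem"
  check "CA cert is marked CA:TRUE"           has_ext "$d-ca.pem"     "CA:TRUE"
  check "server cert is marked CA:FALSE"      has_ext "$d-cert.pem"   "CA:FALSE"
  check "server cert has serverAuth EKU"      has_ext "$d-cert.pem"   "TLS Web Server Authentication"
  check "server cert SAN lists $COMMON_NAME"  has_ext "$d-cert.pem"   "DNS:$COMMON_NAME"
  check "client cert has clientAuth EKU"      has_ext "$d-client.pem" "TLS Web Client Authentication"
  check "server key belongs to server cert"   key_matches "$d-server.key" "$d-cert.pem"
  return "$fails"
}

# Stand-alone use: PKI_DIR=./pki sh make-and-check-pki.sh
if [ -n "${PKI_DIR:-}" ]; then make_pki "$PKI_DIR"; check_pki "$PKI_DIR"; fi
```

Run the check again on the files produced by the page's own commands to see which of the eight properties they satisfy.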
Upload an externally signed certificate to the Crypto Express Network API for Secure Execution Enclaves appliance

Upload an externally signed certificate by completing the following steps:

  1. Create a leaf Certificate Signing Request (CSR) for the IP address or DNS hostname of the Crypto Express Network API for Secure Execution Enclaves appliance.

    Certificate Signing Request (CSR) input properties

    Name   Type     Description
    c      String   Country code
    st     String   State code
    o      String   Organization name
    ou     String   Organizational unit
    ca     boolean  Distinguishes a Certificate Authority (CA) CSR from a leaf CSR: true for CA, false for leaf.
    ip     String   IP address

    POST https://{{host}}/api/com.ibm.zaci.system/certificates/v1 HTTP/1.1
    zACI-API: com.ibm.zaci.system/1.0
    Content-type: application/vnd.ibm.zaci.payload+json;version=1.0
    Accept: application/vnd.ibm.zaci.payload+json;version=1.0
    Authorization: Bearer {{login.response.body.parameters.token}}
    
    {
       "kind":"request",
       "resource-name":"certificates",
       "resource-version":"v1",
       "parameters":{
          "ca":false,
          "c":"US",
          "o":"IBM",
          "ou":"CSL",
          "st":"California",
          "ip":"<IP/DNS of CA appliance>"
       }
    }
    

    Expected result: the newly created leaf CSR is returned:

    {
        "kind": "instance",
        "self": "/api/com.ibm.zaci.system/certificates/v1/",
        "resource-name": "certificates",
        "resource-version": "v1",
        "properties": {
            "issued-to": "C = US, ST = California, O = IBM, OU = CSL, CN = hpvs-test530066",
            "issued-by": "C = US, ST = California, L = Los Angeles, O = IBM, CN = *.*.152.177",
            "state": "csr",
            "hostname": "hpvs-test530066",
            "ca": false,
            "names": [
               "hpvs-test530066",
               "*.*.152.177:9001",
               "*.*.152.177"
            ],
            "id": "525091f9-18c9-4238-a4ba-3bac7d0d3d61",
            "csr": "-----BEGIN CERTIFICATE REQUEST-----\nMIICyjCCAbICAQAwWDELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWEx\nDDAKBgNVBAoMA0lCTTEMMAoGA1UECwwDQ1NMMRgwFgYDVQQDDA9ocHZzLXRlc3Q1\nMzAwNjYwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCtN+Qw2nGBG4QP\nlT0iuX9OeRnvsUHUQYTJYGnj11vwyUrT/71RLrPYC54+khzcin1eF5M2qzpZry8Z\n3+OJTN0dPzMoVrjXYQ/zrtFrMIzK/BrmkwH6R550K/GOYBKncvs7yio0PrAZ4nsv\nSavsZTQ7cFIXQy5wjn9n2fDe1105vstA0SSsxbe653xy04A049t3Bk90WXJr1Bec\ntiH3MFkgj71qORsDHkvNl0yg/bswtuTFt/c2VedDADn8p0HEgDc8hyfMN0ts/ADz\nlS1YXWIGnk9Pv4GhTCV5wncEycJzSFy4N7DfpX5TqKSZ7bQRHWuA84iUY7HYtk28\nqsYy5R/5AgMBAAGgLTArBgkqhkiG9w0BCQ4xHjAcMBoGA1UdEQQTMBGCCWhwdnMt\ndGVzdIcECS+YsTANBgkqhkiG9w0BAQsFAAOCAQEAAHL3jNfNdiW85hLFDexWvsRS\n73HSBgYPCN6f0BSIKxDBbNg9D+7CRjefzmdT6g3nncNS5ak7+RDXDjbIYced+bX2\nmQKmpappGMSIiTc3rmpdgZ0unBoSZ/Q9MAQO934KHov9g6t71LPcD3ZuVscEiqRu\n5DMODZRCP22BIXIIFC5p2jYFRmapqdDnOjq6FnxDjPmjWf1K/BEKT4YM+VUAdtYq\n4mz7NXKhhEuex5OmyclgsAEDcB8vdnh240wlB6/C5JZ5KHyPI+DJ+TE/V6crqGyI\nCJxYECiEwY1h5h7oZGcx508RQYPFQmGJRPi55+N8zHW6WVg33+B2gxv2zdu5OA==\n-----END CERTIFICATE REQUEST-----"
        }
    }
    

    Notes:

    • Note two values from the response above: id and csr. Both are used in the next steps.
    • An HTTP status code of 201 indicates a successful operation.
    • Any other HTTP status code indicates a failed operation.
  2. Save the csr, have your Certificate Authority (CA) issue the corresponding certificate (crt) from it, then upload the crt as the leaf certificate to the Crypto Appliance.

    PUT https://{{host}}/api/com.ibm.zaci.system/certificates/v1/{id} HTTP/1.1
    Authorization: Bearer {{login.response.body.parameters.token}}
    zACI-API: com.ibm.zaci.system/1.0
    Accept: application/vnd.ibm.zaci.payload+json;version=1.0
    Content-type: text/plain
    
    -----BEGIN CERTIFICATE-----
    MIIDwzCCAqugAwIBAgICH5YwDQYJKoZIhvcNAQELBQAwXTELMAkGA1UEBhMCVVMx
    EzARBgNVBAgMCkNhbGlmb3JuaWExFDASBgNVBAcMC0xvcyBBbmdlbGVzMQwwCgYD
    VQQKDANJQk0xFTATBgNVBAMMDDkuNDcuMTUyLjE3NzAeFw0yMzAzMTUxMDEwNTla
    Fw0yNTAzMTQxMDEwNTlaMFgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9y
    bmlhMQwwCgYDVQQKDANJQk0xDDAKBgNVBAsMA0NTTDEYMBYGA1UEAwwPaHB2cy10
    ZXN0NTMwMDY2MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArTfkMNpx
    gRuED5U9Irl/TnkZ77FB1EGEyWBp49db8MlK0/+9US6z2AuePpIc3Ip9XheTNqs6
    Wa8vGd/jiUzdHT8zKFa412EP867RazCMyvwa5pMB+keedCvxjmASp3L7O8oqND6w
    GeJ7L0mr7GU0O3BSF0MucI5/Z9nw3tddOb7LQNEkrMW3uud8ctOANOPbdwZPdFly
    a9QXnLYh9zBZII+9ajkbAx5LzZdMoP27MLbkxbf3NlXnQwA5/KdBxIA3PIcnzDdL
    bPwA85UtWF1iBp5PT7+BoUwlecJ3BMnCc0hcuDew36V+U6ikme20ER1rgPOIlGOx
    2LZNvKrGMuUf+QIDAQABo4GRMIGOMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgSwMBMG
    A1UdJQQMMAoGCCsGAQUFBwMBMBEGCWCGSAGG+EIBAQQEAwIGQDAoBgNVHR8EITAf
    MB2gG6AZhhdodHRwOi8vbG9jYWxob3N0L2NhLmNybDAiBgNVHREEGzAZghE5LjQ3
    LjE1Mi4xNzc6OTAwMYcECS+YsTANBgkqhkiG9w0BAQsFAAOCAQEAjMHfZgMKuHQP
    kL4Y1lN0QBNx+bmMxmtMK3GouU/F+z1R4F6sEJZWbE7QTIucnjKjf1o8CUhe/3fM
    m+TY4GyimA5drv9xqYpTE7S2mKSLTnvBc5Fot9p/FnkTfbmABUTB4Axq68pcBtBH
    F5Cpft97BpW9enCioD9jboRBE5LKo6SZpPLYvNEQzpP4r7SDVFEtT5kItvpTrB+T
    GzwTJg1dV3rfeB3V54+6VoP88v+4i4Poj3W1LbtgeVgLuV60L8O2INJ8H2pmuNv3
    DMvoNXQfn/9pKmKWnprMeDDfg4RmInR9Kxs11mwCiR9nBaM8nvS7PmUCHFYc+Jif
    2+sY3U2BrQ==
    -----END CERTIFICATE-----
    

    Expected Result:

    {
        "kind": "instance",
        "self": "/api/com.ibm.zaci.system/certificates/v1/e4b6c3b4-eb65-4ca6-aca0-2773d98c6e68",
        "resource-name": "certificates",
        "resource-version": "v1",
        "properties": {
          "serial": "1F96",
          "fingerprint": "AE:75:1B:A8:FD:AC:EA:19:F4:D8:E6:BC:91:93:1A:04:11:5A:5A:5A",
          "issued-to": "C = US, ST = California, O = IBM, OU = CSL, CN = hpvs-test530066",
          "issued-by": "C = US, ST = California, L = Los Angeles, O = IBM, CN = *.*.152.177",
          "not-before": 1678875059,
          "crt": "-----BEGIN CERTIFICATE-----\nMIIDwzCCAqugAwIBAgICH5YwDQYJKoZIhvcNAQELBQAwXTELMAkGA1UEBhMCVVMx\nEzARBgNVBAgMCkNhbGlmb3JuaWExFDASBgNVBAcMC0xvcyBBbmdlbGVzMQwwCgYD\nVQQKDANJQk0xFTATBgNVBAMMDDkuNDcuMTUyLjE3NzAeFw0yMzAzMTUxMDEwNTla\nFw0yNTAzMTQxMDEwNTlaMFgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9y\nbmlhMQwwCgYDVQQKDANJQk0xDDAKBgNVBAsMA0NTTDEYMBYGA1UEAwwPaHB2cy10\nZXN0NTMwMDY2MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArTfkMNpx\ngRuED5U9Irl/TnkZ77FB1EGEyWBp49db8MlK0/+9US6z2AuePpIc3Ip9XheTNqs6\nWa8vGd/jiUzdHT8zKFa412EP867RazCMyvwa5pMB+keedCvxjmASp3L7O8oqND6w\nGeJ7L0mr7GU0O3BSF0MucI5/Z9nw3tddOb7LQNEkrMW3uud8ctOANOPbdwZPdFly\na9QXnLYh9zBZII+9ajkbAx5LzZdMoP27MLbkxbf3NlXnQwA5/KdBxIA3PIcnzDdL\nbPwA85UtWF1iBp5PT7+BoUwlecJ3BMnCc0hcuDew36V+U6ikme20ER1rgPOIlGOx\n2LZNvKrGMuUf+QIDAQABo4GRMIGOMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgSwMBMG\nA1UdJQQMMAoGCCsGAQUFBwMBMBEGCWCGSAGG+EIBAQQEAwIGQDAoBgNVHR8EITAf\nMB2gG6AZhhdodHRwOi8vbG9jYWxob3N0L2NhLmNybDAiBgNVHREEGzAZghE5LjQ3\nLjE1Mi4xNzc6OTAwMYcECS+YsTANBgkqhkiG9w0BAQsFAAOCAQEAjMHfZgMKuHQP\nkL4Y1lN0QBNx+bmMxmtMK3GouU/F+z1R4F6sEJZWbE7QTIucnjKjf1o8CUhe/3fM\nm+TY4GyimA5drv9xqYpTE7S2mKSLTnvBc5Fot9p/FnkTfbmABUTB4Axq68pcBtBH\nF5Cpft97BpW9enCioD9jboRBE5LKo6SZpPLYvNEQzpP4r7SDVFEtT5kItvpTrB+T\nGzwTJg1dV3rfeB3V54+6VoP88v+4i4Poj3W1LbtgeVgLuV60L8O2INJ8H2pmuNv3\nDMvoNXQfn/9pKmKWnprMeDDfg4RmInR9Kxs11mwCiR9nBaM8nvS7PmUCHFYc+Jif\n2+sY3U2BrQ==\n-----END CERTIFICATE-----",
          "not-after": 1741947059,
          "names": [
            "hpvs-test530066",
            "*.*.152.177:9001",
            "*.*.152.177"
          ],
          "state": "active",
          "hostname": "hpvs-test530066",
          "ca": false,
          "id": "525091f9-18c9-4238-a4ba-3bac7d0d3d61",
          "csr": "-----BEGIN CERTIFICATE REQUEST-----\nMIICyjCCAbICAQAwWDELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWEx\nDDAKBgNVBAoMA0lCTTEMMAoGA1UECwwDQ1NMMRgwFgYDVQQDDA9ocHZzLXRlc3Q1\nMzAwNjYwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCtN+Qw2nGBG4QP\nlT0iuX9OeRnvsUHUQYTJYGnj11vwyUrT/71RLrPYC54+khzcin1eF5M2qzpZry8Z\n3+OJTN0dPzMoVrjXYQ/zrtFrMIzK/BrmkwH6R550K/GOYBKncvs7yio0PrAZ4nsv\nSavsZTQ7cFIXQy5wjn9n2fDe1105vstA0SSsxbe653xy04A049t3Bk90WXJr1Bec\ntiH3MFkgj71qORsDHkvNl0yg/bswtuTFt/c2VedDADn8p0HEgDc8hyfMN0ts/ADz\nlS1YXWIGnk9Pv4GhTCV5wncEycJzSFy4N7DfpX5TqKSZ7bQRHWuA84iUY7HYtk28\nqsYy5R/5AgMBAAGgLTArBgkqhkiG9w0BCQ4xHjAcMBoGA1UdEQQTMBGCCWhwdnMt\ndGVzdIcECS+YsTANBgkqhkiG9w0BAQsFAAOCAQEAAHL3jNfNdiW85hLFDexWvsRS\n73HSBgYPCN6f0BSIKxDBbNg9D+7CRjefzmdT6g3nncNS5ak7+RDXDjbIYced+bX2\nmQKmpappGMSIiTc3rmpdgZ0unBoSZ/Q9MAQO934KHov9g6t71LPcD3ZuVscEiqRu\n5DMODZRCP22BIXIIFC5p2jYFRmapqdDnOjq6FnxDjPmjWf1K/BEKT4YM+VUAdtYq\n4mz7NXKhhEuex5OmyclgsAEDcB8vdnh240wlB6/C5JZ5KHyPI+DJ+TE/V6crqGyI\nCJxYECiEwY1h5h7oZGcx508RQYPFQmGJRPi55+N8zHW6WVg33+B2gxv2zdu5OA==\n-----END CERTIFICATE REQUEST-----",
          "self": "/api/com.ibm.zaci.system/certificates/v1/525091f9-18c9-4238-a4ba-3bac7d0d3d61"
        }
    }
    

    Notes:

    • In this request, the URI variable {id} is the unique id of the certificate, that is, the id value returned in step 1.
    • An HTTP status code of 200 indicates a successful operation.
    • An HTTP status code of 409 indicates that the certificate is already in the active or expired state.
    • Any other HTTP status code indicates a failed operation.
  3. Activate the uploaded leaf certificate.

    POST https://{{host}}/api/com.ibm.zaci.system/certificates/v1/{id}?action=activate HTTP/1.1
    zACI-API: com.ibm.zaci.system/1.0
    Accept: application/vnd.ibm.zaci.payload+json;version=1.0
    Authorization: Bearer {{login.response.body.parameters.token}}
    

    Notes:

    • In this request, the URI variable {id} is the unique id of the certificate, that is, the id value returned in step 1.
    • An HTTP status code of 204 indicates that the request has been processed successfully.
    • An HTTP status code of 409 is returned when the certificate to be activated is in the csr, active, or expired state.
    • Any other HTTP status code indicates a failed operation.
  4. Verify the upload by retrieving the list of certificates.

    GET https://{{host}}/api/com.ibm.zaci.system/certificates/v1 HTTP/1.1
    zACI-API: com.ibm.zaci.system/1.0
    Accept: application/vnd.ibm.zaci.payload+json;version=1.0
    Authorization: Bearer {{login.response.body.parameters.token}}
    

    Expected Result:

    {
      "kind": "collection",
      "self": "/api/com.ibm.zaci.system/certificates/v1",
      "resource-name": "certificates",
      "resource-version": "v1",
      "instances": [
        {
          "serial": "0E4F6D887DF82AD1B557C19096836FB62C2E0339",
          "fingerprint": "F0:65:C7:1A:21:65:25:86:3C:63:FE:3D:C2:69:9F:43:7A:7A:5D:CB",
          "issued-to": "C = US, O = IBM, OU = zACI, CN = hpvs-test",
          "issued-by": "C = US, O = IBM, OU = zACI, CN = hpvs-test",
          "not-before": 1678786811,
          "crt": "-----BEGIN CERTIFICATE-----\nMIIDOjCCAiKgAwIBAgIUDk9tiH34KtG1V8GQloNvtiwuAzkwDQYJKoZIhvcNAQEL\nBQAwPjELMAkGA1UEBhMCVVMxDDAKBgNVBAoMA0lCTTENMAsGA1UECwwEekFDSTES\nMBAGA1UEAwwJaHB2cy10ZXN0MB4XDTIzMDMxNDA5NDAxMVoXDTI0MDMxMzA5NDAx\nMVowPjELMAkGA1UEBhMCVVMxDDAKBgNVBAoMA0lCTTENMAsGA1UECwwEekFDSTES\nMBAGA1UEAwwJaHB2cy10ZXN0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC\nAQEAyu8kIMVd5gy0qb05DwGBcIiDF7iyViku29curLBNtEnQtxRkNwOrkQL8YeQ6\np3CbvYWEBkhLdR/E3zZKSWi2QUaK/orxx9VOjjC0ODWxC5NLpfb0B14lLE28qeZa\nwfT3pnFAKCTH2HS6Mwvc8pcLlXpb7bDj8Y88mZCXh+zynccaYxjsyUQgTYiu4cWa\n1BzbQWLHmb5Mr0C/c7CzAt7i7myo10PmIjICqoBTmQQ1D7FnLpXodcQt4t+hNJ1e\n9ywldCVYqIwAAys33sSYecYDsMm6EjcFiEA+1LaB6OHorxUp+XSMZiTeg0U6XrPc\nl72M0FUTuoTChhLxOt0K7wcg4wIDAQABozAwLjAJBgNVHRMEAjAAMAsGA1UdDwQE\nAwIF4DAUBgNVHREEDTALgglocHZzLXRlc3QwDQYJKoZIhvcNAQELBQADggEBAF1o\nQWIilTIuruTXI28wfBXRx3d82+BqC9/C0gPi8VA0bs76w87gphMOM9ftFhLhH5C0\nMhgH8bYQXAXqoAbIUX7itoxa1OwHCRUGo0VuBn532/+GdiySF/FrRfVl1WelCuAN\nH21+OaJuhcEPgbJNJmvZQOy2o1lVmFhR12pz5HypgWsa0F0rLlR8ahE7qRd4lFt3\nUWRGAiKVm9DIV1lDJEYALyxbww3fapdoWRzbjerUaCK+s+PaZY0ZwZN45pwM5AN9\nCCuEYZBtxqDJbB8J7dQBxp6MAPvRoGz7csd3IHgq0pP3HCI05y5oGQRPgREJ0R+Z\nDTYg8gPiyrNsO5qb92k=\n-----END CERTIFICATE-----",
          "not-after": 1710322811,
          "names": [
            "hpvs-test"
          ],
          "state": "active",
          "hostname": "hpvs-test",
          "ca": true,
          "id": "rootCA_startup",
          "csr": "-----BEGIN CERTIFICATE REQUEST-----\nMIICwjCCAaoCAQAwPjELMAkGA1UEBhMCVVMxDDAKBgNVBAoMA0lCTTENMAsGA1UE\nCwwEekFDSTESMBAGA1UEAwwJaHB2cy10ZXN0MIIBIjANBgkqhkiG9w0BAQEFAAOC\nAQ8AMIIBCgKCAQEAyu8kIMVd5gy0qb05DwGBcIiDF7iyViku29curLBNtEnQtxRk\nNwOrkQL8YeQ6p3CbvYWEBkhLdR/E3zZKSWi2QUaK/orxx9VOjjC0ODWxC5NLpfb0\nB14lLE28qeZawfT3pnFAKCTH2HS6Mwvc8pcLlXpb7bDj8Y88mZCXh+zynccaYxjs\nyUQgTYiu4cWa1BzbQWLHmb5Mr0C/c7CzAt7i7myo10PmIjICqoBTmQQ1D7FnLpXo\ndcQt4t+hNJ1e9ywldCVYqIwAAys33sSYecYDsMm6EjcFiEA+1LaB6OHorxUp+XSM\nZiTeg0U6XrPcl72M0FUTuoTChhLxOt0K7wcg4wIDAQABoD8wPQYJKoZIhvcNAQkO\nMTAwLjAJBgNVHRMEAjAAMAsGA1UdDwQEAwIF4DAUBgNVHREEDTALgglocHZzLXRl\nc3QwDQYJKoZIhvcNAQELBQADggEBADSVg0vcaT+bSGkNiVN1IK43CY+anOmOpDXq\n8dbzcJH7b2RRHOPL2sMWPWfp8AqOHNATrI8GoRuKxhzvTk5S9hywaQm5lL2sd1Zq\ngb1voLv0/B43ygMHeMDGvFaQ5LbfsdDwrJT87YEa1N+OcuAFnWteM4xms+C+FsWc\nVzhNthSZqjnuBbxKkCt5G2Dlv7vrsF+WDzWgNlRcRI68QskHg8YvGraeip1/znef\nFdV4KFFF4fJtKI4S3nQT+f5SzxnV8e/l5h365pU6gtkl+J7XKl13hAWIFDdw84Us\n9SETEnFqNPF3LdVzLSqoCYmo1cB/7jb7It+EJN1h0SoCgbwOyVY=\n-----END CERTIFICATE REQUEST-----",
          "self": "/api/com.ibm.zaci.system/certificates/v1/rootCA_startup"
        },
        {
          "serial": "42152C56BCF9BC32B5CB0771ABA601D597D82CE9",
          "fingerprint": "71:5A:CD:53:3F:35:93:6B:8E:6C:F4:8B:F9:54:6F:B3:93:B1:FB:80",
          "issued-to": "C = US, O = IBM, OU = zACI, CN = hpvs-test",
          "issued-by": "C = US, O = IBM, OU = zACI, CN = hpvs-test",
          "not-before": 1678786812,
          "crt": "-----BEGIN CERTIFICATE-----\nMIIDQDCCAiigAwIBAgIUQhUsVrz5vDK1ywdxq6YB1ZfYLOkwDQYJKoZIhvcNAQEL\nBQAwPjELMAkGA1UEBhMCVVMxDDAKBgNVBAoMA0lCTTENMAsGA1UECwwEekFDSTES\nMBAGA1UEAwwJaHB2cy10ZXN0MB4XDTIzMDMxNDA5NDAxMloXDTI0MDMxMzA5NDAx\nMlowPjELMAkGA1UEBhMCVVMxDDAKBgNVBAoMA0lCTTENMAsGA1UECwwEekFDSTES\nMBAGA1UEAwwJaHB2cy10ZXN0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC\nAQEAmPH2ybhXDS/u1l6MRXVtngwzutaLAOD370v4+i9diPulA0T23AxZmnEj/4Tb\nqszKmCVpMDS1dWQfn/lZcjqo33Gm2BksS6QUZC0Q1/NfdyAz7kEyDdeFR3MbGp2U\nNfsjFOs/ynboOw6bygqEO3fh1a+SE3o/WoGD67YFhR1epVAuuKBKfwGX64a1mOXm\n2uy8ybsyXXGRK/jFgxjPm2Ko7hfrqA+PxC5T4+HCTcsr7bQrkPoEbLoQygr+GYGc\nbpB/MZWIslwLWyjtRUlz6+AUETJgw/4C2/hX9phZ57k5yfZ5Og5RpPzoaeOQjNLx\nOriQDMdeXThIpqGE83GDpGFiqwIDAQABozYwNDAJBgNVHRMEAjAAMAsGA1UdDwQE\nAwIF4DAaBgNVHREEEzARgglocHZzLXRlc3SHBAkvmLEwDQYJKoZIhvcNAQELBQAD\nggEBAEOgRTN5bPoZWOPfoMir37MKjTGxT0OmFxLwfPqO97tiIgPNmXWSZsYNuHko\n/6ipdbqCDktcyWFJAbdJEDmRPK/k+miYvcq0n9g2ghd/hiGx4aIVQhQQeUMGJl2B\ncBcAvOdGosXb8M4zNCaK8je1ilMLAfl+4acJXoJP1tbhsyoMj91pYu1uhdb6OFwX\neE8an1myGWkT9AwM2Uau+glv3VnKgl8yxnbp72E6/uCf/kmQfOW5gZLFE48FNW08\nNXvT4yi48gyYPpnWVLk4FguC9OmIDaoCmLLmy9qTKllYi6qkuR6u04LOlnRitLLw\nu6y7smrt2G94KrQvDhuEGRAL63c=\n-----END CERTIFICATE-----",
          "not-after": 1710322812,
          "names": [
            "hpvs-test",
            "*.*.152.177"
          ],
          "state": "crt",
          "hostname": "hpvs-test",
          "ca": false,
          "id": "startup_*.*.152.177",
          "csr": "-----BEGIN CERTIFICATE REQUEST-----\nMIICyDCCAbACAQAwPjELMAkGA1UEBhMCVVMxDDAKBgNVBAoMA0lCTTENMAsGA1UE\nCwwEekFDSTESMBAGA1UEAwwJaHB2cy10ZXN0MIIBIjANBgkqhkiG9w0BAQEFAAOC\nAQ8AMIIBCgKCAQEAmPH2ybhXDS/u1l6MRXVtngwzutaLAOD370v4+i9diPulA0T2\n3AxZmnEj/4TbqszKmCVpMDS1dWQfn/lZcjqo33Gm2BksS6QUZC0Q1/NfdyAz7kEy\nDdeFR3MbGp2UNfsjFOs/ynboOw6bygqEO3fh1a+SE3o/WoGD67YFhR1epVAuuKBK\nfwGX64a1mOXm2uy8ybsyXXGRK/jFgxjPm2Ko7hfrqA+PxC5T4+HCTcsr7bQrkPoE\nbLoQygr+GYGcbpB/MZWIslwLWyjtRUlz6+AUETJgw/4C2/hX9phZ57k5yfZ5Og5R\npPzoaeOQjNLxOriQDMdeXThIpqGE83GDpGFiqwIDAQABoEUwQwYJKoZIhvcNAQkO\nMTYwNDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIF4DAaBgNVHREEEzARgglocHZzLXRl\nc3SHBAkvmLEwDQYJKoZIhvcNAQELBQADggEBAAQSSUrqgqubuYu5+MK0sAuDcEcr\n6whPeA0sJIBe+MKh3gzNnhLGiVTD440e/PNrc/nKUwmJGI1AHt7AmveUvdV1wcJ9\nwfRHnC8M0qdQpATaLIU6gIgpl1DXRo2cmdtjTSnyg2TJ4/ojcqdWYdk2cEzHYjB5\n1+ZcOfHahCb/eEC8GevruyqMUjKPj+5gxHrengMstHBPFPyR4vl+rofOfY0/s8pu\nFxPy/n1+hBlbbhp5WQym1saVbLW55xxkvRk4DTXtNO787GLBQPMaTkhOBrJDzIUe\nxMTBR4PfzqtRvlZ1qrviYf6Ako2rQwt/86wxDSVZsR0KeuxoDaGVlnc296M=\n-----END CERTIFICATE REQUEST-----",
          "self": "/api/com.ibm.zaci.system/certificates/v1/startup_*.*.152.177"
        },
        {
          "serial": "1F96",
          "fingerprint": "AE:75:1B:A8:FD:AC:EA:19:F4:D8:E6:BC:91:93:1A:04:11:5A:5A:5A",
          "issued-to": "C = US, ST = California, O = IBM, OU = CSL, CN = hpvs-test530066",
          "issued-by": "C = US, ST = California, L = Los Angeles, O = IBM, CN = *.*.152.177",
          "not-before": 1678875059,
          "crt": "-----BEGIN CERTIFICATE-----\nMIIDwzCCAqugAwIBAgICH5YwDQYJKoZIhvcNAQELBQAwXTELMAkGA1UEBhMCVVMx\nEzARBgNVBAgMCkNhbGlmb3JuaWExFDASBgNVBAcMC0xvcyBBbmdlbGVzMQwwCgYD\nVQQKDANJQk0xFTATBgNVBAMMDDkuNDcuMTUyLjE3NzAeFw0yMzAzMTUxMDEwNTla\nFw0yNTAzMTQxMDEwNTlaMFgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9y\nbmlhMQwwCgYDVQQKDANJQk0xDDAKBgNVBAsMA0NTTDEYMBYGA1UEAwwPaHB2cy10\nZXN0NTMwMDY2MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArTfkMNpx\ngRuED5U9Irl/TnkZ77FB1EGEyWBp49db8MlK0/+9US6z2AuePpIc3Ip9XheTNqs6\nWa8vGd/jiUzdHT8zKFa412EP867RazCMyvwa5pMB+keedCvxjmASp3L7O8oqND6w\nGeJ7L0mr7GU0O3BSF0MucI5/Z9nw3tddOb7LQNEkrMW3uud8ctOANOPbdwZPdFly\na9QXnLYh9zBZII+9ajkbAx5LzZdMoP27MLbkxbf3NlXnQwA5/KdBxIA3PIcnzDdL\nbPwA85UtWF1iBp5PT7+BoUwlecJ3BMnCc0hcuDew36V+U6ikme20ER1rgPOIlGOx\n2LZNvKrGMuUf+QIDAQABo4GRMIGOMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgSwMBMG\nA1UdJQQMMAoGCCsGAQUFBwMBMBEGCWCGSAGG+EIBAQQEAwIGQDAoBgNVHR8EITAf\nMB2gG6AZhhdodHRwOi8vbG9jYWxob3N0L2NhLmNybDAiBgNVHREEGzAZghE5LjQ3\nLjE1Mi4xNzc6OTAwMYcECS+YsTANBgkqhkiG9w0BAQsFAAOCAQEAjMHfZgMKuHQP\nkL4Y1lN0QBNx+bmMxmtMK3GouU/F+z1R4F6sEJZWbE7QTIucnjKjf1o8CUhe/3fM\nm+TY4GyimA5drv9xqYpTE7S2mKSLTnvBc5Fot9p/FnkTfbmABUTB4Axq68pcBtBH\nF5Cpft97BpW9enCioD9jboRBE5LKo6SZpPLYvNEQzpP4r7SDVFEtT5kItvpTrB+T\nGzwTJg1dV3rfeB3V54+6VoP88v+4i4Poj3W1LbtgeVgLuV60L8O2INJ8H2pmuNv3\nDMvoNXQfn/9pKmKWnprMeDDfg4RmInR9Kxs11mwCiR9nBaM8nvS7PmUCHFYc+Jif\n2+sY3U2BrQ==\n-----END CERTIFICATE-----",
          "not-after": 1741947059,
          "names": [
            "hpvs-test530066",
            "*.*.152.177:9001",
            "*.*.152.177"
          ],
          "state": "active",
          "hostname": "hpvs-test530066",
          "ca": false,
          "id": "525091f9-18c9-4238-a4ba-3bac7d0d3d61",
          "csr": "-----BEGIN CERTIFICATE REQUEST-----\nMIICyjCCAbICAQAwWDELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWEx\nDDAKBgNVBAoMA0lCTTEMMAoGA1UECwwDQ1NMMRgwFgYDVQQDDA9ocHZzLXRlc3Q1\nMzAwNjYwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCtN+Qw2nGBG4QP\nlT0iuX9OeRnvsUHUQYTJYGnj11vwyUrT/71RLrPYC54+khzcin1eF5M2qzpZry8Z\n3+OJTN0dPzMoVrjXYQ/zrtFrMIzK/BrmkwH6R550K/GOYBKncvs7yio0PrAZ4nsv\nSavsZTQ7cFIXQy5wjn9n2fDe1105vstA0SSsxbe653xy04A049t3Bk90WXJr1Bec\ntiH3MFkgj71qORsDHkvNl0yg/bswtuTFt/c2VedDADn8p0HEgDc8hyfMN0ts/ADz\nlS1YXWIGnk9Pv4GhTCV5wncEycJzSFy4N7DfpX5TqKSZ7bQRHWuA84iUY7HYtk28\nqsYy5R/5AgMBAAGgLTArBgkqhkiG9w0BCQ4xHjAcMBoGA1UdEQQTMBGCCWhwdnMt\ndGVzdIcECS+YsTANBgkqhkiG9w0BAQsFAAOCAQEAAHL3jNfNdiW85hLFDexWvsRS\n73HSBgYPCN6f0BSIKxDBbNg9D+7CRjefzmdT6g3nncNS5ak7+RDXDjbIYced+bX2\nmQKmpappGMSIiTc3rmpdgZ0unBoSZ/Q9MAQO934KHov9g6t71LPcD3ZuVscEiqRu\n5DMODZRCP22BIXIIFC5p2jYFRmapqdDnOjq6FnxDjPmjWf1K/BEKT4YM+VUAdtYq\n4mz7NXKhhEuex5OmyclgsAEDcB8vdnh240wlB6/C5JZ5KHyPI+DJ+TE/V6crqGyI\nCJxYECiEwY1h5h7oZGcx508RQYPFQmGJRPi55+N8zHW6WVg33+B2gxv2zdu5OA==\n-----END CERTIFICATE REQUEST-----",
          "self": "/api/com.ibm.zaci.system/certificates/v1/525091f9-18c9-4238-a4ba-3bac7d0d3d61"
        }
      ]
    }
    

    Notes:

    • An HTTP status code of 200 indicates a successful operation.
    • Any other HTTP status code indicates a failed operation.
  5. You can also verify the uploaded external certificate on the web server.