HMC Manual Reference Pages  - MKHMCCERT (1)

NAME

mkhmccert - create a Hardware Management Console certificate

SYNOPSIS

To create and apply a self-signed certificate:
mkhmccert -t self [-i "configuration-data"] [--force] [-r]
[--help]

To create a certificate signing request (CSR):
mkhmccert -t ca -f file-name [-l {usb | sftp}]
[-h host-name] [-u user-ID] [--passwd password]
[-k SSH-private-key] [-d directory]
[-i "configuration-data"] [--temp [-r]] [--help]

DESCRIPTION

mkhmccert creates a Hardware Management Console (HMC) certificate.

After a self-signed certificate is created, the HMC will automatically be restarted to apply the certificate.

OPTIONS

-t The type of certificate to create. Valid values are self to create a self-signed certificate, and ca to create a certificate signing request (CSR) for the server where the Certificate Authority (CA) signed certificate will be issued.
-f The name of the file where the CSR is to be saved.
-l The location where the CSR is to be saved. Valid values are usb for a USB data storage device, and sftp for a secure FTP (SFTP) server. If this option is not specified, the CSR will be saved to the HMC hard disk.
-h The host name or IP address of the SFTP server where the CSR is to be saved.

This option is required when the CSR is to be saved on an SFTP server. Otherwise, this option is not valid.

-u The user ID to use to log in to the SFTP server.

This option is required when the CSR is to be saved on an SFTP server. Otherwise, this option is not valid.

--passwd The password to use to log in to the SFTP server.

If both this option and the -k option are omitted, you will be prompted to enter the password. The --passwd and -k options are mutually exclusive.

This option is only valid when the CSR is to be saved on an SFTP server.

-k The name of the file that contains the SSH private key. If the file name is not fully qualified, the file must exist in the user’s home directory on the HMC.

Use the ssh-keygen command to generate the public and private SSH key pair. The ssh-keygen command is not allowed to write to the .ssh directory in the user’s home directory on the HMC, so when you run the command on the HMC, you must specify both the directory and the file name for the private key. If you generate a key with a passphrase, you will be prompted to enter the passphrase when you run any HMC command that uses the key.

If both this option and the --passwd option are omitted and the CSR is to be saved on an SFTP server, you will be prompted to enter the password. The -k and --passwd options are mutually exclusive.

This option is only valid when the CSR is to be saved on an SFTP server.

-d The directory where the CSR is to be saved.
-i The input data for the command. The input data consists of attribute name/value pairs, which are in comma separated value (CSV) format.

The format of the input data is as follows:

attribute-name=value,attribute-name=value,...

Note that certain attributes accept a comma separated list of values, as follows:

"attribute-name=value,value,...",...

When a list of values is specified, the attribute name/value pair must be enclosed in double quotes. Depending on the shell being used, nested double quote characters may need to be preceded by an escape character, which is usually a '\' character.

Valid attribute names for this command:
    org
    org_unit
    country
        Two-character ISO country code
    state
    locality
    days_to_expire
    email
    ipaddrs
        Comma separated list
    dns
        Comma separated list
    common_name
        Only valid for a CSR
    key_size
        Only valid for a self-signed certificate
        Valid values are 2048 (default), 3072, and 4096

--temp When creating a CSR, specify this option to create a temporary self-signed certificate to be used until the CA returns the signed certificate.

The HMC will automatically be restarted to apply the temporary self-signed certificate.

-r Specify this option to cause the HMC to automatically be restarted without asking for confirmation after applying a self-signed certificate.
--force Specify this option to allow a self-signed certificate to be created without a domain name.
--help Display the help text for this command and exit.

EXAMPLES

Create a self-signed certificate (the HMC will automatically be restarted to apply the certificate):

mkhmccert -t self -i "org=TEST,org_unit=HMC,country=US,state=Texas,locality=Austin,email=support@company.com,days_to_expire=365,ipaddrs=9.2.155.119,dns=dns1@company.com"

Create a CSR and save it to a SFTP server and use SSH keys for authentication:

mkhmccert -t ca -f csrfile -l sftp -h server.company.com -u sftpuser -k /home/hmcuser/keys/id_rsa -d /home/sftpuser/certs -i "org=TEST,org_unit=HMC,country=US,common_name=hmc1@company.com,state=Texas,locality=Austin,email=support@company.com,days_to_expire=365,ipaddrs=9.5.17.129,dns=dns1@company.com"
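
Build and validate the -i configuration data before running the command (an added example, not part of the original manual page or of the HMC software). The function names build_config_data and build_command are hypothetical; the attribute rules are the ones listed under OPTIONS, and rejecting values that contain a comma or double quote is an assumption, because this page does not describe an escape for them.

```python
import shlex

# Attribute rules taken from the OPTIONS section of this page.
VALID = {"org", "org_unit", "country", "state", "locality", "days_to_expire",
         "email", "ipaddrs", "dns", "common_name", "key_size"}
LIST_ATTRS = {"ipaddrs", "dns"}                      # accept a list of values
ONLY_FOR = {"common_name": "ca", "key_size": "self"}  # attribute -> required -t
KEY_SIZES = {"2048", "3072", "4096"}


def build_config_data(cert_type, attrs):
    """Return the configuration-data string for -i, rejecting invalid input."""
    if cert_type not in ("self", "ca"):
        raise ValueError("-t must be self or ca")
    pairs = []
    for name, value in attrs.items():
        if name not in VALID:
            raise ValueError(f"unknown attribute: {name}")
        if ONLY_FOR.get(name, cert_type) != cert_type:
            raise ValueError(f"{name} is only valid with -t {ONLY_FOR[name]}")
        is_list = isinstance(value, (list, tuple))
        values = [str(v) for v in value] if is_list else [str(value)]
        if not values:
            raise ValueError(f"{name}: empty list")
        if len(values) > 1 and name not in LIST_ATTRS:
            raise ValueError(f"{name} does not accept a list")
        # Assumption: no escape is documented, so separators/quotes are refused.
        if any(c in v for v in values for c in ',"\n'):
            raise ValueError(f"{name}: value contains a separator or quote")
        first = values[0]
        if name == "country" and not (len(first) == 2 and first.isascii()
                                      and first.isalpha()):
            raise ValueError("country must be a two-character ISO code")
        if name == "key_size" and first not in KEY_SIZES:
            raise ValueError("key_size must be 2048, 3072 or 4096")
        pair = f"{name}={','.join(values)}"
        # A pair holding a list of values is enclosed in nested double quotes.
        pairs.append(f'"{pair}"' if len(values) > 1 else pair)
    return ",".join(pairs)


def build_command(cert_type, attrs, extra_args=()):
    """Return (argv, shell_line); shell_line is quoted for a POSIX shell."""
    argv = ["mkhmccert", "-t", cert_type, *extra_args,
            "-i", build_config_data(cert_type, attrs)]
    return argv, shlex.join(argv)
```

shlex.join wraps the configuration data in single quotes whenever it contains nested double quotes, so no backslash escaping is needed when the line is pasted into a POSIX shell.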

ENVIRONMENT

None

BUGS

None

AUTHOR

IBM Austin

SEE ALSO

chhmccert, lshmccert


Linux MKHMCCERT (1) May 2023