HMC Manual Reference Pages  - CHHMCCERT (1)

NAME

chhmccert - change the Hardware Management Console certificate

SYNOPSIS

To change a self-signed certificate:
chhmccert -o apply -t self -i "configuration-data"
[--force] [-r] [--help]

To import and install a Certificate Authority (CA) signed certificate or a certificate repository:
chhmccert -o apply -t {cacert | repo} -f file-name
[-s signing-certificate-file-name]
[-l {usb | sftp}] [-h host-name] [-u user-ID]
[--passwd password] [-k SSH-private-key] -d directory
[--repopasswd repository-password] [-r] [--help]

To install the previously archived certificate:
chhmccert -o apply -t archivecert [-r] [--help]

To delete and archive the current certificate:
chhmccert -o archiverm [-r] [--help]

To add a certificate as trusted to the HMC’s truststore:
chhmccert -o add -t trustedcert -a alias
-l {usb | sftp | trustedsslserver}
[-h host-name] [-u user-ID]
[--passwd password] [-k SSH-private-key]
[-f file-name] [-d directory]
[--proxyserver host-name:port]
[--proxyuser user-ID] [--proxypasswd password]
[-r] [--help]

To remove a trusted certificate from the HMC’s truststore:
chhmccert -o remove -t trustedcert -a alias [-r] [--help]

To change the default setting for the number of days until certificate expiration:
chhmccert -o set -n number-of-days [--help]

DESCRIPTION

chhmccert changes the Hardware Management Console (HMC) certificate, or adds or removes a certificate to or from the HMC’s truststore. The HMC will automatically be restarted to apply the certificate changes.

chhmccert also changes the HMC default setting for the number of days until certificate expiration. The new default setting will be applied to newly created certificates or certificate signing requests only.

OPTIONS

-o The operation to perform. Valid values are apply to apply a certificate, archiverm to delete and archive the current certificate, add to add a certificate as trusted to the HMC’s truststore, remove to remove a trusted certificate from the HMC’s truststore, and set to change the HMC default setting for the number of days until certificate expiration.
-t The type of certificate to apply, add, or remove. Valid values are self to apply changes to a self-signed certificate, cacert to apply an imported CA signed certificate, repo to apply an imported certificate repository, archivecert to apply the previously archived certificate, and trustedcert to add or remove a trusted certificate.
-f The name of the file containing the CA signed certificate or certificate repository to import and apply, or the certificate to add as trusted to the HMC’s truststore.

When adding a certificate as trusted this option is required when the certificate is located on a USB data storage device, an SFTP server, or the HMC hard disk. Otherwise, this option is not valid.

-s The name of the file containing the signing certificate to import. Multiple file names can be specified with this option. Multiple file names must be comma separated.

This option is only valid when importing and applying a CA signed certificate.

-l The location where the CA signed certificate, certificate repository, or certificate to be added as trusted is located. Valid values are usb for a USB data storage device, sftp for a secure FTP (SFTP) server, or trustedsslserver for a trusted server.

If this option is not specified, the CA signed certificate, certificate repository, or certificate to be added as trusted will be imported from the HMC hard disk.

-h The host name or IP address of the SFTP server where the CA signed certificate, certificate repository, or certificate to be added as trusted is located, or the host name or IP address of the trusted server where the certificate to be added as trusted is located.

This option is required when the CA signed certificate or certificate repository is located on an SFTP server, and when the certificate to be added as trusted is located on an SFTP server or a trusted server. Otherwise, this option is not valid.

-u The user ID to use to log in to the SFTP server.

This option is required when the CA signed certificate, certificate repository, or certificate to be added as trusted is located on an SFTP server. Otherwise, this option is not valid.

--passwd The password to use to log in to the SFTP server.

If both this option and the -k option are omitted, you will be prompted to enter the password. The --passwd and -k options are mutually exclusive.

This option is only valid when the CA signed certificate, certificate repository, or certificate to be added as trusted is located on an SFTP server.

-k The name of the file that contains the SSH private key. If the file name is not fully qualified, the file must exist in the user’s home directory on the HMC.

Use the ssh-keygen command to generate the public and private SSH key pair. The ssh-keygen command is not allowed to write to the .ssh directory in the user’s home directory on the HMC, so when you run the command on the HMC, you must specify both the directory and the file name for the private key. If you generate a key with a passphrase, you will be prompted to enter the passphrase when you run any HMC command that uses the key.

If both this option and the --passwd option are omitted and the CA signed certificate or certificate repository is located on an SFTP server, you will be prompted to enter the password. The -k and --passwd options are mutually exclusive.

This option is only valid when the CA signed certificate, certificate repository, or certificate to be added as trusted is located on an SFTP server.

-d The directory where the CA signed certificate, certificate repository, or certificate to be added as trusted is located.

When adding a certificate as trusted this option is required when the certificate is located on a USB data storage device, an SFTP server, or the HMC hard disk. Otherwise, this option is not valid.

--repopasswd The password for the certificate repository. If this option is omitted you will be prompted to enter the password.

This option is only valid when importing and applying a certificate repository.

-a The alias for the trusted certificate to add or remove.
--proxyserver The host name or IP address of the HTTP or HTTPS proxy server. The port can be specified following the host name or IP address with :port. If port is omitted, it will default to 3128.

This option is only valid when the certificate to be added as trusted is located on a trusted server.

--proxyuser The user ID to use to log in to the proxy server when user authentication is required for the proxy connection.
--proxypasswd The password to use to log in to the proxy server when user authentication is required for the proxy connection.

If this option is omitted when the --proxyuser option is specified, you will be prompted to enter the password.

-n Specify the new HMC default setting for the number of days until certificate expiration.
-i The input data for the command. The input data consists of attribute name/value pairs, which are in comma separated value (CSV) format.

The format of the input data is as follows:

attribute-name=value,attribute-name=value,...

Note that certain attributes accept a comma separated list of values, as follows:

attribute-name=value,value,... ,...

When a list of values is specified, the attribute name/value pair must be enclosed in double quotes. Depending on the shell being used, nested double quote characters may need to be preceded by an escape character, which is usually a ’\’ character.

If ’+=’ is used in the attribute name/value pair instead of ’=’, the specified value is added to the existing list.

If ’-=’ is used in the attribute name/value pair instead of ’=’, the specified value is deleted from the existing list.

Valid attribute names for this command:
org
org_unit
country
    Two-character ISO country code
state
locality
days_to_expire
email
ipaddrs
    Comma separated list
dns
    Comma separated list

-r Specify this option to cause the HMC to automatically be restarted without asking for confirmation after applying a certificate or adding or removing a trusted certificate.
--force Specify this option to allow a self-signed certificate to be applied without a domain name.
--help Display the help text for this command and exit.

EXAMPLES

Change a self-signed certificate (the HMC will automatically be restarted to install the certificate):

chhmccert -o apply -t self -i "days_to_expire=730,ipaddrs+=9.2.155.120"
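
An added example, not part of the original manual page: a shell helper that assembles the configuration-data string for -i according to the format rules under OPTIONS (a pair that carries a list is enclosed in double quotes, and += and -= are kept as written). The function name build_cert_data and the sample organization, addresses and host name are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: assemble the -i "configuration-data" string for
# `chhmccert -o apply -t self`. build_cert_data is a hypothetical helper
# name, not an HMC command.

build_cert_data() {
    out=""
    for pair in "$@"; do
        # Split at the first '='; a trailing '+' or '-' on the name marks
        # the += (add to list) and -= (delete from list) forms.
        case "$pair" in
            *=*) name=${pair%%=*}; value=${pair#*=} ;;
            *) echo "not a name=value pair: $pair" >&2; return 1 ;;
        esac
        base=${name%[+-]}
        # Only the attribute names listed for this command are accepted.
        case "$base" in
            org|org_unit|country|state|locality|days_to_expire|email|ipaddrs|dns) ;;
            *) echo "unknown attribute: $base" >&2; return 1 ;;
        esac
        # country is a two-character ISO code; days_to_expire is a number.
        if [ "$base" = country ] && [ "${#value}" -ne 2 ]; then
            echo "country must be two characters: $value" >&2; return 1
        fi
        if [ "$base" = days_to_expire ]; then
            case "$value" in
                ''|*[!0-9]*) echo "days_to_expire must be a number" >&2; return 1 ;;
            esac
        fi
        # A double quote or a stray comma would change how the CSV is split.
        case "$value" in
            *\"*) echo "double quote in value: $pair" >&2; return 1 ;;
            *,*) case "$base" in
                     # A pair carrying a list is enclosed in double quotes.
                     ipaddrs|dns) pair="\"$pair\"" ;;
                     *) echo "$base does not take a list" >&2; return 1 ;;
                 esac ;;
        esac
        out="${out:+$out,}$pair"
    done
    printf '%s\n' "$out"
}

# Constructed sample values (documentation address range and domain).
data=$(build_cert_data org=Example country=US days_to_expire=730 \
    "ipaddrs=192.0.2.10,192.0.2.11" "dns+=hmc1.example.com") || exit 1
printf '%s\n' "$data"
```

Pass the result to chhmccert as a single argument, for example -i "$data" in a POSIX shell, so the embedded double quotes reach the command unchanged.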

Import and install a CA signed certificate from an SFTP server using SSH keys for authentication, and restart the HMC without asking for confirmation:

chhmccert -o apply -t cacert -f certfile -s signingfile1,signingfile2 -l sftp
-h server.company.com -u sftpuser -k /home/hmcuser/keys/id_rsa
-d /home/sftpuser/certs -r

To install the previously archived certificate (the HMC will automatically be restarted to install the certificate):

chhmccert -o apply -t archivecert

Delete and archive the current certificate and restart the HMC without asking for confirmation:

chhmccert -o archiverm -r

Add a certificate located on a trusted server to the HMC’s truststore:

chhmccert -o add -t trustedcert -l trustedsslserver -a cmccert
-h cmcportal-powercloud.mybluemix.net

Add a certificate located on a trusted server and use a proxy connection with authentication:

chhmccert -o add -t trustedcert -l trustedsslserver -a cmccert
-h cmcportal-powercloud.mybluemix.net --proxyserver 9.124.125.229:8080
--proxyuser userID --proxypasswd password

Remove a trusted certificate:

chhmccert -o remove -t trustedcert -a cmccert

Change the HMC default setting for the number of days until certificate expiration:

chhmccert -o set -n 365

ENVIRONMENT

None

BUGS

None

AUTHOR

IBM Austin

SEE ALSO

chhmccert, lshmccert


Linux CHHMCCERT (1) November 2020