Replacing the certificate for PowerVC access

By default, PowerVC uses a self-signed X.509 certificate to secure its web interface and REST APIs. Self-signed certificates are not signed by an independent certificate authority (CA). Because anyone can create self-signed certificates, they cannot be trusted automatically by clients such as web browsers. For better security, an administrator should replace the default self-signed certificate with a new CA-signed certificate that clients will trust automatically. Certificates might also need to be replaced if they are expiring or have been revoked, if their private key has been compromised, and so on.

About this task

  • The list of Subject Alternative Names should include the IP address, virtual IP address, the local host name, and the fully qualified domain name.
  • When changing your certificate, you must replace certificate files and restart services on the management server and registered NovaLink hosts.
The web interface and REST APIs use the private key and certificate at the following locations:
  • /etc/pki/tls/private/powervc.key
  • /etc/pki/tls/certs/powervc.crt

To replace the certificates, follow these steps. Perform all steps on the PowerVC management server, unless otherwise stated:


  1. Replace this file with a new private key file that has the same name: /etc/pki/tls/private/powervc.key.
  2. Replace this file with a new certificate file that has the same name: /etc/pki/tls/certs/powervc.crt. This certificate must correspond to the private key file. In cases where the new certificate is a CA-signed certificate, powervc.crt must consist of the entire certificate chain, even if the root CA and intermediate certificates are present in the system trust store. The leaf certificate must be at the top followed by the intermediate certificates in between and the root certificate at the bottom.
  3. Restart all PowerVC services by running powervc-services restart.
  4. On each registered NovaLink host or network node, replace the certificate at /etc/pki/tls/certs/powervc.crt with the new certificate generated in the previous steps.
  5. If you have any NovaLink hosts or network node, also restart PowerVC services on all of those hosts by running powervc-services remote restart --node all from the PowerVC management server.