Replacing the certificate for PowerVC access
By default, PowerVC uses a self-signed X.509 certificate to secure its web interface and REST APIs. A self-signed certificate is not signed by an independent certificate authority (CA), and because anyone can create one, clients such as web browsers cannot trust it automatically. For better security, an administrator must replace the default self-signed certificate with a CA-signed certificate that clients trust automatically. Certificates might also need to be replaced if they are about to expire, are revoked, or if their private key is compromised.
Before you begin
Validate the following content in the CA-signed certificate before you replace the default self-signed certificate with it:
- The common name (CN) field, which identifies the specific domain or entity the certificate is issued to, must not be the hostname. Use the virtual IP address as the common name instead.
- The Subject Alternative Name (SAN) field must include the following values:
  - Short hostname for all three nodes
  - Long hostnames for all three nodes
  - Node IP address for all three nodes
  - Virtual IP address
- The CA flag field must be True.
- The certificate chain that is provided with the CA-signed certificate must include the server, intermediate, and root certificates.
- The server, intermediate, and root certificates must each be checked to confirm that none of them has expired.
- The CA certificate must be updated in the truststore to establish the trust.
About this task
Notes:
- The list of Subject Alternative Names must include the IP address, virtual IP address, the local hostname, and the fully qualified domain name.
- When you change your certificate, you must replace certificate files and restart services on the management server and registered NovaLink hosts.
The web interface and REST APIs use the private key and certificate at the following locations:
/etc/pki/tls/private/powervc.key
/etc/pki/tls/certs/powervc.crt
To replace the certificates, follow these steps. Perform all the steps on the PowerVC management server, unless otherwise stated:
Procedure
- Replace the /etc/pki/tls/private/powervc.key file with a new private key file that has the same name.
- Replace the /etc/pki/tls/certs/powervc.crt file with a new certificate file that has the same name. This certificate must correspond to the private key file. If the new certificate is a CA-signed certificate, powervc.crt must consist of the entire certificate chain, even if the root CA and intermediate certificates are present in the system truststore. The leaf certificate must come first, followed by the intermediate certificates, with the root certificate at the end.
- Restart all PowerVC services by running powervc-services restart.
- On each registered NovaLink host or network node, replace the certificate at /etc/pki/tls/certs/powervc.crt with the new certificate that was generated in the previous steps.
- If you have any NovaLink hosts or network nodes, also restart PowerVC services on all of those hosts by running powervc-services remote restart --node all from the PowerVC management server.
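The checks listed under "Before you begin", together with the key-match and chain-order requirements of the powervc.crt step, as a POSIX shell pre-flight script to run on the management server before the files under /etc/pki/tls are overwritten. This is an added example, not PowerVC's own tooling; it assumes the openssl CLI is installed, and make_demo_cert only produces constructed throwaway material (RFC 5737 addresses, hostnames pvc1 and pvc1.example.com) for trying the checks out.

```shell
# Pre-flight checks for a replacement PowerVC certificate (added example, not part of
# the product). Needs the openssl CLI, 1.1.1 or later, on the management server.

# 0 if private key file $1 and the leaf certificate in $2 carry the same public key.
cert_matches_key() {
  openssl pkey -in "$1" -noout 2>/dev/null && openssl x509 -in "$2" -noout 2>/dev/null || return 1
  k=$(openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl sha256)
  c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null | openssl pkey -pubin -outform DER 2>/dev/null | openssl sha256)
  [ "$k" = "$c" ]
}
# 0 if the leaf certificate (first PEM block) in $1 has not expired.
cert_not_expired() { openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1; }
# 0 if the SAN of the leaf in $1 lists every further argument, written as openssl
# prints them, e.g. "DNS:pvc1.example.com" or "IP Address:192.0.2.10".
san_contains_all() {
  san=$(openssl x509 -in "$1" -noout -text 2>/dev/null | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//')
  shift
  for want in "$@"; do
    case ", $san," in *", $want,"*) ;; *) return 1 ;; esac
  done
}
# pem_block BUNDLE N prints the Nth certificate; dn PEM issuer|subject prints that DN.
pem_block() { awk -v n="$2" '/-----BEGIN CERTIFICATE-----/{i++} i==n' "$1"; }
dn() { printf '%s\n' "$1" | openssl x509 -noout "-$2" 2>/dev/null | sed 's/^[a-z]*=//'; }
# 0 if bundle $1 is ordered leaf -> intermediates -> root: each certificate's issuer
# is the subject of the next one, and the final certificate is self-signed.
chain_order_ok() {
  n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1"); [ "$n" -ge 1 ] || return 1
  i=1
  while [ "$i" -lt "$n" ]; do
    [ "$(dn "$(pem_block "$1" "$i")" issuer)" = "$(dn "$(pem_block "$1" $((i + 1)))" subject)" ] || return 1
    i=$((i + 1))
  done
  last=$(pem_block "$1" "$n")
  [ "$(dn "$last" issuer)" = "$(dn "$last" subject)" ]
}
# preflight KEY CHAIN SAN...: run every check and name the first one that fails.
preflight() {
  key=$1; chain=$2; shift 2
  cert_matches_key "$key" "$chain" || { echo "private key does not match powervc.crt"; return 1; }
  cert_not_expired "$chain"        || { echo "leaf certificate has expired"; return 1; }
  chain_order_ok "$chain"          || { echo "chain is not ordered leaf, intermediate, root"; return 1; }
  san_contains_all "$chain" "$@"   || { echo "SAN is missing a required hostname or IP"; return 1; }
}
# Constructed test material only: throwaway self-signed certificate whose CN is a
# virtual IP and whose SAN holds the kinds of names the procedure calls for (RFC 5737 addresses).
make_demo_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=192.0.2.10" -keyout "$1/powervc.key" \
    -out "$1/powervc.crt" -addext "subjectAltName=DNS:pvc1,DNS:pvc1.example.com,IP:192.0.2.11,IP:192.0.2.10" >/dev/null 2>&1
}
```

Run preflight /etc/pki/tls/private/powervc.key /path/to/new-chain.crt followed by the SAN entries for the short and long hostnames of all three nodes, their IP addresses and the virtual IP; a non-zero exit names the first check that failed.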