Providing new certificates for messaging

Follow these steps to replace the certificates that are used to secure AMQP messaging. You should replace the certificates if you believe that a certificate was compromised or if you need to change a property, such as the expiration date.

Note: For details about the parameters to use when you generate these certificates, see /etc/pki/messages/ca/openssl.conf.

  1. If you are replacing any certificates on the management server, run powervc-services stop on the management server to stop all PowerVC services.
  2. Optionally replace the CA certificate:
    1. Optionally generate a new key file with this file name and location: /etc/pki/messages/ca/private/cakey.pem.
    2. Generate a new self-signed CA certificate for the service with this file name and location: /etc/pki/messages/ca/cacert.pem.
    3. If PowerVC is managing one or more NovaLink hosts, copy the new CA certificate onto each managed NovaLink host. Use this file location and name for the CA certificate: /etc/pki/messages/cacert.pem.
    4. Continue with all of the following steps. Because the CA certificate was replaced, all of the other certificates must be signed with the new CA certificate. Therefore, the remaining steps are mandatory.
  3. Optionally replace the server certificate for the PowerVC management server.
    1. Optionally generate a new private key with this location and name: /etc/pki/messages/server/private/key.pem.
    2. Generate a new server certificate and use the CA certificate to sign it. Use this file location and name for the server certificate: /etc/pki/messages/server/cert.pem.
  4. Optionally replace the client certificate for the PowerVC management server.
    1. Optionally generate a new private key with this location and name: /etc/pki/messages/pvcservices/private/key.pem.
    2. Generate a new client certificate and use the CA certificate to sign it. Use this file location and name for the client certificate: /etc/pki/messages/pvcservices/cert.pem.
  5. Optionally replace the client certificate for a NovaLink host.
    1. If you are replacing any certificates on the hosts, run powervc-services stop on the hosts to stop all PowerVC services.
    2. Optionally generate a new private key with this location and name: /etc/pki/messages/private/clientkey.pem.
    3. Generate a new client certificate and use the CA certificate to sign it. Use this file location and name for the client certificate: /etc/pki/messages/clientcert.pem.
    4. Run powervc-services start on the hosts to restart all PowerVC services.
  6. If you replaced any certificates on the management server, run powervc-services start on the management server to restart all PowerVC services.
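
Steps 2 and 3 rehearsed with the openssl command in a scratch directory, as an added example that is not part of the original procedure or of PowerVC itself. The function names are hypothetical, and the subject names, RSA 2048 keys, 365-day validity and minimal configuration file are assumptions. It shows why step 2.4 makes the remaining steps mandatory: a certificate signed by the old CA no longer verifies against the new CA certificate.

```shell
#!/bin/sh
# Added example: rehearses the rotation in a scratch directory, never under
# /etc/pki/messages. Subjects, RSA 2048, 365 days and this minimal config are
# assumptions; take the real values from /etc/pki/messages/ca/openssl.conf.

write_conf() {   # write_conf FILE: constructed config, for the rehearsal only
    cat > "$1" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
commonName = Common Name
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
}

make_ca() (      # make_ca CONF DIR: new CA key plus self-signed CA certificate
    umask 077; mkdir -p "$2/private"
    openssl req -x509 -config "$1" -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=rehearsal-messaging-ca" \
        -keyout "$2/private/cakey.pem" -out "$2/cacert.pem" 2>/dev/null
)

sign_leaf() (    # sign_leaf CONF CADIR LEAFDIR CN: new key, CSR, CA-signed cert
    umask 077; mkdir -p "$3/private"
    openssl req -new -config "$1" -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$4" -keyout "$3/private/key.pem" -out "$3/req.pem" 2>/dev/null &&
    openssl x509 -req -in "$3/req.pem" -sha256 -days 365 -CAcreateserial \
        -CA "$2/cacert.pem" -CAkey "$2/private/cakey.pem" \
        -out "$3/cert.pem" 2>/dev/null
)

chain_ok() {     # chain_ok CACERT CERT: true only if CERT chains to CACERT
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

rehearse() (     # steps 2 and 3 end to end; non-zero if any check surprises
    d=$(mktemp -d) || exit 1; trap 'rm -rf "$d"' EXIT; c=$d/openssl.conf
    write_conf "$c" && make_ca "$c" "$d/old" || exit 1
    sign_leaf "$c" "$d/old" "$d/server" rehearsal-server || exit 1
    make_ca "$c" "$d/ca" || exit 1                    # step 2: CA replaced
    chain_ok "$d/ca/cacert.pem" "$d/server/cert.pem" && exit 1  # old cert must fail
    sign_leaf "$c" "$d/ca" "$d/server" rehearsal-server || exit 1  # step 3
    chain_ok "$d/ca/cacert.pem" "$d/server/cert.pem"  # re-signed cert must pass
)

rehearse && echo "old chain rejected, re-signed chain accepted"
```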