Providing new certificates for PowerVC access
By default, PowerVC uses a self-signed X.509 certificate to secure its web interface and REST APIs. A self-signed certificate is not signed by an independent certificate authority (CA). Because anyone can create one, clients such as web browsers cannot trust it automatically: browsers warn the user, and API clients that verify the server certificate reject the connection unless the certificate has been explicitly trusted. For better security, an administrator should replace the default self-signed certificate with a CA-signed certificate that clients will trust automatically. Certificates might also need to be replaced if they are expiring or have been revoked, if their private key has been compromised, and so on.
- The list of Subject Alternative Names should include the IP address, the virtual IP address, the local host name, and the fully qualified domain name of the management server. A client that connects using a name that is not in the list gets a host-name mismatch error even when the certificate is otherwise trusted.
- When changing your certificate, you must replace certificate files and restart services on the management server and on all registered NovaLink hosts.
PowerVC reads its private key and certificate from these files:
/etc/pki/tls/private/powervc.key
/etc/pki/tls/certs/powervc.crt
To replace the certificates, follow these steps. Perform all steps on the PowerVC management server, unless otherwise stated:
1. Replace this file with a new private key file that has the same name: /etc/pki/tls/private/powervc.key
2. Replace this file with a new certificate file that has the same name: /etc/pki/tls/certs/powervc.crt
   This certificate must correspond to the private key file. If the new certificate is CA-signed, powervc.crt must contain the entire certificate chain, even if the root CA and intermediate certificates are already present in the system trust store. The leaf (server) certificate must be at the top, followed by any intermediate certificates, with the root certificate at the bottom.
3. Restart all PowerVC services by running powervc-services restart.
4. On each registered NovaLink host or network node, replace the certificate at /etc/pki/tls/certs/powervc.crt with the new certificate from step 2. Only the certificate is replaced there; this procedure does not copy the private key to those hosts.
5. If you have any NovaLink hosts or network nodes, also restart PowerVC services on all of them by running powervc-services remote restart --node all from the PowerVC management server.
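The steps above assume the new key and certificate are correct, but the three mistakes that most often leave PowerVC unreachable after a restart (a key that does not match the certificate, a Subject Alternative Name list that omits one of the names clients use, and a chain that is incomplete or in the wrong order) are all checkable with openssl before anything is replaced. The following script is an added example and is not part of PowerVC or of this page; it assumes a POSIX shell and OpenSSL 1.1.1 or later. The "check" mode runs those three checks against a candidate key/certificate pair. The "install" mode then performs steps 1 to 5 exactly as this page describes them; the NOVALINK_HOSTS variable and the use of scp to place the certificate on those hosts are assumptions, since the page does not say how the file is copied.

```shell
#!/bin/sh
# Example pre-flight checks and install wrapper for a replacement PowerVC
# certificate. Added example, not PowerVC code. Requires openssl (1.1.1+).
# Usage:  ./pvc-cert.sh check   new.key new.crt NAME [NAME...]
#         ./pvc-cert.sh install new.key new.crt NAME [NAME...]   (as root)
# NAME is each IP address / host name that should appear in the SAN list.

# Print the issuer or subject DN ($2 is -issuer or -subject) of the first
# certificate in $1, without the "issuer="/"subject=" prefix.
dn() { openssl x509 -in "$1" -noout "$2" -nameopt RFC2253 | sed 's/^[a-z]*=//'; }

# Write each PEM certificate in bundle $1 to $2/1.pem, $2/2.pem, ... in order.
split_chain() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/" n ".pem" }
        f { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }
    ' "$1"
}

# Check 1: the private key must match the public key of the leaf certificate
# (openssl x509 reads only the first certificate in the bundle, i.e. the leaf).
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ "$k" = "$c" ]
}

# Check 2: every name PowerVC is reached by must be in the leaf's SAN list.
# One SAN entry per line, matched exactly, so "pvc" does not match "pvc2".
sans_cover() {
    crt=$1; shift
    san=$(openssl x509 -in "$crt" -noout -ext subjectAltName 2>/dev/null \
          | tail -n +2 | tr ',' '\n' | sed 's/^ *//')
    for name in "$@"; do
        printf '%s\n' "$san" | grep -Fqx -e "DNS:$name" -e "IP Address:$name" \
            || { echo "missing Subject Alternative Name: $name" >&2; return 1; }
    done
}

# Check 3: chain order as this page requires: leaf first, each certificate
# issued by the next one, and a self-signed root at the bottom.
chain_ordered() {
    n=$(grep -c 'BEGIN CERTIFICATE' "$1")
    [ "$n" -ge 1 ] || { echo "no certificate found in $1" >&2; return 1; }
    dir=$(mktemp -d) || return 1
    split_chain "$1" "$dir"
    rc=0; i=1
    while [ "$i" -lt "$n" ]; do
        if [ "$(dn "$dir/$i.pem" -issuer)" != "$(dn "$dir/$((i+1)).pem" -subject)" ]; then
            echo "certificate $i is not issued by certificate $((i+1)): chain out of order or incomplete" >&2
            rc=1; break
        fi
        i=$((i+1))
    done
    if [ "$rc" -eq 0 ] && [ "$(dn "$dir/$n.pem" -issuer)" != "$(dn "$dir/$n.pem" -subject)" ]; then
        echo "chain does not end with a self-signed root certificate" >&2
        rc=1
    fi
    rm -rf "$dir"
    return "$rc"
}

# Run all three checks; returns 0 only when the pair is safe to install.
check_powervc_cert() {
    key=$1; crt=$2; shift 2
    key_matches_cert "$key" "$crt" || { echo "private key does not match leaf certificate" >&2; return 1; }
    sans_cover "$crt" "$@" || return 1
    chain_ordered "$crt"
}

# Steps 1-5 from this page. Run as root on the management server. Copying onto
# the existing files keeps their current owner and mode. NOVALINK_HOSTS (space
# separated) and scp are assumptions; the page only says the file is replaced.
install_powervc_cert() {
    stamp=$(date +%Y%m%d%H%M%S)
    cp -p /etc/pki/tls/private/powervc.key "/etc/pki/tls/private/powervc.key.$stamp"
    cp -p /etc/pki/tls/certs/powervc.crt   "/etc/pki/tls/certs/powervc.crt.$stamp"
    cp "$1" /etc/pki/tls/private/powervc.key                  # step 1
    cp "$2" /etc/pki/tls/certs/powervc.crt                    # step 2
    powervc-services restart                                  # step 3
    for h in ${NOVALINK_HOSTS:-}; do                          # step 4
        scp "$2" "root@$h:/etc/pki/tls/certs/powervc.crt"
    done
    if [ -n "${NOVALINK_HOSTS:-}" ]; then                     # step 5
        powervc-services remote restart --node all
    fi
}

case "${1:-}" in
    check)   shift; check_powervc_cert "$@" ;;
    install) shift; check_powervc_cert "$@" && install_powervc_cert "$1" "$2" ;;
esac
```

The chain check deliberately compares issuer and subject names only; it tells you the file is assembled in the order this page requires, not that the signatures verify. Run "openssl verify -CAfile" against the same bundle if you also want the signatures checked before installing.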
For further details, see Securing PowerVC web interface with self-signed or CA signed certificates.