Create self-signed certificate

tcmgr cert create – create new self-signed S3 certificate

SYNOPSIS

tcmgr cert create --alg KEY-TYPE --pkeyopt KEY-OPTION --validity DAYS [--country COUNTRY] [--state STATE] [--locality LOCALITY] [--org ORGANIZATION] [--org-unit ORGANIZATION-UNIT] [--email EMAIL] [--common-name COMMON-NAME] [--san SUBJECT-ALTERNATIVE-NAME]

DESCRIPTION

Creates a new private key and self-signed certificate for the system. The certificate is the one the S3 interface presents to TLS clients, so it protects requests over the S3 interface.

The --alg, --pkeyopt, and --validity options, and either --san or --common-name, are mandatory; the remaining subject fields are optional, but supply correct values for every field the deployment needs. The --alg and --pkeyopt options take the same values as the -algorithm and -pkeyopt options of the openssl-genpkey command. Refer to the openssl-genpkey documentation to choose a suitable setting for the system.

After the self-signed certificate is created, it is written to the file /opt/ibm/tapecloud/certificates/tls.pem. Run the tcmgr cert install command afterward to activate the certificate for this system; creating it does not put it into use.

OPTIONS

--alg

The public key algorithm to use. Valid algorithm names for private key generation are RSA, RSA-PSS, EC, X25519, X448, ED25519 and ED448. This field is required. Note that X25519 and X448 keys can only perform key agreement, not signing, so they cannot sign a self-signed certificate; for a TLS server certificate choose RSA, RSA-PSS, EC, ED25519 or ED448.

--pkeyopt

Sets an algorithm-specific key generation option in the same option:value form as the openssl-genpkey -pkeyopt option. For example, if --alg is set to EC, this field can be set to ec_paramgen_curve:P-256 to select the NIST P-256 curve; if --alg is RSA, rsa_keygen_bits:3072 sets the modulus size. This field is required.

-v, --validity

Specifies the number of days (1-9000), counted from the time of creation, that the self-signed certificate is valid. This field is required. Clients that were configured to trust this certificate must be updated when it is replaced, so plan the renewal before the validity period ends.

--country

The two-letter ISO 3166-1 country code for the self-signed certificate (for example, US).

--state

The state information for the self-signed certificate. The value can be an ASCII string in the range 0 – 128 characters.

--locality

The locality information for the self-signed certificate. The value can be an ASCII string in the range 0 – 128 characters.

--org

The organization information for the self-signed certificate. The value can be an ASCII string in the range 0 – 64 characters.

--org-unit

The organization unit information for the self-signed certificate. The value can be an ASCII string in the range 0 – 64 characters.

--email

The email address that is used in the self-signed certificate. The value can be an ASCII string in the range 0 – 64 characters.

--common-name

The common name (CN) for the self-signed certificate. The value can be an ASCII string of 0 – 64 characters. Either --common-name or --san is required. Current browsers and most TLS clients ignore the CN when matching the host name and require a Subject Alternative Name entry, so use --common-name alone only for clients known to accept it.

--san

The Subject Alternative Name (SAN) entries that list all of the domain names and IP addresses that are secured by the certificate.

The Chrome browser, and other current browsers, require a Subject Alternative Name, an extension defined by the X.509 public key certificate standard (RFC 5280). Clients match the Subject Alternative Name extension against the host name they connected to; an entry can be an email address, an IP address, a URI, or a DNS name.

A certificate can carry several entries so that it can be used for multiple sites. Each entry is written as TYPE:value, where TYPE is DNS, IP, URI, or email, and entries are separated by a comma (,) delimiter with no spaces. For example, to add a DNS name, a URI, and an email address to the Subject Alternative Name extension, include the following parameter: --san DNS:dns.mysystem.com,URI:http://www.myco.com,email:support@myco.com. Clients that connect by IP address need an IP entry, for example IP:192.0.2.10. Either --common-name or --san is required.
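The following is an added example, not part of the tcmgr tool or its documentation: a Python pre-flight check for the --san value, written against the TYPE:value syntax described above (the four types DNS, IP, URI and email, comma separated). It rejects the mistakes that most often produce a certificate clients then refuse, such as a missing TYPE: prefix, a name that is not a valid host name, a malformed IP literal, or two entries run together without a comma. The validation rules are this example's own approximation of what OpenSSL accepts, not the tool's.

```python
"""Pre-flight check for the --san value given to `tcmgr cert create`.

Added example, not part of the tcmgr tool: it validates the comma-separated
TYPE:value list the page describes (types DNS, IP, URI and email) so that a
malformed value is rejected before a certificate is generated with it.
"""
from __future__ import annotations

import ipaddress
import re
from urllib.parse import urlsplit

# RFC 1123 host label: letters, digits and hyphens, no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
# Deliberately loose mailbox check: one "@" followed by a dotted domain.
_EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def _valid_dns(name: str) -> bool:
    labels = name.split(".")
    if labels[0] == "*":          # allow a single leading wildcard label
        labels = labels[1:]
    return 0 < len(name) <= 253 and bool(labels) and all(_LABEL.match(lbl) for lbl in labels)


def _valid_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)  # accepts IPv4 and IPv6 literals
    except ValueError:
        return False
    return True


def _valid_uri(value: str) -> bool:
    parts = urlsplit(value)
    return bool(parts.scheme) and bool(parts.netloc or parts.path)


_CHECKS = {
    "DNS": _valid_dns,
    "IP": _valid_ip,
    "URI": _valid_uri,
    "email": lambda v: _EMAIL.match(v) is not None,
}


def parse_san(value: str) -> list[tuple[str, str]]:
    """Split a --san value into (type, value) pairs; raise ValueError on any bad entry."""
    entries: list[tuple[str, str]] = []
    for raw in value.split(","):
        entry = raw.strip()
        if not entry:
            raise ValueError("empty entry (stray comma) in --san value")
        kind, sep, val = entry.partition(":")
        if not sep or kind not in _CHECKS:
            raise ValueError(f"entry {entry!r} must start with one of DNS:, IP:, URI:, email:")
        if any(c.isspace() for c in val):
            # A space inside a value usually means two entries lost their comma.
            raise ValueError(f"whitespace inside {entry!r}; separate entries with a comma")
        if not _CHECKS[kind](val):
            raise ValueError(f"invalid {kind} value {val!r}")
        entries.append((kind, val))
    return entries


def san_problem(value: str) -> str | None:
    """Return a readable description of what is wrong with the value, or None if it is acceptable."""
    try:
        parse_san(value)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    for candidate in (
        "DNS:s3glacier.example.com",                                            # the page's example
        "DNS:dns.mysystem.com,URI:http://www.myco.com,email:support@myco.com",
        "DNS:dns.mysystem.com,URI:http://www.myco.com email:support@myco.com",  # missing comma
        "s3glacier.example.com",                                                # missing DNS: prefix
        "IP:192.0.2.10,IP:2001:db8::10",
    ):
        print(f"{candidate!r}: {san_problem(candidate) or 'ok'}")
```

Run it on the value you intend to pass, and only invoke tcmgr cert create when san_problem returns None; a wrong SAN is not reported by the tool, it only shows up later as a client-side certificate error.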

-h, --help

Display this help and exit.

PARAMETERS

-

EXAMPLES

This example shows the creation of a self-signed certificate with:
  • 256-bit elliptic curve key on the NIST P-256 curve, used for Elliptic Curve Digital Signature Algorithm (ECDSA) signatures
  • S3 end-point FQDN of s3glacier.example.com
  • validity of the certificate of 3650 days (ten years).
$ tcmgr cert create --san DNS:s3glacier.example.com --alg EC --pkeyopt ec_paramgen_curve:P-256 -v 3650
Date/Time: May 10, 2024, 04:10:52 PM +09:00; IBM TapeCloud Version: 1.0.0.0-00001
> System creating private key                                  [ OK ]
> System creating self-signed certificate                      [ OK ]
Self-signed certificate created at /opt/ibm/tapecloud/certificates/tls.pem
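Before running tcmgr cert install, it is worth confirming that the file just written carries the requested key type, Subject Alternative Name and validity window. The following Python script is an added example, not part of tcmgr: it parses the output of openssl x509 -noout -text (it assumes the openssl binary is on the PATH when run against the real file) and lists any mismatches. The embedded sample output is constructed to match the example above and is not actual tool output.

```python
"""Post-creation check of the tls.pem written by `tcmgr cert create`.

Added example, not part of tcmgr: it reads the certificate with
`openssl x509 -noout -text` and confirms the key type, validity window and
subjectAltName before `tcmgr cert install` activates it. Parsing is kept
separate from the openssl call so it can run on captured output.
"""
from __future__ import annotations

import subprocess
from dataclasses import dataclass, field
from datetime import datetime, timezone

TLS_PEM = "/opt/ibm/tapecloud/certificates/tls.pem"   # path named on this page

# Constructed `openssl x509 -noout -text` output matching the page's example
# (P-256 key, SAN DNS:s3glacier.example.com, 3650 days); not real tool output.
SAMPLE_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: CN = s3glacier.example.com
        Validity
            Not Before: May 10 07:10:52 2024 GMT
            Not After : May  8 07:10:52 2034 GMT
        Subject: CN = s3glacier.example.com
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:s3glacier.example.com
"""


@dataclass
class CertSummary:
    subject: str = ""
    issuer: str = ""
    not_before: datetime | None = None
    not_after: datetime | None = None
    key_algorithm: str = ""
    curve: str = ""
    san: list[str] = field(default_factory=list)

    @property
    def self_signed(self) -> bool:
        return bool(self.subject) and self.subject == self.issuer


def utc(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


def _parse_time(value: str) -> datetime:
    # openssl prints e.g. "May  8 07:10:52 2034 GMT"; collapse the padding spaces.
    cleaned = " ".join(value.replace("GMT", "").split())
    return datetime.strptime(cleaned, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)


def parse_x509_text(text: str) -> CertSummary:
    """Pull the fields worth checking out of `openssl x509 -noout -text` output."""
    s = CertSummary()
    lines = text.splitlines()
    for i, raw in enumerate(lines):
        line = raw.strip()
        if line.startswith("Subject:"):
            s.subject = line.split(":", 1)[1].strip()
        elif line.startswith("Issuer:"):
            s.issuer = line.split(":", 1)[1].strip()
        elif line.startswith("Not Before"):
            s.not_before = _parse_time(line.split(":", 1)[1])
        elif line.startswith("Not After"):
            s.not_after = _parse_time(line.split(":", 1)[1])
        elif line.startswith("Public Key Algorithm:"):
            s.key_algorithm = line.split(":", 1)[1].strip()
        elif line.startswith("NIST CURVE:"):
            s.curve = line.split(":", 1)[1].strip()
        elif line.startswith("X509v3 Subject Alternative Name"):
            s.san = [e.strip() for e in lines[i + 1].split(",") if e.strip()]  # entries are on the next line
    return s


def validity_days(s: CertSummary) -> int:
    return (s.not_after - s.not_before).days


def check(s: CertSummary, expected_san: list[str], now: datetime | None = None,
          expected_curve: str | None = None, min_days: int = 30) -> list[str]:
    """Return findings; an empty list means the certificate matches what was requested."""
    now = now or datetime.now(timezone.utc)
    findings: list[str] = []
    if not s.self_signed:
        findings.append("issuer differs from subject; not the self-signed certificate tcmgr creates")
    missing = sorted(set(expected_san) - set(s.san))
    if missing:
        findings.append(f"SAN is missing {', '.join(missing)}")
    if expected_curve and s.curve != expected_curve:
        findings.append(f"key curve is {s.curve or 'unknown'}, expected {expected_curve}")
    if s.not_before and s.not_before > now:
        findings.append("certificate is not yet valid (check the system clock)")
    if s.not_after is None:
        findings.append("could not read Not After")
    elif (s.not_after - now).days < min_days:
        findings.append(f"certificate expires in {(s.not_after - now).days} days")
    return findings


def inspect_pem(path: str = TLS_PEM) -> CertSummary:
    """Run openssl on the PEM file tcmgr wrote (requires the openssl binary on PATH)."""
    out = subprocess.run(["openssl", "x509", "-in", path, "-noout", "-text"],
                         capture_output=True, text=True, check=True).stdout
    return parse_x509_text(out)


if __name__ == "__main__":
    summary = parse_x509_text(SAMPLE_TEXT)   # use inspect_pem() on the real system
    print(check(summary, ["DNS:s3glacier.example.com"], expected_curve="P-256") or "certificate matches")
```

On the system itself replace the SAMPLE_TEXT call with inspect_pem(); pass the same SAN entries and curve that were given to tcmgr cert create, and proceed to tcmgr cert install only when check returns an empty list.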