IBM Support

HMC Certificate Signing in the New Carbon GUI

Troubleshooting


Problem

All remote browser access to the HMC must use Secure Sockets Layer (SSL) encryption. With SSL encryption that is required for all remote access to the HMC, a certificate is required to provide the keys for this encryption. The HMC provides a self-signed certificate that allows this encryption to occur. Additionally, it allows the creation of a certificate signing request (CSR) where the certificate is signed by a trusted Certificate Authority (CA). Once signed, that CA certificate can be imported and installed on the HMC.

Symptom

This document outlines the procedure for creating and importing a signed certificate in the HMC New Carbon GUI

Environment

 7063-CR1, 7063-CR2 or ppc641e vHMC on PowerVM
x86 vHMC

Resolving The Problem

 

Accessing the Certificate Creation Wizard

To open the certificate creation wizard, follow these steps:

From the main left-hand hamburger menu, navigate to:
HMC ManagementHMC CertificateActionsCreate

This will launch the certificate creation wizard.

Note: The HMC also supports the creation of self-signed certificates, where the certificate is signed by the HMC itself rather than by a trusted Certificate Authority (CA).

image-20251021140859-1

The self-signed certificate is selected by default, Select "Signed by CA"

image-20251021141529-4

Note: When the "Temporary Certificate" toggle is enabled and the "Create and restart" button is clicked, a Certificate Signing Request (CSR) is generated and downloaded to your browser's local HMC. A temporary self-signed certificate is also created, and the HMC will reboot for the new temporary self-signed certificate to take effect.

Importing a Signed Certificate

Use the "Import Certificate" task to import a signed certificate into the HMC. Once the certificate has been downloaded and signed by a Certificate Authority (CA), you can import it into the HMC using one of the following methods:

image-20251021141737-5

  • Local filesystem: You must upload the HMC certificate file. Optionally, you can also upload the signing certificate files in the order of intermediate certificate first, followed by the root certificate.
  • HMC: You must specify the CA-signed certificate name. Optionally, you can also specify the signing certificate names in the order of intermediate certificate first, followed by the root certificate.
  • SFTP server: You must specify the CA-signed certificate name. Optionally, you can also specify the signing certificate names in the order of intermediate certificate first, followed by the root certificate.

Click Import to complete the operation.

Note: Beginning in V9 R1.930.0, the mkhmccert, chhmccert, and lshmccert commands were introduced to support HMC certificate management via the command line. In HMC V10 R3 M1062.0, the chhmccert command was enhanced by adding the ‑l disk option to import a CA signed certificate, certificate repository, certificate to be added as trusted, or certificate revocation list from the HMC hard disk. Prior to this change, the -l option had to be omitted to import from the HMC hard disk.

[{"Product":{"code":"SSB6AA","label":"Power System Hardware Management Console Physical Appliance"},"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Component":"HMC","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"Version Independent","Edition":"","Line of Business":{"code":"LOB08","label":"Cognitive Systems"}}]

Document Information

Modified date:
04 May 2026

UID

ibm17248598

Page Feedback