chsystemcert

Use the chsystemcert command to manage the Secure Sockets Layer (SSL) certificate that is installed on a clustered system (system).

Syntax

 chsystemcert    [  -mkselfsigned  ]   [  -country country ]   [  -state state ]   [  -locality locality ]   [  -org organization ]   [  -orgunit organizationunit ]   [  -email email ]   [  -commonname commonname ]   [  -keytype keytype ]   [  -validity days ]  
 chsystemcert    [  -mkrequest  ]    -country country    -state state    -locality locality    -org organization    -orgunit organizationunit    -email email    -commonname commonname   [  -keytype keytype ]   [  -force  ]  
 chsystemcert    [  -install  ]   [  -file input_file_pathname ]  
 chsystemcert    [  -export  ]  

Parameters

-mkselfsigned
(Optional) Generates a self-signed SSL certificate. (If you do not specify -mkselfsigned you must specify -mkrequest, -export, or -install.)
-mkrequest
(Optional) Generates a certificate request. (If you do not specify -mkrequest you must specify -mkselfsigned, -export, or -install.)
-countrycountry
(Optional for -mkselfsigned and required for -mkrequest) Specifies the 2-digit country code for the self-signed certificate or certificate request.
-statestate
(Optional for -mkselfsigned and required for -mkrequest) Specifies the state information for the self-signed certificate or certificate request. The value can be an ASCII string from 0 - 128 characters.
-localitylocality
(Optional for -mkselfsigned and required for -mkrequest) Specifies the locality information for the self-signed certificate or certificate request. The value can be an ASCII string from 0 - 128 characters.
-orgorganization
(Optional for -mkselfsigned and required for -mkrequest) Specifies the organization information for the SSL certificate. The value can be an ASCII string from 0 - 64 characters.
-orgunitorganizationunit
(Optional for -mkselfsigned and required for -mkrequest) Specifies the organization unit information for the SSL certificate. The value can be an ASCII string from 0 - 64 characters.
-emailemail
(Optional for -mkselfsigned and required for -mkrequest) Specifies the email address that is used in the SSL certificate. The value can be an ASCII string from 0 - 64 characters.
-commonnamecommonname
(Optional for -mkselfsigned and required for -mkrequest) Specifies the common name for the SSL certificate. The value can be an ASCII string of 0 - 64 characters.
-validitydays
(Optional) Specifies the number of days (1-9000) that the self-signed certificate is valid.
-keytypekeytpye
(Optional) Specifies the SSL certificate key type. The supported key types are:
  • rsa2048
  • ecdsa384
  • ecdsa521
-install
(Optional) Installs a certificate. (If you do not specify -install you must specify -mkselfsigned, -mkrequest, or -export.)
-file
(Optional) Specifies the absolute path name of the certificate to install.
-export
(Optional) Exports the current SSL certificate. The certificate is exported to the /dumps/certificate.pem directory on the configuration node. (If you do not specify -export you must specify -mkselfsigned, -mkrequest, or -install.)
-force
(Optional) Specifies that the certificate request can be deleted.

Description

Use this command to manage the SSL certificate that is installed on a system. You can also
  • Generate a new self-signed SSL certificate
  • Create a certificate request to be copied from the system and signed by a certificate authority (CA)
    Note: The signed certificate that is returned by the CA can be installed.
  • Export the current SSL certificate (for example to allow the certificate to be imported into a key server)
Important: You must specify one of the following parameters:
  • -mkselfsigned
  • -mkrequest
  • -install
  • -export

An invocation example to create a self-signed certificate

chsystemcert -mkselfsigned

The detailed resulting output:

No feedback

An invocation example to create a self-signed certificate with a common name

chsystemcert -mkselfsigned -commonname weiland.snpp.com

The detailed resulting output:

No feedback

An invocation example to create a self-signed certificate with a key type and a 1-year validity period

chsystemcert -mkselfsigned -keytype ecdsa521 -validity 365

The detailed resulting output:

No feedback
Parent topic: Clustered system commands
Related information
addiscsistorageport
cfgportip
chbanner
chcluster (Discontinued)
chiogrp
chnodecanister
chnodecanisterhw
chquorum
chsecurity
chsite
chsystem
chsystemip
chthrottle
cleardumps
cpdumps
detectiscsistorageportcandidate
help
lsclustercandidate (Discontinued)
lscluster (Discontinued)
lsclusterip (Discontinued)
lsclusterstats (Discontinued)
lsdiscoverystatus
lsfabric
lsfcportcandidate
lsiscsistorageport
lsiscsistorageportcandidate
lsiogrp
lshbaportcandidate (Deprecated)
lsiogrphost
lsiogrpcandidate
lsiostatsdumps (Deprecated)
lsiotracedumps (Deprecated)
lsnodecanister
lsnodecanisterhw
lsnodecanisterstats
lsnodedependentvdisks (Deprecated)
lsnodecanistervpd
lsportusb
lsportip
lsportfc
lsportsas
lsquorum
lsroute
lstimezones
lssasportcandidate
lssecurity
lssite
lsthrottle
lssystem
lssystemcert
lssystemip
lssystemstats
lstargetportfc
mkquorumapp
mkthrottle
ping
rmiscsistorageport
rmnodecanister
rmportip
rmthrottle
setclustertime (Discontinued)
setsystemtime
setpwdreset
settimezone
showtimezone
startstats
stopstats (Deprecated)
stopcluster (Discontinued)
stopsystem