chsystemcert

Use the chsystemcert command to manage the Secure Sockets Layer (SSL) certificate that is installed on a clustered system (system).

Syntax

chsystemcert [ -mkselfsigned ] [ -country country ] [ -state state ] [ -locality locality ] [ -org organization ] [ -orgunit organizationunit ] [ -email email ] [ -commonname commonname ] [ -keytype keytype ] [ -validity days ]
chsystemcert [ -mkrequest ] -country country -state state -locality locality -org organization -orgunit organizationunit -email email -commonname commonname [ -keytype keytype ] [ -force ]
chsystemcert [ -install ] [ -file input_file_pathname ]
chsystemcert [ -export ]

Parameters

-mkselfsigned
(Optional) Generates a self-signed SSL certificate. (If you do not specify -mkselfsigned you must specify -mkrequest, -export, or -install.)
-mkrequest
(Optional) Generates a certificate request. (If you do not specify -mkrequest you must specify -mkselfsigned, -export, or -install.)
-country country
(Optional for -mkselfsigned and required for -mkrequest) Specifies the 2-digit country code for the self-signed certificate or certificate request.
-state state
(Optional for -mkselfsigned and required for -mkrequest) Specifies the state information for the self-signed certificate or certificate request. The value can be an ASCII string from 0 - 128 characters.
-locality locality
(Optional for -mkselfsigned and required for -mkrequest) Specifies the locality information for the self-signed certificate or certificate request. The value can be an ASCII string from 0 - 128 characters.
-org organization
(Optional for -mkselfsigned and required for -mkrequest) Specifies the organization information for the SSL certificate. The value can be an ASCII string from 0 - 64 characters.
-orgunit organizationunit
(Optional for -mkselfsigned and required for -mkrequest) Specifies the organization unit information for the SSL certificate. The value can be an ASCII string from 0 - 64 characters.
-email email
(Optional for -mkselfsigned and required for -mkrequest) Specifies the email address that is used in the SSL certificate. The value can be an ASCII string from 0 - 64 characters.
-commonname commonname
(Optional for -mkselfsigned and required for -mkrequest) Specifies the common name for the SSL certificate. The value can be an ASCII string of 0 - 64 characters.
-validity days
(Optional) Specifies the number of days (1-9000) that the self-signed certificate is valid.
-keytype keytype
(Optional) Specifies the SSL certificate key type. The supported key types are:
  • rsa2048
  • ecdsa384
  • ecdsa521
-install
(Optional) Installs a certificate. (If you do not specify -install you must specify -mkselfsigned, -mkrequest, or -export.)
-file input_file_pathname
(Optional) Specifies the absolute path name of the certificate to install.
-export
(Optional) Exports the current SSL certificate. The certificate is exported to the /dumps/certificate.pem directory on the configuration node. (If you do not specify -export you must specify -mkselfsigned, -mkrequest, or -install.)
-force
(Optional) Specifies that the certificate request can be deleted.

Description

Use this command to manage the SSL certificate that is installed on a system. You can also:
  • Generate a new self-signed SSL certificate
  • Create a certificate request to be copied from the system and signed by a certificate authority (CA)
    Note: The signed certificate that is returned by the CA can be installed.
  • Export the current SSL certificate (for example to allow the certificate to be imported into a key server)
Important: You must specify one of the following parameters:
  • -mkselfsigned
  • -mkrequest
  • -install
  • -export

An invocation example to create a self-signed certificate

chsystemcert -mkselfsigned

The detailed resulting output:

No feedback

An invocation example to create a self-signed certificate with a common name

chsystemcert -mkselfsigned -commonname weiland.snpp.com

The detailed resulting output:

No feedback

An invocation example to create a self-signed certificate with a key type and a 1-year validity period

chsystemcert -mkselfsigned -keytype ecdsa521 -validity 365

The detailed resulting output:

No feedback
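
An added example, not part of the original reference and not IBM tooling: a Python pre-flight check that applies the parameter rules listed above (required fields for -mkrequest, length limits, supported key types, validity range) before a command line is sent to the system. The function name build_chsystemcert and the way it is called are assumptions made for illustration.

```python
import shlex

# Maximum lengths and key types transcribed from the Parameters list above.
SUBJECT_LIMITS = {"country": 2, "state": 128, "locality": 128, "org": 64,
                  "orgunit": 64, "email": 64, "commonname": 64}
KEY_TYPES = ("rsa2048", "ecdsa384", "ecdsa521")


def build_chsystemcert(mode, subject=None, keytype=None, validity=None, force=False):
    """Return the argv for -mkselfsigned or -mkrequest, or raise ValueError."""
    subject = dict(subject or {})
    if mode not in ("mkselfsigned", "mkrequest"):
        raise ValueError("mode must be mkselfsigned or mkrequest")
    unknown = set(subject) - set(SUBJECT_LIMITS)
    if unknown:
        raise ValueError(f"unknown subject fields: {sorted(unknown)}")
    if mode == "mkrequest":
        # Every subject field is required for a certificate request.
        missing = [f for f in SUBJECT_LIMITS if f not in subject]
        if missing:
            raise ValueError(f"-mkrequest requires: {missing}")
        if validity is not None:  # -validity appears only in the -mkselfsigned form
            raise ValueError("-validity applies to -mkselfsigned only")
    elif force:  # -force appears only in the -mkrequest form
        raise ValueError("-force applies to -mkrequest only")
    argv = ["chsystemcert", f"-{mode}"]
    for field, limit in SUBJECT_LIMITS.items():
        if field not in subject:
            continue
        value = subject[field]
        if not value.isascii() or len(value) > limit:
            raise ValueError(f"-{field}: ASCII, at most {limit} characters")
        if field == "country" and len(value) != 2:
            raise ValueError("-country: must be exactly 2 characters")
        argv += [f"-{field}", value]
    if keytype is not None:
        if keytype not in KEY_TYPES:
            raise ValueError(f"-keytype must be one of {KEY_TYPES}")
        argv += ["-keytype", keytype]
    if validity is not None:
        if not 1 <= validity <= 9000:
            raise ValueError("-validity must be 1-9000 days")
        argv += ["-validity", str(validity)]
    if force:
        argv.append("-force")
    return argv

if __name__ == "__main__":
    # Reproduces the last invocation example on this page.
    print(shlex.join(build_chsystemcert("mkselfsigned", keytype="ecdsa521", validity=365)))
```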