chsystemcert

Use the chsystemcert command to manage the Secure Sockets Layer (SSL) certificate that is installed on a system.

Syntax

Read syntax diagramSkip visual syntax diagram chsystemcert -mkselfsigned-countrycountry-statestate-localitylocality-orgorganization-orgunitorganizationunit-emailemail-commonnamecommonname-keytypekeytype-validitydays
Read syntax diagramSkip visual syntax diagram chsystemcert -mkrequest -country country -state state -locality locality -org organization -orgunit organizationunit -email email -commonname commonname -keytypekeytype-force
Read syntax diagramSkip visual syntax diagram chsystemcert -install-fileinput_file_pathname
Read syntax diagramSkip visual syntax diagram chsystemcert -export

Parameters

-mkselfsigned
Generates a self-signed SSL certificate. If you do not specify -mkselfsigned, you must specify -mkrequest, -export, or -install.
-mkrequest
Generates a certificate request. If you do not specify -mkrequest, you must specify -mkselfsigned, -export, or -install.
-country country
For -mkselfsigned, this parameter specifies the 2-digit country code for the self-signed certificate.
For -mkrequest, this parameter specifies the 2-digit country code for the certificate request.
-state state
For -mkselfsigned, this parameter specifies the state information for the self-signed certificate. The value can be an ASCII string from 0 - 128 characters.
For -mkrequest, this parameter specifies the state information for the certificate request. The value can be an ASCII string from 0 - 128 characters.
-locality locality
For -mkselfsigned, this parameter specifies the locality information for the self-signed certificate. The value can be an ASCII string in the range 0 - 128 characters.
For -mkrequest, this parameter specifies the locality information for the certificate request. The value can be an ASCII string in the range 0 - 128 characters.
-org organization
For -mkselfsigned, this parameter specifies the organization information for the SSL certificate. The value can be an ASCII string in the range 0 - 64 characters.
For -mkrequest, this parameter specifies the organization information for the SSL certificate. The value can be an ASCII string in the range 0 - 128 characters.
-orgunit organizationunit
For -mkselfsigned, this parameter specifies the organization unit information for the SSL certificate. The value can be an ASCII string in the range 0 - 64 characters.
For -mkrequest, this parameter specifies the organization unit information for the SSL certificate. The value can be an ASCII string in the range 0 - 64 characters.
-email email
For -mkselfsigned, this parameter specifies the email address that is used in the SSL certificate. The value can be an ASCII string in the range 0 - 64 characters.
For -mkrequest, this parameter specifies the email address that is used in the SSL certificate. The value can be an ASCII string in the range 0 - 64 characters.
-commonname commonname
For -mkselfsigned, this parameter specifies the common name for the SSL certificate. The value can be an ASCII string of 0 - 64 characters.
For -mkrequest, this parameter specifies the common name for the SSL certificate. The value can be an ASCII string of 0 - 64 characters.
-validity days
Specifies the number of days (1-9000) that the self-signed certificate is valid.
-keytype keytpye
Specifies the SSL certificate key type.
  • rsa2048
  • ecdsa384
  • ecdsa521
-install
Install a certificate. If you do not specify -install, you must specify -mkselfsigned, -mkrequest, or -export.
-file
Specifies the absolute path name of the certificate to install.
-export
Exports the current SSL certificate. The certificate is exported to the /dumps/certificate.pem directory on the configuration node. If you do not specify -export, you must specify -mkselfsigned, -mkrequest, or -install.
-force
Specifies that the certificate request can be deleted.

Description

Use this command to manage the SSL certificate that is installed on a system. You can also do the following items.
  • Generate a new self-signed SSL certificate.
  • Create a certificate request to be copied from the system and signed by a certificate authority (CA).
    Note: The signed certificate that is returned by the CA can be installed.
  • Export the current SSL certificate (for example to allow the certificate to be imported into a key server).
Important: You must specify one of the following parameters:
  • -mkselfsigned
  • -mkrequest
  • -install
  • -export

An invocation example to create a self-signed certificate

chsystemcert -mkselfsigned

The detailed resulting output

No feedback

An invocation example to create a self-signed certificate with a common name

chsystemcert -mkselfsigned -commonname weiland.snpp.com

The detailed resulting output

No feedback

An invocation example to create a self-signed certificate with a key type and a 1-year validity period

chsystemcert -mkselfsigned -keytype ecdsa521 -validity 365

The detailed resulting output

No feedback