If your current signed certificate expires or is about to expire, you can request a new
signed certificate from a certificate authority.
About this task
Note: Changing the system certificate changes the trust that any configured key servers have in the
cluster. Reestablish key server trust in the cluster by exporting the cluster certificate to the key
servers.
In the management GUI, select and select signed certificate and complete the form to create a request for a signed
certificate for your system. After you receive the certificate from the certificate authority, use
this panel to install the certificate on the system.
Procedure
- In the command-line interface, enter the following command to create a new certificate request:
  chsystemcert -mkrequest -keytype ecdsa521 -country GB -state Hampshire -locality Hursley -org MYCO -orgunit Storage -commonname svcsystem1.myco.com -email admin@myco.com
  The certificate request is automatically written to /dumps/certificate.csr.
The Chrome browser, and other browsers, require a
Subject Alternative Name, which is an extension to the Internet standard for public key
certificates. The Subject Alternative Name extension is used to match the domain name and site
certificate and can be an email address, an IP address, a URI, or a DNS name. A certificate can
contain a collection of these values so that the certificate can be used on multiple sites.
For example, to add a DNS name to the Subject Alternative Name extension, include
the following parameter in the chsystemcert CLI command:
-subjectalternativename "DNS:dns.mysystem.com"
For multiple values, use a recommended delimiter to separate each entry for the
-subjectalternativename parameter. Delimiters can be mixed:
Table 1. Recommended delimiters
| Delimiter Name | Symbol | Example |
|---|---|---|
| Space | (space) | -subjectalternativename "DNS:dns.myco.com IP:1.2.3.20 URI:http:\\www.myco.com email:support@myco.com" |
| Comma | (,) | -subjectalternativename "DNS:dns.myco.com,IP:1.2.3.20,URI:http:\\www.myco.com,email:support@myco.com" |
| Semi-colon | (;) | -subjectalternativename "DNS:dns.myco.com;IP:1.2.3.20;URI:http:\\www.myco.com;email:support@myco.com" |
| Newline (for Linux® or UNIX operating systems) | (\n) | -subjectalternativename "DNS:dns.myco.com\nIP:1.2.3.20\nURI:http:\\www.myco.com\nemail:support@myco.com" |
| Tab (for Linux or UNIX operating systems) | (\t) | -subjectalternativename "DNS:dns.myco.com\tIP:1.2.3.20\tURI:http:\\www.myco.com\temail:support@myco.com" |
| Carriage return (for Windows operating systems) | (\r) | -subjectalternativename "DNS:dns.myco.com\rIP:1.2.3.20\rURI:http:\\www.myco.com\remail:support@myco.com" |
| Carriage return with newline (for Windows operating systems) | (\r\n) | -subjectalternativename "DNS:dns.myco.com\r\nIP:1.2.3.20\r\nURI:http:\\www.myco.com\r\nemail:support@myco.com" |
For more information about supported delimiters, see the chsystemcert CLI command.
- Use secure copy (scp) to copy the file /dumps/certificate.csr from the
  system and send this file to a certificate authority (CA) to sign. The certificate authority returns
  a signed certificate. After you receive the certificate, use scp to copy the certificate back onto
  the system in the file /dumps/certificate.cer, where
  certificate.cer is the name of the certificate.
- After you copy the certificate to the system, enter the following command to install the
  certificate on the system:
  chsystemcert -install -file /dumps/certificate.cer
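
As an added example (not part of the original documentation), the following Python code checks a -subjectalternativename value before it is passed to chsystemcert -mkrequest: it splits on the Table 1 delimiters, validates each entry, and reports when the -commonname has no matching entry. The function names are hypothetical, the delimiters are assumed to arrive as real characters rather than literal backslash sequences, and the type prefixes are matched exactly as spelled in the examples above.

```python
import ipaddress
import re

# Delimiters from Table 1, as real characters (assumption: sequences such as
# \n have already been turned into control characters before this runs).
DELIMS = re.compile(r"[ ,;\n\t\r]+")
# Plain hostname syntax (assumption: no wildcard names).
HOST = re.compile(r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
                  r"(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")
SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*:.")


def _is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


# Prefix spellings are the ones used in the page's examples.
CHECKS = {
    "DNS": lambda v: bool(HOST.match(v)),
    "IP": _is_ip,
    "URI": lambda v: bool(SCHEME.match(v)),
    "email": lambda v: (v.count("@") == 1 and not v.startswith("@")
                        and bool(HOST.match(v.split("@")[1]))),
}


def parse_san(value):
    """Return (entries, errors) for a -subjectalternativename value."""
    entries, errors = [], []
    for token in filter(None, DELIMS.split(value)):
        kind, sep, data = token.partition(":")
        if not sep or kind not in CHECKS:
            errors.append(f"unknown or missing type prefix: {token!r}")
        elif not CHECKS[kind](data):
            errors.append(f"invalid {kind} value: {data!r}")
        else:
            entries.append((kind, data))
    return entries, errors


def check_request(commonname, san_value):
    """List problems to fix before running chsystemcert -mkrequest."""
    entries, problems = parse_san(san_value)
    kind = "IP" if _is_ip(commonname) else "DNS"
    covered = {data.lower() for k, data in entries if k == kind}
    if commonname.lower() not in covered:
        problems.append(f"commonname {commonname} has no matching {kind} entry")
    return problems
```

An empty list from check_request means every entry parsed cleanly and the common name is also present in the Subject Alternative Name list that browsers match against.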