Generating a new self-signed certificate

If your current self-signed certificate expires or is about to expire, you can generate a new self-signed certificate for the system by using the management GUI or command-line interface (CLI).

About this task

Note: Changing the system certificate changes the trust that any configured key servers have in the cluster. Reestablish key server trust in the cluster by exporting the cluster certificate to the key servers.

In the management GUI, select Settings > Security > Secure communications, choose the self-signed certificate option, and complete the form.

Use the following steps to generate a self-signed certificate in the command-line interface:

Procedure

To create a self-signed certificate that uses the RSA 2048 key type and expires in one year, enter the following command:
chsystemcert -mkselfsigned -keytype rsa2048 -validity 365
After the self-signed certificate is created, it is automatically installed on the system.

Other values, such as country, organization, common name, or Subject Alternative Name, can also be specified.

The Chrome browser, and other browsers, require a Subject Alternative Name, which is an extension to the Internet standard for public key certificates. The Subject Alternative Name extension is used to match the domain name against the site certificate; each entry can be an email address, an IP address, a URI, or a DNS name. A certificate can contain a collection of these values so that the certificate can be used on multiple sites.

For example, to add a DNS name to the Subject Alternative Name extension, include the following parameter in the chsystemcert CLI command:
-subjectalternativename "DNS:dns.mysystem.com"

For multiple values, use a recommended delimiter to separate each entry for the -subjectalternativename parameter. Delimiters can be mixed:

Table 1. Recommended delimiters (delimiter name, symbol, example)

Space ( ):
    -subjectalternativename "DNS:dns.myco.com IP:1.2.3.20 URI:http:\\www.myco.com email:support@myco.com"
Comma (,):
    -subjectalternativename "DNS:dns.myco.com,IP:1.2.3.20,URI:http:\\www.myco.com,email:support@myco.com"
Semicolon (;):
    -subjectalternativename "DNS:dns.myco.com;IP:1.2.3.20;URI:http:\\www.myco.com;email:support@myco.com"
Newline, for Linux® or UNIX operating systems (\n):
    -subjectalternativename "DNS:dns.myco.com\nIP:1.2.3.20\nURI:http:\\www.myco.com\nemail:support@myco.com"
Tab, for Linux or UNIX operating systems (\t):
    -subjectalternativename "DNS:dns.myco.com\tIP:1.2.3.20\tURI:http:\\www.myco.com\temail:support@myco.com"
Carriage return, for Windows operating systems (\r):
    -subjectalternativename "DNS:dns.myco.com\rIP:1.2.3.20\rURI:http:\\www.myco.com\remail:support@myco.com"
Carriage return with newline, for Windows operating systems (\r\n):
    -subjectalternativename "DNS:dns.myco.com\r\nIP:1.2.3.20\r\nURI:http:\\www.myco.com\r\nemail:support@myco.com"
For more information about supported delimiters, see the chsystemcert CLI command.
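As an added example that is not part of this documentation or of the chsystemcert command itself: a small Python checker that splits a -subjectalternativename value on the delimiters listed in the table above, validates each entry type (DNS, IP, URI, email), and confirms that the host name or IP address a browser will connect to is actually covered by a DNS or IP entry before the certificate is generated. The function names parse_san, san_is_valid and covers_host are this example's own.

```python
import ipaddress
import re

# Delimiters from the table above (space, comma, semicolon, newline, tab, CR, CRLF).
_DELIMS = re.compile(r"[ ,;\n\t\r]+")
_TYPES = {"DNS", "IP", "URI", "email"}
# One DNS label, or a bare "*" (accepted below only as the leftmost wildcard label).
_LABEL = re.compile(r"^(\*|[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)$")

def parse_san(value):
    """Split a -subjectalternativename value into (type, data) pairs or raise ValueError."""
    entries = []
    for token in filter(None, _DELIMS.split(value.strip())):
        kind, sep, data = token.partition(":")
        if not sep or kind not in _TYPES or not data:
            raise ValueError(f"malformed SAN entry: {token!r}")
        if kind == "IP":
            ipaddress.ip_address(data)  # raises ValueError if not an IPv4/IPv6 address
        elif kind == "DNS" and ("*" in data[1:] or
                                not all(_LABEL.match(l) for l in data.split("."))):
            raise ValueError(f"bad DNS name: {data!r}")
        elif kind == "email" and "@" not in data:
            raise ValueError(f"bad email address: {data!r}")
        entries.append((kind, data))
    if not entries:
        raise ValueError("no SAN entries given")
    return entries

def san_is_valid(value):
    try:
        parse_san(value)
        return True
    except ValueError:
        return False

def covers_host(value, host):
    """True if host (DNS name or IP literal) matches a DNS or IP entry, as a browser checks it."""
    for kind, data in parse_san(value):
        if kind == "IP":
            try:
                if ipaddress.ip_address(host) == ipaddress.ip_address(data):
                    return True
            except ValueError:
                pass  # host is not an IP literal; keep looking
        elif kind == "DNS":
            h, d = host.lower(), data.lower()
            # Exact match, or a leftmost "*." wildcard covering exactly one label.
            if h == d or (d.startswith("*.") and "." in h and h.split(".", 1)[1] == d[2:]):
                return True
    return False
```

Run covers_host against every name and address that administrators use to reach the GUI; a name that returns False is one the browser will reject even though the certificate itself is valid.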