If your current signed certificate expires or is about to expire, you can request a new
signed certificate from a certificate authority.
About this task
Note: Changing the system certificate changes the trust that any configured key servers have in the
system. Reestablish key server trust in the system by exporting the system certificate to the key
servers.
In the management GUI, select and select signed certificate and complete the form to create a request for a signed
certificate for your system. After you receive the certificate from the certificate authority, use
this panel to install the certificate on the system.
Procedure
-
In the command-line interface, enter the following command to create a new certificate request:
chsystemcert -mkrequest -keytype ecdsa521 -country GB -state Hampshire -locality Hursley -org MYCO -orgunit Storage -commonname svcsystem1.myco.com -email admin@myco.com
The
certificate request is automatically written to
/dumps/certificate.csr.
The Chrome browser, and other browsers, require a Subject Alternative
Name, which is an extension to the Internet standard for public key certificates. The Subject
Alternative Name extension is used to match the domain name and site certificate and can be an email
address, an IP address, a URI, or a DNS name. A certificate can contain a collection of these values
so that the certificate can be used on multiple sites.
For example, to add a DNS name to the
Subject Alternative Name extension, include the following parameter in the
chsystemcert CLI command: -
subjectalternativename
"DNS:dns.mysystem.com" For multiple values, use a recommended delimiter to separate each
entry for the
-subjectalternativename parameter. Delimiters can be mixed:
Table 1. Recommended
delimiters
| Delimiter Name |
Symbol |
Example |
| Space |
( space) |
-subjectalternativename "DNS:dns.myco.com IP:1.2.3.20 URI:http:\\www.myco.com
email:support@myco.com" |
| Comma |
(,) |
-subjectalternativename
"DNS:dns.myco.com,IP:1.2.3.20,URI:http:\\www.myco.com,email:support@myco.com" |
| Semi-colon |
(;) |
-subjectalternativename
"DNS:dns.myco.com;IP:1.2.3.20;URI:http:\\www.myco.com;email:support@myco.com" |
| Newline (for Linux® or UNIX operating systems) |
(\n) |
-subjectalternativename
"DNS:dns.myco.com\nIP:1.2.3.20\nURI:http:\\www.myco.com\nemail:support@myco.com" |
| Tab (for Linux or UNIX operating systems) |
(\t) |
-subjectalternativename
"DNS:dns.myco.com\tIP:1.2.3.20\tURI:http:\\www.myco.com\temail:support@myco.com" |
| Carriage return (for Windows operating
systems) |
(\r) |
-subjectalternativename
"DNS:dns.myco.com\rIP:1.2.3.20\rURI:http:\\www.myco.com\remail:support@myco.com" |
| Carriage return with newline (for Windows operating
systems) |
(\r\n) |
-subjectalternativename
"DNS:dns.myco.com\r\nIP:1.2.3.20\r\nURI:http:\\www.myco.com\r\nemail:support@myco.com" |
For more information about supported delimiters, see the
chsystemcert CLI command.
-
Use secure copy (scp) to copy the file /dumps/certificate.csr from the
system and send this file to a certificate authority (CA) to sign. The certificate authority returns
a signed certificate. After you receive the certificate, use scp to copy the certificate back onto
the system in the file /dumps/certificate.cer, where
certificate.cer is the name of the certificate.
-
After you copy the certificate to the system, enter the following command to install the
certificate on the system.
chsystemcert -install -file /dumps/certificate.cer