Updating an internally signed certificate

You can create an internally signed certificate for the system by using the management GUI or command-line interface (CLI).

Note: Before updating the certificates, take the following factors into consideration:
  • Updating the certificate logs you out of the current management GUI session, requiring a fresh login. For features that support chain of trust checking, the secure connection is not interrupted when updating the internally signed certificate.
  • IBM® Security Guardium® Key Lifecycle Manager key servers do not currently support chain of trust checking with IBM Storage Virtualize. The new internally signed certificate must be exported to the key servers to re-establish a secure connection.
  • If you are using IBM Security Verify multifactor authentication, users who are required to use multifactor authentication cannot log in to the management GUI after the certificate is renewed. The new internally signed certificate must be exported using the CLI and added as a new signer certificate to IBM Security Verify for successful authentication.

Using the management GUI

To configure an internally signed certificate, complete these steps:
  1. If the root certificate has not already been exported, export the root certificate to other systems, web browsers, and devices that require secure communications with the system. For more information, see Export certificates.
  2. In the management GUI, select Settings > Security > System Certificates.
  3. On the System Certificate page, the current certificate details are displayed.
    Note: The system does not support the creation of new self-signed certificates. If you currently use a self-signed certificate you can continue to use it until it expires, or generate an internally signed certificate or an externally signed certificate.
    Automatic renewal of the system certificate

    The system certificate can be renewed automatically if it is signed by the system root CA. Turn automatic renewal on by going to Settings > Security > System Certificates and setting automatic renewal to On. The default validity period of the system certificate is one year. If automatic renewal is On, the system certificate is renewed thirty days before the expiry date. If the validity period of the system certificate is fewer than thirty days, then the certificate will be renewed every eight hours.

    The renewed certificate contains all of the same field values, key type and validity period details as the previous certificate.

  4. From the icon menu, select Update Certificate.
  5. Select Internally Signed Certificate for the certificate type.
  6. If you are already using certificates, the Certificate Details are automatically populated. You can update any of the following details:
    Key type
    Select the cryptographic key type that is used to generate the certificate.
    Validity days
    Enter the number of days the certificate is valid for. The maximum number of days that are allowed is 9000.
    Country
    Enter the two-letter country code or location, for example, 01 for US.
    State
    Enter the name of the state where the system requesting the certificate is located.
    City
    Enter the name of the city where the system is located.
    Organization name
    Enter the name of the organization.
    Organizational unit
    Enter the name of the organizational unit.
    Common name
    Enter the common name for the certificate.
    Subject alternative name
    Subject alternative name is the hostname of the system.

    Web browsers and other features that use certificate authentication require a Subject Alternative Name, which is an extension to the Internet standard for public key certificates. The Subject Alternative Name extension is used to match the domain name to the site certificate and can be an email address, an IP address, a URI, or a DNS name. A certificate can contain a collection of these values so that the certificate can be used on multiple sites.

    The Subject Alternative Name field can include the management IP addresses for the cluster or DNS names, the service IP addresses for each node in the cluster or DNS names, and any IP addresses configured for IP replication.

    For example, if the system has a management DNS name of cluster.company.com, and service DNS names of node1.company.com and node2.company.com, enter these values in the Subject Alternative Name field. For multiple values, list each value on a separate line within the box of the Subject Alternative Name field:
    DNS:cluster.company.com
    DNS:node1.company.com
    DNS:node2.company.com
    IP:196.192.0.20
    Email Address
    Enter the email address.
  7. Click Update. The certificate is updated in the main panel.
  8. If you are using IBM Security Guardium Key Lifecycle Manager, which does not currently support chain of trust checking, export the new system certificate and install it on the key servers.

    If you are using multifactor authentication with IBM Security Verify, which uses the system certificate as a signer certificate, export the new system certificate and install it as a signer certificate in IBM Security Verify. The management GUI is unavailable until the new certificate is added, so the CLI must be used to export the new certificate.

Using the command-line interface (CLI)

Use the following steps to generate an internally signed certificate in the command-line interface.

To generate an internally signed certificate that uses RSA 2048 key type and expires in one year, enter the following command:
chsystemcert -mksystemsigned -commonname virtualize -country GB -locality Manchester -org IBM -orgunit Systems -email certificates@support.ibm.com -keytype rsa2048 -validity 365 -subjectalternativename "DNS:test.ibm.com"
After the internally signed certificate is created, it is automatically installed on the system.
Note: You must use the -subjectalternativename parameter to include the management hostname or IP address.
For example, to add a DNS name to the Subject Alternative Name extension, include the following parameter in the chsystemcert CLI command:
-subjectalternativename "DNS:dns.mysystem.com"
For multiple values, use one of the recommended delimiters to separate the entries in the -subjectalternativename parameter. Delimiters can be mixed:
Table 1. Recommended delimiters
  Space (space)
    -subjectalternativename "DNS:dns.myco.com IP:1.2.3.20 URI:http:\\www.myco.com email:support@myco.com"
  Comma (,)
    -subjectalternativename "DNS:dns.myco.com,IP:1.2.3.20,URI:http:\\www.myco.com,email:support@myco.com"
  Semi-colon (;)
    -subjectalternativename "DNS:dns.myco.com;IP:1.2.3.20;URI:http:\\www.myco.com;email:support@myco.com"
  Newline, for Linux® or UNIX operating systems (\n)
    -subjectalternativename "DNS:dns.myco.com\nIP:1.2.3.20\nURI:http:\\www.myco.com\nemail:support@myco.com"
  Tab, for Linux or UNIX operating systems (\t)
    -subjectalternativename "DNS:dns.myco.com\tIP:1.2.3.20\tURI:http:\\www.myco.com\temail:support@myco.com"
  Carriage return, for Windows operating systems (\r)
    -subjectalternativename "DNS:dns.myco.com\rIP:1.2.3.20\rURI:http:\\www.myco.com\remail:support@myco.com"
  Carriage return with newline, for Windows operating systems (\r\n)
    -subjectalternativename "DNS:dns.myco.com\r\nIP:1.2.3.20\r\nURI:http:\\www.myco.com\r\nemail:support@myco.com"
For more information about supported delimiters, see the chsystemcert CLI command.
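A missing management or service name in the Subject Alternative Name is the usual reason a renewed certificate is rejected by browsers, key servers or IBM Security Verify, so it is worth checking the value before running chsystemcert or pasting it into the GUI box in step 6. The following Python helper is an added example, not part of the IBM documentation or product: it splits a -subjectalternativename value on the delimiters in Table 1 (mixed, either as real characters or as the literal \n, \t, \r escapes typed inside shell quotes), validates the TYPE:value form and any IP entries, and reports which required names are absent.

```python
import ipaddress
import re

# Delimiters from Table 1, which may be mixed: space, comma, semicolon,
# tab, CR, LF as real characters, or the two-character escapes \n \t \r
# exactly as they appear inside shell double quotes.
_DELIMITERS = re.compile(r"(?:[ ,;\t\r\n]|\\[rnt])+")

# Entry types the page uses in its examples (matched case-insensitively).
_ALLOWED_TYPES = {"DNS", "IP", "URI", "EMAIL"}


def parse_san(san_arg):
    """Split a -subjectalternativename value into (TYPE, value) pairs.

    Raises ValueError for an entry without a recognised TYPE: prefix,
    an empty value, or an IP entry that is not a valid IPv4/IPv6 address.
    """
    entries = []
    for token in _DELIMITERS.split(san_arg.strip()):
        if not token:
            continue
        kind, sep, value = token.partition(":")  # URI values keep their own ':'
        kind = kind.upper()
        if not sep or kind not in _ALLOWED_TYPES or not value:
            raise ValueError(f"malformed SAN entry: {token!r}")
        if kind == "IP":
            ipaddress.ip_address(value)  # ValueError if not an address
        entries.append((kind, value))
    return entries


def is_valid_san(san_arg):
    """True when every entry parses; False otherwise (for use in scripts)."""
    try:
        return bool(parse_san(san_arg))
    except ValueError:
        return False


def missing_names(san_arg, required):
    """Return the entries of `required` (strings such as 'DNS:node1.company.com')
    that are not present in the SAN value, as sorted (TYPE, value) pairs."""
    present = set(parse_san(san_arg))
    wanted = {(k.upper(), v) for k, v in (r.split(":", 1) for r in required)}
    return sorted(wanted - present)


if __name__ == "__main__":
    # Constructed sample: the names from the GUI example, one node left out.
    san = "DNS:cluster.company.com\nDNS:node1.company.com\nIP:196.192.0.20"
    need = ["DNS:cluster.company.com", "DNS:node1.company.com",
            "DNS:node2.company.com", "IP:196.192.0.20"]
    print("missing:", missing_names(san, need))
```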