Certificate CLI Commands

Use the certificate commands to create a certificate signing request (CSR), and to install server certificates, CA (certificate authority) certificates, or trusted path certificates on the Guardium® system.

Note: Guardium does not provide certificate authority (CA) services and does not deliver systems with different certificates than the one installed by default. If you want your site to have its own certificate, you must contact a third-party CA (such as VeriSign or Entrust).

Certification Expiration

Expired certificates result in a loss of function. Run the show certificate warn_expire command periodically to check for expired certificates. The command displays certificates that expire within six months and already-expired certificates. The user interface also informs you of certificates that are due to expire. To see a summary of all certificates, run the command show certificate summary.

New Certificates

To obtain a new certificate, generate a certificate signed request (CSR) and contact a third-party certificate authority (CA) such as VeriSign or Entrust. Guardium does not provide CA services and does not ship systems with different certificates than the ones that are installed by default. The certificate format must be in PEM and include BEGIN and END delimiters. You can either paste the certificate from the console or import it through one of the standard import protocols.

Note: Do not create the CSR until after the system network configuration parameters are set.

create csr

Creates a certificate signing request (CSR) for the Guardium system. Do not create the CSR until after the system network configuration parameters are set. Within the generated CSR, the common name (CN) is created automatically from the host and domain names assigned.

Note: Where indicated, specify the rfc7468 parameter to generate a CSR that conforms to RFC 7468 formatting. Some CAs, such as the Amazon Web Services (AWS) CA, require RFC 7468 format. Check with your CA to determine whether RFC7468 formatting is accepted or required.
Note: The following CLI commands support the subject alternative name (SAN): create csr alias, create csr external_stap, create csr gim, and create csr gui. There are 100 SAN slots for each CSR generation command. 99 of the SANs are optional and can be added in FQDN (Fully Qualified Domain Name) format. The first SAN slot is reserved for the common name.

Parameters

create csr alias [rfc7468]

Creates a certificate signing request CSR for a supplied alias.

create csr external_stap [rfc7468]

Creates a CSR for a Guardium External S-TAP® Docker container. After a certificate is signed and stored, you can deploy the External S-TAP to monitor traffic from databases in the cloud or in other situations in which you cannot use a local agent.

Note: As of Guardium V11.0, the create csr gim client and create csr gim server CLI commands replace create csr gim.

create csr gim client [rfc7468]

Creates a CSR with the alias gim in the GIM client keystore. Used for centralized GIM certificate distribution. See Manage GIM certificate distribution.

create csr gim server [rfc7468]

Creates a CSR with alias gim for the GIM server certificate. Used for centralized GIM certificate distribution. See Manage GIM certificate distribution.

create csr gui

Creates a CSR for the GUI.

create csr gui [custom-dn | rfc7468]

Where:
  • custom-dn - Creates a CSR for the GUI with a custom distinguished name (DN). The DN is a name that uniquely identifies an entry and includes a slash-separated (/) string of identifiers. For example:
    /C=US/OU=Guardium Appliances/OU=Example/CN=mycompany.com

    The DN must be ASCII-encoded and end with a CN (common name) entry.

  • rfc7468 - Creates a CSR for the GUI with RFC7468 formatting.

create csr insights

Creates a CSR for IBM® Guardium Insights.

create csr mysql

Creates a CSR for a MySQL certificate.

create csr saml

Creates a CSR for SAML certificates.

create csr sniffer

Creates a CSR for sniffer.

create csr sniffer custom-dn

Creates a CSR for sniffer with a custom distinguished name (DN). The DN is a name that uniquely identifies an entry and includes a slash-separated (/) string of identifiers. For example,
/C=US/OU=Guardium Appliances/OU=Example/CN=mycompany.com

The DN must be ASCII-encoded and end with a CN (common name) entry.

create csr wildcard [rfc7468]

Generates a wildcard CSR certificate. For example, if your site has machines that are named nyc.yourdomain.com, la.yourdomain.com, and tokyo.yourdomain.com, use a wildcard certificate to specify the hostname with an asterisk (*) wildcard. The wildcard creates a certificate that is valid for all three machines. For example, *.yourdomain.com.

To generate a CSR (Certificate Signing Request) wildcard certificate:
  1. On the central manager (in a managed environment), run the create csr wildcard command.
  2. Copy the CSR into a file and get it signed by a CA.
  3. Store the signed certificate by using the store certificate gui CLI command. The certificate must be in PEM format in order to import it into the Guardium appliance. Make sure that you have the root CA available.
  4. In a centrally managed environment, add the certificate to each managed unit,
    1. Store the root CA by running the store certificate keystore CLI command on the managed unit that uses the same root CA as you used for the central manager.
    2. Store both the certificate and the private key with the store certificate privatekey gui command with the same wildcard certificate that you used for the central manager.
      Note: Use the show csr wildcard CLI command to view the privatekey.
Note: The Common Name for wildcard certificates must always start with an asterisk.

Syntax

  • create csr alias [rfc7468]
  • create csr external_stap [rfc7468]
  • create csr gim [client | server] [rfc7468]
  • create csr gui [custom-dn | rfc7468]
  • create csr insights
  • create csr mysql
  • create csr saml
  • create csr sniffer [custom-dn]
  • create csr wildcard [rfc7468]

Show command

show csr wildcard key

create self-signed gui

Use this command to manually create a self-signed certificate that uses the fully qualified domain name (FQDN) of the Guardium system. Before you use this command, set the hostname and domain name.

Syntax

create self-signed gui <force>

The parameter force creates a new self-signed certificate even if a certificate exists on the Guardium system. Nondefault certificates are removed.

delete certificate

Use this command to remove SSL certificates that are expired or revoked.

Note: Use caution when you delete certificates. If a GUI certificate is deleted in error, you cannot connect to the GUI until the certificate is restored.

For more information about restoring certificates, see restore certificate keystore.

Parameters

Syntax

delete certificate <external_stap | external_stap_signing | keystore>
Where:
  • external_stap displays all of the available certificates for the External S-TAP.
  • external_stap_signing displays aliases of all available intermediate certificates for External S-TAP and prompts you to select the certificate to delete.
  • keystore displays all certificates in the certificate keystore.

When prompted, select the number of the certificate to delete. To delete more than one certificate, enter a comma-separated list of the certificate numbers.

distribute certificate showlog

Use this command to view the certificate distribution log.

Syntax

distribute certificate showlog <all | fail | success>
where:
  • all displays all the lines in the distribution log.
  • fail displays the lines with failures and warnings only.

  • success displays the lines with success only.

replace certificate

12.1 and later Replaces the GIM certificates that is installed by default with SHA1 or SHA256. The GIM client and the server do not lose communication.

replace certificate gim algorithm

USAGE:replace certificate gim algorithm < default | default_sha1 >, where 'default' represents SHA256 and 'default_sha1' represents SHA1 signature algorithm.

restore certificate

Parameters

restore certificate insights <default | last>

Restores the Guardium Insights certificate to either the default certificate keystore or to the last saved certificate keystore.

restore certificate keystore <backup | default>

Restores the certificate keystore to the last certificate keystore on record or the default certificate keystore that was originally provided.

  • restore certificate keystore backup

    Restores the certificate keystore to the last saved certificate keystore.

  • restore certificate keystore default

    Restores the certificate keystore to the default value that was supplied with the system.

restore certificate mysql backup <client <ca|cert> | server <ca|cert> >

Restores the last saved MySQL certificate. Specify which certificate you want to restore; the client or server certificate and the certificate authority (CA) or client certificate.
  • restore certificate mysql backup client ca

    Restores the last saved client certificate authority (CA) certificate.

  • restore certificate mysql backup client cert

    Restores the last saved client certificate.

  • restore certificate mysql backup server ca

    Restores the last saved server certificate authority (CA) certificate.

  • restore certificate mysql backup server cert

    Restores the last saved server certificate.

restore certificate sniffer <backup | default>

Restores the certificate to either the last saved sniffer certificate (the backup) or the default certificate.

Syntax
  • restore certificate insights < default | last >
  • restore certificate keystore <backup | default>
  • restore certificate mysql backup <client | server> <ca | cert>
  • restore certificate sniffer <backup | default>

restore cert_key

restore cert_key mysql backup <client | server>

Restores the MySQL client or server certificate key to the last saved value.

restore cert_key sniffer <backup | default>

12.0 This command is deprecated in Guardium 12.1.

Restores the sniffer certificate key to the last saved certificate key (backup) or the default sniffer certificate key.

Syntax

restore cert_key mysql backup <client | server>

restore cert_key sniffer <backup | default>

show certificate

Displays the summary of all certificates, certificate information, alias list, certificates in the keystore, and expired or soon-to-expire certificates.

This certificate authenticity can be verified by a Guardium CA public key (contained in the CA certificate that is distributed with the client software). The certificate has either a customer company-unique CN (Common Name - for example, acme.com), or a machine-specific CN (for example x4.acme.com). This permits any client to establish that the Guardium system has a valid certification (it is a real Guardium system), but also that it is a specific Guardium system (or a set of Guardium systems) that the client is supposed to connect to.

Parameters

show certificate all

Displays all the certificates on the Guardium appliance.

show certificate external_stap

Displays a summary of External S-TAP certificates, including certificate information, alias, certificates in the keystore, and expired or soon-to-expire certificates.

show certificate external_stap_signing

Displays a summary of External S-TAP intermediate certificates, including certificate information, alias names, certificates in the keystore, and expiration information.

show certificate gim client

Displays the GIM client certificate or certificates.

show certificate gim server

Displays the GIM server certificate.

show certificate gui

Displays the GUI certificate.

show certificate insights

Displays all Guardium Insights certificates that are stored in the Guardium Insights keystore

show certificate keystore alias

Displays a list of certificates. Select a certificate from the list to display its alias.

show certificate keystore all

Displays all the certificates in the Guardium keystore.

show certificate mysql client

Displays the MySQL client certificate.

show certificate mysql server

Displays the MySQL server certificate.

show certificate saml

Displays the SAML certificate.

show certificate sniffer

Displays the sniffer certificate.

show certificate starttls

Displays an existing starttls certificate.

show certificate squid

show certificate summary

Displays a summary of all certificates on the Guardium appliance.

show certificate trusted

Displays all trusted certificate information.

show certificate warn_expired

Displays all expired certificates or certificates that expire in 6 months.

show certificate wkc

Displays the certificate that is required for IBM Knowledge Catalog integration.

Syntax
  • show certificate all
  • show certificate external_stap
  • show certificate external_stap_signing
  • show certificate gim <client | server>
  • show certificate gui
  • show certificate insights
  • show certificate keystore <alias | all>
  • show certificate mysql <client | server>
  • store certificate saml
  • show certificate sniffer
  • show certificate starttls
  • show certificate summary
  • show certificate trusted
  • show certificate warn_expired
  • show certificate wkc

store certificate

Stores a certificate. Follow the directions to paste your certificate (in PEM format) and include the BEGIN and END lines.

All certificates except for GIM client and GIM server are merged into the main keystore during the store certificate operation.

Note: Where [console | external] is specified, use console to paste the content to the console; use external to import a certificate located externally. The default is console.

Parameters

store certificate allowlist_external_stap

For the External S-TAP, stores trusted certificates. For more information, see Client and server certificate verification.

store certificate blocklist_external_stap

For the External S-TAP, store certificates that you know cannot be trusted. For more information, see Client and server certificate verification.

store certificate cms

For managing GUI and GIM certificates by using the Venafi certificate management system. For more information, see Managing certificates by using Venafi.

store certificate custom_keystore_external_stap

Store certificates in the custom keystore to verify that the External S-TAP communicates only with trusted clients and servers. For more information, see Client and server certificate verification.

store certificate external_stap

Stores the signed External S-TAP certificate into the corresponding keystore. For more information, see External S-TAP.

store certificate external_stap_signing

Stores the signed intermediate External S-TAP certificate into the corresponding keystore. For more information, see External S-TAP.

store certificate gim client [auto-generate|console|external]

Stores the signed GIM client certificate into the corresponding keystore and prepares it for distribution. Used for centralized GIM certificate distribution. See Manage GIM certificate distribution. Unlike all other certificates, storing the GIM client certificate does not affect the main keystore. Instead, the GIM client keystore is saved in a custom keystore that can be distributed to registered GIM clients.

Use auto-generate to generate and distribute selected GIM client certificates. You can generate only SHA-1 certificates. You do not need to use this command to generate SHA-256 certificates.

store certificate gim server [console|external]

Stores the signed GIM server certificate into the keystore. Used for centralized GIM certificate distribution. See Manage GIM certificate distribution.

store certificate gui

Stores a GUI certificate in the keystore.

store certificate insights [console | external | trusted]

Stores a Guardium Insights certificate in the keystore, where:
  • console - Paste the certificate to the console.
  • external - Import an externally generated certificate.
  • trusted - Paste a trusted CA certificate to the console.

store certificate keystore_external_stap

Stores root and intermediate trusted certificates, which are used to sign External S-TAP certificates.

store certificate keystore [alias | trusted | trusted-venafi] [console|external]

Store certificates on the keystore. You can store the certificate alias, a trusted certificate, or a trusted Venafi certificate. Specify trusted to store CA certificates for TLS validation.

store certificate mysql

Stores MySQL client and server certificates. For both client and server certificates, specify Specify ca to store certificate authority (CA) certificates. Specify cert to store client or server default certificates.

  • store certificate mysql client <ca|cert> [console|external]

    Stores MySQL client certificates.

  • store certificate mysql server <ca|cert> [console|external]

    Stores MySQL server certificates.

Storing certificates with private key

The following commands overwrite self-signed GUI, GIM, and Insights certificates with private keys in the keystore.

Note:

Certificates and private keys must be in PEM format.

Certificates start with "-----BEGIN CERTIFICATE-----" and end with "-----END CERTIFICATE-----"

Private keys start with "-----BEGIN RSA PRIVATE KEY-----" and end with "-----END RSA PRIVATE KEY-----"

PEM certificates can also be imported by using the GUI. For more information, see Importing a PEM certificate.

store certificate privatekey gim [console | external]

Stores GIM self-signed certificate and private key in the keystore.

store certificate privatekey gui [console | external]

Stores GUI self-signed certificate and private key in the keystore.

Stores a Guardium Insights self-signed certificate and private key in the keystore.
Note: You must restart the Guardium Insights agent.

store certificate rsa_securid console

Stores a certificate for RSA SecurID multi-factor authentication. The certificate verifies the RSA SecurID Authentication Manager. Run this command on a central manager. SSH authentication is required for SSH logins with RSA SecurID. The certificate must be in PEM format.

After you store the certificate, use the configure_mfa API command to configure multi-factor authentication from the CLI.
Note: From configure_mfa, make sure that you set the sslVerify parameter to true. If sslVerify is not set to true, the GUI and SET_GUIUSER logins does not use the certificate, and for SSH logins, the configure_mfa API command fails.

For more information, see Configuring multi-factor authentication with RSA SecurID.

store certificate saml

Stores SAML certificates.

store certificate scanner ca_bundle <agent>

Stores the certificate for the CVE scanner agent. For more information, see Configuring vulnerability scanner agents.

store certificate sniffer

Stores sniffer certificates.

store certificate starttls [console | external]

Store a trusted certificate in the keystore to support an encrypted TLS connection.

store certificate wkc [console | external]

Required for the Guardium and IBM Knowledge Catalog integration. Use this command to store the IBM Cloud Pak® for Data root CA certificate, which is required to connect to your IBM Knowledge Catalog environment.
Important: The Cloud Pak for Data installation includes a self-signed certificate. Do not use the self-signed certificate in a production environment. Acquire and install a CA-signed certificate for production use.
For more information about obtaining and using a Cloud Pak for Data certificate, see Using a custom TLS certificate for HTTPS connections to the platform in the IBM Cloud Pak for Data documentation.
For more information about using the IBM Knowledge Catalog integration, see Integrating with IBM Knowledge Catalog for federated data protection and store wkc_configuration.
Note: This command is available only on managed units and stand-alone machines.
Syntax
  • store certificate allowlist_external_stap
  • store certificate blocklist_external_stap
  • store certificate cms
  • store certificate custom_keystore_external_stap
  • store certificate external_stap
  • store certificate external_stap_signing
  • store certificate gim client [auto-generate|console|external]
  • store certificate gim server [console|external]
  • store certificate insights [console|external|trusted]
  • store certificate keystore <alias | trusted> [console|external]
  • store certificate keystore_external_stap
  • store certificate mysql client <ca|cert> [console|external]
  • store certificate mysql server <ca|cert> [console|external]
  • store certificate privatekey <gim | gui > [console|external]
  • store certificate rsa_securid console
  • store certificate saml
  • store certificate scanner ca_bundle
  • store certificate sniffer
  • store certificate starttls [console | external]
  • store certificate wkc [console | external]

store cert_key mysql

Stores the certificate key of a MySQL client or server. Specify console to paste the key into the console. Specify to import the key file from an external source.Specify to import the key file from an external source.

Parameters

Use the following parameters to store the certificate key of a MySQL client:

store cert_key mysql client [console|external]

Use the following parameters to store the certificate key of a MySQL server:

store cert_key mysql server [console|external]

store cert_key sniffer

12.0 This command is deprecated in Guardium 12.1.

If the certificate signing request (CSR) is not generated in the Guardium appliance, the store cert_key sniffer command prompts you to enter the key to store the certificate.

Stores the system certificate key. This command enables a user to set the system certificate that is used by the Guardium system (in communication with S-TAP). The certificate can either be pasted from the console or imported through one of the standard import protocols. Use the PEM certificate format and include the BEGIN and END delimiters. This certificate needs to be signed by a CA whose self-signed certificate is available to S-TAP software through the guardium_ca_path.

Parameters

store cert_key sniffer console

Stores the sniffer certificate key by pasting the key into the console.

store cert_key sniffer external

Stores the sniffer certificate key by importing the key file from an external source.

Syntax

store cert_key sniffer <console | external>

Backup and Default Options

You can choose to restore certificates and certificate keys with the backup or default parameter. Use the backup parameter to restore a certificate to the last saved certificate. Use the default parameter to restore a certificate to the original certificate that Guardium supplied.

Certificate Expiration Dates and Summary Commands

Run the show certificate warn_expire command periodically. This command warns you of certificates that expire in six months and displays a list of expired certificates. For more information, see the show certificate CLI command. To show a summary of all certificates, run the CLI command show certificate summary. Run the commands periodically to review certificate expiration dates.