CREATE CERTIFICATE (Create a new TLS certificate)

Use this command to create a new self-signed TLS certificate in the server certificate keystore, cert.kdb, and to export the new certificate’s public key to a file in the server instance directory.

Privilege class

To issue this command, you must have system privilege.

Syntax

Create CERTificate certificate_label
TODate= TODAY+3650 (default) | mm/dd/yyyy | Today | Today+days | EOLM+days | BOTM+days
DEFault= No (default) | Yes

Parameters

certificate_label (Required)

Specifies the label that is used to identify the certificate in the server certificate keystore. The label is also used to form the name of the exported public key that is stored in the server instance directory by appending the “.arm” suffix to the label.

The label must be enclosed in quotation marks if it contains any blank spaces or equal signs.

TODate

Specifies the date when the new certificate expires. The specified date must be in the future. The default is 3650 days (approximately 10 years) after the date the CREATE CERTIFICATE command is run. You can specify the date by using one of the following values:

| Value | Description | Example |
| --- | --- | --- |
| MM/DD/YYYY | A specific date | 12/31/2045 |
| TODAY+days or +days | The current date plus the number of days specified. The maximum number of days that you can specify is 9999. | TODAY+3650 or +3650 |
| EOLM+days | The last day of the previous month plus the specified number of days. | EOLM+365 |
| BOTM+days | The first day of the current month plus the number of specified days. | BOTM+365 |

DEFault

Specifies whether to mark the new certificate as the default certificate in the server certificate keystore. Possible values are:

No
Do not mark the certificate as the default. This is the default.

Yes
Mark the certificate as the default. If command approval is enabled, additional approvals are required to specify this value. For more information, see SET COMMANDAPPROVAL (Specifies whether command approval is required).
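
The TODate value forms described above can be resolved to a concrete expiration date before the command is issued, for example to compare the resulting lifetime with a local policy maximum. The following is an added example, not code from the product or its documentation: resolve_todate and lifetime_days are hypothetical helper names, value keywords are assumed to be case-insensitive, and the 9999-day limit is applied only to the TODAY+days and +days forms, where the page states it.

```python
import re
from datetime import date, datetime, timedelta

MAX_TODAY_DAYS = 9999  # the page states this limit for TODAY+days / +days


def resolve_todate(value, today):
    """Return the expiration date that a TODate value denotes on `today`."""
    v = value.strip().upper()  # assumption: value keywords are case-insensitive
    m = re.fullmatch(r"(TODAY|EOLM|BOTM)?\+(\d{1,5})", v)
    if m:
        keyword, days = m.group(1) or "TODAY", int(m.group(2))
        first_of_month = today.replace(day=1)
        if keyword == "TODAY":
            if days > MAX_TODAY_DAYS:
                raise ValueError(f"{value!r}: more than {MAX_TODAY_DAYS} days")
            base = today
        elif keyword == "EOLM":
            base = first_of_month - timedelta(days=1)  # last day of previous month
        else:
            base = first_of_month  # BOTM: first day of current month
        expires = base + timedelta(days=days)
    else:
        try:
            expires = datetime.strptime(v, "%m/%d/%Y").date()
        except ValueError:
            raise ValueError(f"{value!r}: not a recognised TODate value") from None
    if expires <= today:
        raise ValueError(f"{value!r} resolves to {expires}, which is not in the future")
    return expires


def lifetime_days(value, today):
    """Certificate lifetime in days, for comparison with a local maximum."""
    return (resolve_todate(value, today) - today).days


if __name__ == "__main__":
    run_date = date(2023, 5, 17)  # constructed run date
    for sample in ("+3650", "12/31/2024", "EOLM+365", "BOTM+365", "EOLM+10"):
        try:
            print(sample, "->", resolve_todate(sample, run_date), lifetime_days(sample, run_date))
        except ValueError as err:
            print(sample, "-> rejected:", err)
```

With a run date in mid-month, a small EOLM offset such as EOLM+10 resolves to a date that has already passed and is rejected by the future-date check.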

Example: Create a new self-signed TLS certificate with default expiration date

Create a new self-signed TLS certificate. Include the date of creation in the label to differentiate it from the server’s original certificate.

CREATE CERTIFICATE "TSM Server SelfSigned SHA Key - 2023-05-17"

Example: Create a new self-signed TLS certificate that expires at the end of 2024

Create a new self-signed certificate with label CertFor2024, and specify an expiration date of December 31, 2024.

CREATE CERTIFICATE "CertFor2024" todate=12/31/2024

Related commands

Table 1. Commands related to CREATE CERTIFICATE

| Command | Description |
| --- | --- |
| SET DEFAULTTLSCERT | Mark a TLS certificate as the default |
| SET COMMANDAPPROVAL | Specifies whether command approval is required. |