Renewing expired server certificates
Follow these instructions to renew expired server certificates for the simplified setup, the regular setup, and certificate chains.
See the following topics for detailed instructions:
- Creating a server certificate
- Simplified setup: Trusting a new self-signed SKLM server certificate
- Simplified setup: Trusting a new SKLM server certificate chain
- Simplified setup: Trusting a new SKLM WebSphere Application Server certificate
- Regular setup: Trusting a new self-signed SKLM server certificate
- Trusting a new endpoint server certificate in a server certificate chain
- Regular setup: Trusting a new SKLM server certificate chain
- Trusting a new DSM server certificate chain
Creating a server certificate
The steps for creating a new server certificate to replace one that is expired are similar to the
steps for creating an initial server certificate. Follow the instructions in the documentation of
your Remote Key Manager (RKM), which must be one of the following products:
- IBM® Security Key Lifecycle Manager (SKLM)
- Thales Vormetric Data Security Manager (DSM)
Simplified setup: Trusting a new self-signed SKLM server certificate
These instructions assume that you are using the simplified setup method and that you have
created a self-signed SKLM server certificate.
The key server object is updated with the self-signed server certificate.
Simplified setup: Trusting a new SKLM server certificate chain
These instructions assume that you are using the simplified setup method and you have a
certificate chain from a CA. The certificate chain contains a renewed intermediate certificate or a
renewed root certificate. For information about obtaining a certificate chain from a CA, see the
subtopic "Part 2: Configuring SKLM" in Simplified setup: Using SKLM with a certificate chain.
Simplified setup: Trusting a new SKLM WebSphere Application Server certificate
These instructions assume that you are using the simplified setup method with IBM
WebSphere® Application Server and SKLM.
The IBM Spectrum Scale client now trusts the new SKLM WebSphere Application Server certificate.
Regular setup: Trusting a new self-signed SKLM server certificate
Follow these instructions if you are using IBM Spectrum Scale v4.1.1 or later. These instructions
assume that you are using SKLM and the regular setup method and that you have created a self-signed
SKLM server certificate.
The IBM Spectrum Scale client now trusts the new self-signed SKLM server certificate.
Trusting a new endpoint server certificate in a server certificate chain
These instructions assume that the certificate chain includes a root certificate that is
signed by a certificate authority (CA), zero or more intermediate certificates, and an endpoint
certificate.
Regular setup: Trusting a new SKLM server certificate chain
These instructions assume that you are using SKLM and the regular setup method and that you
have a certificate chain from a CA. The certificate chain contains a renewed intermediate
certificate or a renewed root certificate. For information about obtaining a certificate chain from
a CA, see the subtopic "Part 2: Configuring SKLM" in Regular setup: Using SKLM with a certificate chain.
The IBM Spectrum Scale client now trusts the new SKLM server certificate chain.
Trusting a new DSM server certificate chain
These instructions assume that you are using DSM and that you have a DSM certificate chain
that you renewed by running the security genca command.
The IBM Spectrum Scale client now trusts the new self-signed DSM server certificate.