Certificate CLI Commands

Use the certificate commands to create a certificate signing request (CSR), and to install server, CA (certificate authority), or trusted path certificates on the Guardium® system.

Note: Guardium does not provide certificate authority (CA) services and does not ship systems with different certificates than the one installed by default. A customer that wants their own certificate must contact a third-party CA (such as VeriSign or Entrust).

Certificate Expiration

Expired certificates will result in a loss of function. Run the show certificate warn_expire command periodically to check for expired certificates. The command displays certificates that will expire within six months and certificates that have already expired. The user interface will also inform you of certificates that will expire. To see a summary of all certificates, run the command show certificate summary.

New Certificates

To obtain a new certificate, generate a certificate signing request (CSR) and contact a third-party certificate authority (CA) such as VeriSign or Entrust. Guardium does not provide CA services and will not ship systems with different certificates than the ones that are installed by default. The certificate must be in PEM format and include the BEGIN and END delimiters. The certificate can either be pasted from the console or imported through one of the standard import protocols.

Note: Do not perform this action until after the system network configuration parameters have been set.
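The two checks described above (the PEM BEGIN/END delimiter requirement and the periodic six-month expiry warning) as one added Python example. This is not Guardium code and does not run on the appliance; it is meant for a workstation that holds exported certificates. It assumes a warning window of 183 days for "six months", and it builds its own unsigned sample certificate (constructed test data, CN x4.acme.com) so that it runs offline; the DER walker reads the same fields from a CA-issued certificate.

```python
import base64
import re
from datetime import datetime, timedelta, timezone

# Added example, not Guardium's code: enforce the PEM delimiters the CLI requires, read the
# subject CN and validity dates from the DER encoding, and classify expiry like warn_expire.
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)
OID_COMMON_NAME = b"\x55\x04\x03"          # X.520 id-at-commonName, 2.5.4.3
WARN_WINDOW = timedelta(days=183)           # "six months": an assumption, not a Guardium constant

def pem_to_der(pem):
    """Reject anything without the BEGIN/END lines, then base64-decode the body."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("not a PEM certificate: BEGIN/END CERTIFICATE delimiters missing")
    return base64.b64decode("".join(m.group(1).split()), validate=True)

def read_tlv(buf, off=0):
    """Decode one DER tag-length-value at buf[off]; returns (tag, value, offset after it)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                       # long form: low bits give the number of length bytes
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + length], off + length

def children(value):
    """Split the contents of a SEQUENCE or SET into its element (tag, value) pairs."""
    out, off = [], 0
    while off < len(value):
        tag, val, off = read_tlv(value, off)
        out.append((tag, val))
    return out

def parse_time(tag, val):
    """RFC 5280 Time: UTCTime (YYMMDDHHMMSSZ) or GeneralizedTime (YYYYMMDDHHMMSSZ)."""
    fmt = {0x17: "%y%m%d%H%M%SZ", 0x18: "%Y%m%d%H%M%SZ"}[tag]
    return datetime.strptime(val.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def certificate_fields(pem):
    """Return (subject_cn, not_before, not_after) for a PEM certificate."""
    _, cert, _ = read_tlv(pem_to_der(pem))
    tbs = children(cert)[0][1]                    # tbsCertificate
    fields = children(tbs)
    if fields[0][0] == 0xA0:                      # optional [0] EXPLICIT version
        fields = fields[1:]
    # remaining order: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    validity, subject = fields[3][1], fields[4][1]
    not_before, not_after = children(validity)
    cn = None
    for _, rdn in children(subject):              # Name = SEQUENCE OF SET OF AttributeTypeAndValue
        for _, atv in children(rdn):
            oid, value = children(atv)
            if oid[1] == OID_COMMON_NAME:
                cn = value[1].decode("utf-8")
    return cn, parse_time(*not_before), parse_time(*not_after)

def expiry_status(not_after, now):
    """Classify like the warn_expire report: 'expired', 'expires within 6 months' or 'ok'."""
    if not_after <= now:
        return "expired"
    if not_after - now <= WARN_WINDOW:
        return "expires within 6 months"
    return "ok"

def der(tag, content):
    """DER-encode one TLV (short or long length form)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def build_sample_cert(cn, not_before, not_after):
    """Constructed test data: an unsigned certificate skeleton with the real field layout."""
    utc = lambda d: der(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    name = der(0x30, der(0x31, der(0x30, der(0x06, OID_COMMON_NAME) + der(0x0C, cn.encode()))))
    sha256_rsa = der(0x30, der(0x06, bytes.fromhex("2A864886F70D01010B")) + der(0x05, b""))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + sha256_rsa + name
              + der(0x30, utc(not_before) + utc(not_after)) + name + der(0x30, b""))
    cert = der(0x30, tbs + sha256_rsa + der(0x03, b"\x00"))   # empty signature: test data only
    b64 = base64.b64encode(cert).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body

def demo(now_iso="2024-01-01"):
    """Build the constructed sample (valid 2023-01-01 to 2024-05-01) and report it as of now_iso."""
    now = datetime.fromisoformat(now_iso).replace(tzinfo=timezone.utc)
    pem = build_sample_cert("x4.acme.com", datetime(2023, 1, 1, tzinfo=timezone.utc),
                            datetime(2024, 5, 1, tzinfo=timezone.utc))
    cn, _, not_after = certificate_fields(pem)
    return cn, not_after.date().isoformat(), expiry_status(not_after, now)

if __name__ == "__main__":
    print(demo())   # fixed "now" so the run is repeatable
```

To check a certificate exported from a system, pass its PEM text to certificate_fields and the current UTC time to expiry_status; a missing or mangled BEGIN/END line is rejected before any decoding happens, which is the same failure a paste into store certificate would produce.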

create csr

Creates a Certificate Signing Request (CSR) for the Guardium system. Do not perform this action until after the system network configuration parameters are set. Within the generated CSR, the common name (CN) is created automatically from the host and domain names assigned.

create csr alias creates a certificate request with an alias.

create csr gim creates a certificate request for gim (GIM Listener).

create csr gui creates a certificate request for the tomcat.

create csr sniffer creates a certificate request for the sniffer.

Syntax

create csr <alias | gim | gui | sniffer>

restore certificate gim

Restores the certificate gim to the last certificate gim on record or the default certificate gim that was originally provided.

restore certificate gim backup restores the gim certificate to the last saved gim certificate.

restore certificate gim default restores the gim certificate to the default gim certificate that was supplied with the system.

Syntax

restore certificate gim <backup | default>

restore certificate keystore

Restores the certificate keystore to the last certificate keystore on record or the default certificate keystore that was originally provided.

restore certificate keystore backup restores the certificate keystore to the last saved certificate keystore.

restore certificate keystore default restores the certificate keystore to the default value that was supplied with the system.

Syntax

restore certificate keystore <backup | default>

restore certificate mysql

Restores the client certificate to the last certificate on record.

restore certificate mysql backup restores the last saved mysql certificate.

Syntax

restore certificate mysql <backup>

restore certificate mysql backup client

Restores the client certificate to the last certificate on record.

restore certificate mysql backup client ca restores the last saved client certificate authority (CA) certificate.

restore certificate mysql backup client cert restores the last saved client certificate.

Syntax

restore certificate mysql backup client <ca | cert>

restore certificate mysql backup server

Restores the server certificate to the last certificate on record.

restore certificate mysql backup server ca restores the last saved server certificate authority (CA) certificate.

restore certificate mysql backup server cert restores the last saved server certificate.

Syntax

restore certificate mysql backup server <ca | cert>

restore certificate mysql default client

Restores the mysql client certificate to the default version that was supplied with the system.

restore certificate mysql default client ca restores the mysql client ca certificate to the default version that was supplied with the system.

restore certificate mysql default client cert restores the mysql client certificate to the default version that was supplied with the system.

Syntax

restore certificate mysql default client <ca | cert>

restore certificate mysql default server

Restores the mysql server certificate to the default version that was supplied with the system.

restore certificate mysql default server ca restores the mysql server ca certificate to the default version that was supplied with the system.

restore certificate mysql default server cert restores the mysql server certificate to the default version that was supplied with the system.

Syntax

restore certificate mysql default server <ca | cert>

restore certificate sniffer

Restores the certificate to the last certificate on record.

restore certificate sniffer backup restores the sniffer certificate to the last saved sniffer certificate.

restore certificate sniffer default restores the sniffer certificate to the default sniffer certificate.

Syntax

restore certificate sniffer <backup | default>

restore cert_key mysql backup

Restores the mysql client or server certificate key to the last saved value.

restore cert_key mysql backup client restores the last saved mysql client cert key.

restore cert_key mysql backup server restores the last saved mysql server cert key.

Syntax

restore cert_key mysql backup <client | server>

restore cert_key mysql default

Restores the mysql client or server certificate key to the default version that was supplied with the system.

restore cert_key mysql default client restores the default mysql client cert key that was supplied with the system.

restore cert_key mysql default server restores the default mysql server cert key that was supplied with the system.

Syntax

restore cert_key mysql default <client | server>

show certificate

Displays the summary of all certificates, certificate information, alias list, certificates in the keystore, and expired or soon-to-expire certificates.

This certificate's authenticity can be verified by a Guardium CA public key (contained in the CA certificate that is distributed with the client software). This certificate has either a customer company-unique CN (Common Name, for example acme.com) or a machine-specific CN (for example x4.acme.com). This permits any client to establish not only that the Guardium system has a valid certificate (it is a real Guardium system), but also that it is the specific Guardium system (or one of a set of Guardium systems) that the client is supposed to connect to.

show certificate all displays a summary of all certificates.

show certificate alias displays an alias list.

show certificate gim displays all GIM certificate information (GIM Listener).

show certificate gui displays all tomcat certificate information.

show certificate keystore displays all certificates in the keystore and an alias list for you to select which certificate to show.

show certificate mysql displays client and server mysql certificate information.

show certificate sniffer displays all sniffer certificate information.

show certificate stap displays all S-TAP certificate information in the keystore.

show certificate summary displays a summary of all certification information.

show certificate trusted displays all trusted certificate information.

show certificate warn_expired displays all expired certificates or certificates that expire in 6 months.

Syntax

show certificate <alias | all | gim | gui | keystore | mysql | sniffer | stap | summary | trusted | warn_expired >

show certificate keystore

Displays certificate information in the keystore.

show certificate keystore all displays all certificates in the keystore.

show certificate keystore alias displays an alias list for you to select which certificate to show.

Syntax

show certificate keystore <all | alias>

show certificate mysql

Displays mysql certificate information.

Parameters

show certificate mysql client shows client mysql information.

show certificate mysql server shows server mysql information.

Syntax

show certificate mysql <client | server>

store certificate

Stores a certificate. Paste your certificate in PEM format and include the BEGIN and END lines.

Parameter

store certificate alias stores a certificate in the keystore after a CSR has been generated. This CLI command supports the CLI command, create csr alias, which allows the user to create an intermediate trusted certificate from scratch. Use both of these commands to create intermediate trusted certificates. These intermediate trusted certificates can then be used to sign other certificates, if required.

store certificate gim stores a custom gim certificate (GIM Listener) in the keystore, prompting for the certificate, the key (optional), and the CA certificate.

store certificate gui stores the tomcat certificate in the keystore after a CSR has been generated.

store certificate keystore asks for a one-word alias to uniquely identify the trusted certificate and store it in the keystore.

store certificate mysql stores mysql client and server certificates.

store certificate sniffer stores sniffer certificates.

store certificate stap stores S-TAP certificates.

Syntax

store certificate <alias | gim | gui | keystore | mysql | sniffer | stap>

store certificate mysql client

Stores a mysql client certificate.

store certificate mysql client ca stores client certificate authority (CA) certificates.

store certificate mysql client cert stores client certificates.

Syntax

store certificate mysql client <ca | cert>

store certificate mysql server

Stores a mysql server certificate.

store certificate mysql server ca stores server certificate authority (CA) certificates.

store certificate mysql server cert stores server certificates.

Syntax

store certificate mysql server <ca | cert>

store cert_key

Stores the system certificate key and the certificate key of a mysql client and server.

store cert_key mysql stores the certificate key of a mysql client and server.

store cert_key sniffer stores the sniffer certificate key.

Syntax

store cert_key <mysql | sniffer>

store cert_key mysql

Stores the certificate key of a mysql client or server.

store cert_key mysql client stores the certificate key of a mysql client.

store cert_key mysql server stores the certificate key of a mysql server.

Syntax

store cert_key mysql <client | server>

store cert_key sniffer

Stores the system certificate key. This command enables a user to set the system certificate that is used by the Guardium system (in communication with S-TAP®). The certificate can either be pasted from the console or imported through one of the standard import protocols. The certificate format must be PEM and must include the BEGIN and END delimiters. This certificate needs to be signed by a CA whose self-signed certificate is available to the S-TAP software through the guardium_ca_path.

store cert_key sniffer console stores the sniffer certificate key by pasting the key into the console.

store cert_key sniffer import stores the sniffer certificate key by importing the key file.

Syntax

store cert_key sniffer <console | import>

Backup and Default Options

You can choose to restore certificates and certificate keys with the backup or default parameter. Use the backup parameter to restore a certificate to the last saved certificate. Use the default parameter to restore a certificate to the original certificate that Guardium supplied.

Certificate Expiration Dates and Summary Commands

Run the show certificate warn_expire command periodically. This command warns you of certificates that will expire in six months and displays a list of expired certificates. For more information, see the show certificate CLI command. To show a summary of all certificates, run the CLI command show certificate summary. Run the commands periodically to review certificate expiration dates.