sslcfg command
This command sets and displays the Secure Sockets Layer (SSL) status of the CMM.
- When the CMM is set to Secure security mode, only secure file transfer methods, such as HTTPS and SFTP, can be used for tasks involving file transfer when the CMM is acting as a server. Unsecure file transfer protocols, such as HTTP, FTP, and TFTP, are disabled when the CMM is acting as a server when the security mode is set to Secure. Unsecure file transfer protocols remain available for a CMM acting as a client for all commands when the security mode is set to Secure.
- For information about how to specify a URL for file transfer, see Specifying a URL for file transfer.
- SHA256 certificates are not supported for external LDAP servers.
If command syntax is not correctly entered, or if a command fails to run, an error message is returned. See Common errors for a list of error messages that apply to all commands or sslcfg command errors for a list of error messages that are specific to the sslcfg command.
Function | What it does | Command | Target (see paths in Command targets) |
---|---|---|---|
Display CMM SSL status | Displays the SSL status of the specified CMM. This status includes information about SSL certificates. | sslcfg | Primary CMM:
|
Set SSL (secure LDAP) state for LDAP client | Enables or disables SSL (secure LDAP) for the LDAP client. Note
| sslcfg -client state where state is enabled or disabled. This command can only be run by users who have one or more of the following command authorities:
| Primary CMM:
|
Set SSL state for HTTPS server | Enables or disables the HTTPS server. Note The HTTPS server can be enabled if a certificate is in place. | sslcfg -server state where state is enabled or disabled. This command can only be run by users who have one or more of the following command authorities:
| Primary CMM:
|
View self-signed certificate | Views a certificate authority self-signed root certificate for the CMM. | sslcfg -view ca | Primary CMM:
|
Generate self-signed certificate | Generates a self-signed certificate for the chassis certificate authority. Note
| sslcfg -gen ca -csa type where the optional certificate type is:
This command can only be run by users who have one or more of the following command authorities:
| Primary CMM:
|
Generate CSR | Generates a certificate signing request (CSR) for the CMM HTTPS server or LDAP client. The following values must be set when generating a CSR:
The following optional values can be set when generating a CSR:
| sslcfg -gen csr -c country -sp "state" -cl "city" -on "org" -hn hostname -cp "name" -ea email -ou "org_unit" -s "surname" -gn "given_name" -in "initial" -dq "dn_qualifier" -cpwd password -un "un_name" -t target where the required options are:
where the optional options are:
(continued on next page) | Primary CMM:
|
Generate CSR (continued) |
Note Arguments that must be quote-delimited are shown in quotation marks. This command can only be run by users who have one or more of the following command authorities:
| ||
Download CA self-signed root certificate file | Downloads the specified CA self-signed root certificate file. The location of the CA self-signed root certificate file, including IP address of the server for downloading and filename, must be set using the -u command option. Note To successfully download and import a CA certificate into an external LDAP server trust store, make sure that secure LDAP is enabled using the | sslcfg -dnld ca -u URL where URL is the fully qualified uniform resource locator, including file name, of the tftp, ftp, http, https, or sftp server where the certificate file is located. This command can only be run by users who have one or more of the following command authorities:
| Primary CMM:
|
Download certificate or CSR file of specified format | Downloads the specified certificate file, specifying the certificate file format. The location of the certificate or CSR file, including IP address of the server for downloading and filename, must be set using the -u command option. Note If the certificate or CSR file format is not specified using the | sslcfg -dnld cert_type -f format -u URL -t target where:
This command can only be run by users who have one or more of the following command authorities:
| Primary CMM:
|
Import (upload) trusted certificate 1 | Import (upload) trusted certificate 1 for the LDAP client. The upload location of the trusted certificate file, including IP address of the server and filename, must be set using the -u command option. | sslcfg -tc1 import -u URL -t client where URL is the fully qualified uniform resource locator, including file name, of the tftp, ftp, http, https, or sftp server where the certificate file is located. Note The This command can only be run by users who have one or more of the following command authorities:
| Primary CMM:
|
Import (upload) trusted certificate 2 | Import (upload) trusted certificate 2 for the LDAP client. The upload location of the trusted certificate file, including IP address of the server and filename, must be set using the -u command option. | sslcfg -tc2 import -u URL -t client where URL is the fully qualified uniform resource locator, including file name, of the tftp, ftp, http, https, or sftp server where the certificate file is located. Note The This command can only be run by users who have one or more of the following command authorities:
| Primary CMM:
|
Import (upload) trusted certificate 3 | Import (upload) trusted certificate 3 for the LDAP client. The upload location of the trusted certificate file, including IP address of the server and filename, must be set using the -u command option. | sslcfg -tc3 import -u URL -t client where URL is the fully qualified uniform resource locator, including file name, of the tftp, ftp, http, https, or sftp server where the certificate file is located. Note The This command can only be run by users who have one or more of the following command authorities:
| Primary CMM:
|
Export (download) trusted certificate 1 | Downloads (exports) trusted certificate 1 for the LDAP client. The location of the trusted certificate 1 file, including IP address of the server for downloading and filename, must be set using the -u command option. | sslcfg -tc1 download -u URL -t client where URL is the fully qualified uniform resource locator, including file name, of the tftp, ftp, http, https, or sftp server where the certificate file is located. Note The This command can only be run by users who have one or more of the following command authorities:
| Primary CMM:
|
Export (download) trusted certificate 2 | Downloads (exports) trusted certificate 2 for the LDAP client. The location of the trusted certificate 2 file, including IP address of the server for downloading and filename, must be set using the -u command option. | sslcfg -tc2 download -u URL -t client where URL is the fully qualified uniform resource locator, including file name, of the tftp, ftp, http, https, or sftp server where the certificate file is located. Note The This command can only be run by users who have one or more of the following command authorities:
| Primary CMM:
|
Export (download) trusted certificate 3 | Downloads (exports) trusted certificate 3 for the LDAP client. The location of the trusted certificate 3 file, including IP address of the server for downloading and filename, must be set using the -u command option. | sslcfg -tc3 download -u URL -t client where URL is the fully qualified uniform resource locator, including file name, of the tftp, ftp, http, https, or sftp server where the certificate file is located. Note The This command can only be run by users who have one or more of the following command authorities:
| Primary CMM:
|
Remove trusted certificate 1 | Removes trusted certificate 1 from the LDAP client. | sslcfg -tc1 remove -t client Note The This command can only be run by users who have one or more of the following command authorities:
| Primary CMM:
|
Remove trusted certificate 2 | Removes trusted certificate 2 from the LDAP client. | sslcfg -tc2 remove -t client Note The This command can only be run by users who have one or more of the following command authorities:
| Primary CMM:
|
Remove trusted certificate 3 | Removes trusted certificate 3 from the LDAP client. | sslcfg -tc3 remove -t client Note The This command can only be run by users who have one or more of the following command authorities:
| Primary CMM:
|
Import (upload) certificate | Import (upload) certificate for the CMM HTTPS server or LDAP client. The upload location of the certificate file, including IP address and filename, must be set using the -u command option. | sslcfg -upld -u URL -t target where:
This command can only be run by users who have one or more of the following command authorities:
| Primary CMM:
|
sslcfg
sslcfg -gen csr -c us -sp "nc" -cl "cary" -on "lenovo" -hn hostname -t server
The following example shows the information that is returned from these commands:
system:mm[1]> sslcfg
-server enabled
-client enabled
Certificate Authority certificate status:
A Root certificate is installed (rsa2048sha1)
SSL Server Certificate status:
A self-signed certificate is installed
SSL Client Certificate status:
No certificate has been generated
SSL Client Trusted Certificate status:
Trusted Certificate 1: Available
Trusted Certificate 2: Not available
Trusted Certificate 3: Not available
system:mm[1]>
system:mm[1]> sslcfg -gen csr -c us -sp "nc" -cl "cary" -on "lenovo" -hn hostname -t server
Certificate Signing Request (CSR) is ready for downloading.
To get the CSR, use the download CSR command. You can then send
it to a CA for signing.
OK
system:mm[1]>
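The status output shown above can be checked automatically during a configuration review. The following is an added example, not part of the original documentation or the CMM firmware: it parses captured `sslcfg` output and reports findings under an assumed policy (HTTPS server enabled, no SHA-1 root certificate, no self-signed server certificate, at least one trusted certificate when secure LDAP is on). The function names and finding labels are hypothetical.

```python
import re

# Constructed sample: the status output from this page's example.
SAMPLE = """system:mm[1]> sslcfg
-server enabled
-client enabled
Certificate Authority certificate status:
A Root certificate is installed (rsa2048sha1)
SSL Server Certificate status:
A self-signed certificate is installed
SSL Client Certificate status:
No certificate has been generated
SSL Client Trusted Certificate status:
Trusted Certificate 1: Available
Trusted Certificate 2: Not available
Trusted Certificate 3: Not available
system:mm[1]>"""

def parse_sslcfg(text):
    """Parse sslcfg status output into switches, sections and trusted slots."""
    st = {"sections": {}, "trusted": {}}
    section = None
    for line in map(str.strip, text.splitlines()):
        if m := re.fullmatch(r"-(server|client)\s+(enabled|disabled)", line):
            st[m.group(1)] = m.group(2)
        elif m := re.fullmatch(r"Trusted Certificate (\d):\s*(.+)", line):
            st["trusted"][int(m.group(1))] = m.group(2) == "Available"
        elif line.endswith(" status:"):
            section = line[: -len(" status:")]
            st["sections"][section] = []
        elif section and line and not line.startswith("system:"):  # skip prompts
            st["sections"][section].append(line)
    return st

def audit(st):
    """Return findings under an assumed policy (labels are hypothetical)."""
    sec = {k: " ".join(v) for k, v in st["sections"].items()}
    findings = []
    if st.get("server") != "enabled":
        findings.append("https-server-disabled")
    if re.search(r"\(\w*sha1\)", sec.get("Certificate Authority certificate", ""), re.I):
        findings.append("ca-root-sha1")
    if "self-signed" in sec.get("SSL Server Certificate", ""):
        findings.append("server-cert-self-signed")
    if st.get("client") == "enabled" and not any(st["trusted"].values()):
        findings.append("ldap-client-no-trusted-cert")
    return findings

print(audit(parse_sslcfg(SAMPLE)))
```

For the sample output, the two findings correspond to the `rsa2048sha1` root certificate and the self-signed server certificate; the CSR generated by the second example command is the starting point for replacing the latter with a CA-signed certificate.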