Skip to main content

Replacing SSL certificates

All SSL certificates have an expiration date. You must update your certificates before they expire to prevent loss of access to authentication keys.

Before you begin

  • You must have obtained the replacement public and private certificates for the cluster.
  • You must have obtained the replacement public certificate for the KMIP server.
  • You must be a cluster or SVM administrator to perform this task.
Note
You can install the replacement client and server certificates on the KMIP server before or after installing the certificates on the cluster.
  1. Install the new KMIP server-ca certificate:security certificate install -type server-ca -vserver <>
  2. Install the new KMIP client certificate: security certificate install -type client -vserver <>
  3. Update the key manager configuration to use the newly installed certificates: security key-manager external modify -vserver <> -client-cert <> -server-ca-certs <>
    Note
    Updating the key manager configuration to use the newly installed certificates will return an error if the public/private keys of the new client certificate are different from the keys previously configured. Contact Lenovo support for instructions on how to override this error.