sslcfg command

Use this command to display and configure SSL for the IMM and to manage certificates.

The sslcfg command is used to generate a new encryption key and self-signed certificate or certificate signing request (CSR).

Syntax:
sslcfg [-options]
Table 1. sslcfg options
| Option | Description | Values |
|--------|-------------|--------|
| -server | Web over HTTPS status | enabled, disabled. Note: Web over HTTPS can only be enabled if a certificate is in place. Use -rm to completely disable the certificate. |
| -client | Secure LDAP status | enabled, disabled. Note: The SSL client can be enabled only if a valid server or client certificate is in place. |
| -cert | Generate self-signed certificate | server, client, sysdir, storekey. Note: Values for the -c, -sp, -cl, -on, and -hn command options are required when generating a self-signed certificate. Values for the -cp, -ea, -ou, -s, -gn, -in, and -dq command options are optional when generating a self-signed certificate. |
| -csr | Generate a CSR | server, client, sysdir, storekey. Note: Values for the -c, -sp, -cl, -on, and -hn command options are required when generating a CSR. Values for the -cp, -ea, -ou, -s, -gn, -in, -dq, -cpwd, and -un command options are optional when generating a CSR. |
| -form | Format of the CSR or certificate that will be exported | der, pem (default pem) |
| -algo | CSR algorithm | p256, p384, rsa2048, rsa3072, rsa4096. Note: If no -algo option is given, the default value (p256) is used. |
| -rm | Remove the certificate | server, storekey. Note: A default self-signed certificate (server) is generated automatically after the current one is removed. |
| -i | IP address for TFTP/SFTP server | Valid IP address. Note: An IP address for the TFTP or SFTP server must be specified when uploading a certificate, or downloading a certificate or CSR. |
| -pn | Port number of TFTP/SFTP server | Valid port number (default 69/22) |
| -u | User name for SFTP server | Valid user name |
| -pw | Password for SFTP server | Valid password |
| -l | Certificate filename | Valid filename. Note: A filename is required when downloading or uploading a certificate or CSR. If no filename is specified for a download, the default name for the file is used and displayed. |
| -dnld | Exports the specified file to the remote host | This option takes no arguments, but must be used with -cert or -csr, as well as the -i and -l command options. |
| -upld | Imports certificate file | This option takes no arguments, but must also specify values for the -cert, -i, and -l command options. |
| -tcx | Trusted certificate x for SSL client | import, download, remove. Note: The trusted certificate number, x, is specified as an integer from 1 to 4 in the command option. |

Required options for generating a self-signed certificate or CSR
Note: Required when generating a self-signed certificate or CSR.

| Option | Description | Values |
|--------|-------------|--------|
| -c | Country | Country code (2 letters) |
| -sp | State or province | Quote-delimited string (maximum 60 characters) |
| -cl | City or locality | Quote-delimited string (maximum 50 characters) |
| -on | Organization name | Quote-delimited string (maximum 60 characters) |
| -hn | BMC host name | String (maximum 60 characters) |

Optional options for generating a self-signed certificate or CSR
Note: Optional when generating a self-signed certificate or CSR.

| Option | Description | Values |
|--------|-------------|--------|
| -cp | Contact person | Quote-delimited string (maximum 60 characters) |
| -ea | Contact person email address | Valid email address (maximum 60 characters) |
| -ou | Organizational unit | Quote-delimited string (maximum 60 characters) |
| -s | Surname | Quote-delimited string (maximum 60 characters) |
| -gn | Given name | Quote-delimited string (maximum 60 characters) |
| -in | Initials | Quote-delimited string (maximum 20 characters) |
| -dq | Domain name qualifier | Quote-delimited string (maximum 60 characters) |

Optional options for generating a CSR
Note: Optional when generating a CSR.

| Option | Description | Values |
|--------|-------------|--------|
| -cpwd | Challenge password | String (minimum 6 characters, maximum 30 characters) |
| -un | Unstructured name | Quote-delimited string (maximum 60 characters) |

Examples:
system> sslcfg
-server enabled
-client disabled
-sysdir enabled
SSL Server Certificate status:
A self-signed certificate is installed
SSL Client Certificate status:
A self-signed certificate is installed
SSL Client Trusted Certificate status:
Trusted Certificate 1: Not available
Trusted Certificate 2: Not available
Trusted Certificate 3: Not available
Trusted Certificate 4: Not available

Client certificate examples:

  • To generate a CSR for a storage key, enter the following command:
    system> sslcfg -csr storekey -c US -sp NC -cl rtp -on LNV -hn XCC-5cf3fc -cp Contact -ea "" -ou ""
    ok
  • To download a certificate from the IMM to another server, enter the following command:
    system> sslcfg -csr storekey -dnld -i 192.168.70.230 -l storekey.csr
    ok
  • To upload the certificate processed by the Certificate Authority (CA), enter the following command:
    system> sslcfg -cert storekey -upld -i 192.168.70.230 -l tklm.der
  • To generate a self-signed certificate, enter the following command:
    system> sslcfg -cert storekey -c US -sp NC -cl rtp -on LNV -hn XCC-5cf3fc -cp Contact -ea "" -ou ""
    ok
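
The constraints in Table 1 can be checked before a command is sent to the management controller, for example from a provisioning script. The Python lint below is an added example, not part of the original page or of any vendor tooling; the names lint_sslcfg and SAMPLE are hypothetical, and it assumes the CLI tokenizes quote-delimited strings the way shlex does.

```python
import shlex

# Constraints transcribed from Table 1 on this page.
TARGETS = {"server", "client", "sysdir", "storekey"}
ALGOS = {"p256", "p384", "rsa2048", "rsa3072", "rsa4096"}
REQUIRED = ("-c", "-sp", "-cl", "-on", "-hn")
MAXLEN = {"-sp": 60, "-cl": 50, "-on": 60, "-hn": 60, "-cp": 60, "-ea": 60,
          "-ou": 60, "-s": 60, "-gn": 60, "-in": 20, "-dq": 60, "-un": 60}
NO_ARG = ("-dnld", "-upld")
# Constructed sample: 3-letter country, no -on, unlisted -algo value, short -cpwd.
SAMPLE = "sslcfg -csr server -c USA -sp NC -cl rtp -hn xcc -algo rsa1024 -cpwd abc"

def lint_sslcfg(line):
    """Return the problems found in one sslcfg command line (empty list = clean)."""
    try:
        words = shlex.split(line)          # honours quote-delimited strings
    except ValueError as exc:              # e.g. an unterminated quote
        return [f"cannot parse: {exc}"]
    if not words or words[0] != "sslcfg":
        return ["not an sslcfg command"]
    opts, it = {}, iter(words[1:])
    for name in it:                        # pair each option with its value
        opts[name] = "" if name in NO_ARG else next(it, None)
        if opts[name] is None:
            return [f"{name}: missing value"]
    out = []
    modes = [m for m in ("-cert", "-csr") if m in opts]
    out += [f"{m}: unknown target {opts[m]!r}" for m in modes if opts[m] not in TARGETS]
    transfer = [t for t in NO_ARG if t in opts]
    if transfer:                           # export/import: no subject fields needed
        if "-dnld" in opts and not modes:
            out.append("-dnld requires -cert or -csr")
        if "-upld" in opts and "-cert" not in opts:
            out.append("-upld requires -cert")
        out += [f"{transfer[0]} requires {o}" for o in ("-i", "-l") if o not in opts]
    elif modes:                            # generating a certificate or CSR
        out += [f"missing required {o}" for o in REQUIRED if o not in opts]
        if "-c" in opts and not (len(opts["-c"]) == 2 and opts["-c"].isalpha()):
            out.append("-c: country code must be 2 letters")
        if "-csr" not in opts:
            out += [f"{o}: listed for CSR generation only" for o in ("-cpwd", "-un") if o in opts]
    if opts.get("-algo", "p256") not in ALGOS:
        out.append(f"-algo: unsupported value {opts['-algo']!r}")
    if "-cpwd" in opts and not 6 <= len(opts["-cpwd"]) <= 30:
        out.append("-cpwd: length must be 6 to 30 characters")
    out += [f"{o}: longer than {n} characters" for o, n in MAXLEN.items()
            if len(opts.get(o) or "") > n]
    return out
```

Calling `lint_sslcfg(SAMPLE)` returns four findings, while the well-formed CSR, download and upload commands shown in the examples above return an empty list.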

SKLM Server certificate example:

  • To import the SKLM server certificate, enter the following command:
    system> storekeycfg -add -ip 192.168.70.200 -f tklm-server.der
    ok