Examples
The following example shows how to clear out old certificates from the /opt/cmx/srv/certs directory.
[root@server]# cmxctl config certs clear
Clear Certificates
The following example shows how to select key type ECDSA:
[root@server]# cmxctl config certs keytype
Please enter key type [RSA / ECDSA] [RSA]:ECDSA
Keytype is set to ECDSA.
The following example shows how to generate new self-signed certificate files in the /opt/cmx/srv/certs directory using an RSA key:
[root@server]# cmxctl config certs installnewcerts
Keytype is RSA, generating RSA key with length 4096
Generating RSA private key, 4096 bit long modulus
.......................
...............................
e is 65537 (0x10001)
Generating RSA private key, 4096 bit long modulus
..............................................
..........................
e is 65537 (0x10001)
Signature ok
subject=/C=US/ST=CA/L=San Jose/O=MSE/CN=ServerCrt
Getting CA Private Key
Certificates are valid.
The following example shows how to create a new certificate signing request (CSR):
[root@server]# cmxctl config certs createcsr
Keytype is RSA, so generating RSA key with length 4096
Generating RSA private key, 4096 bit long modulus
...........
........
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]: US
State or Province Name (full name) [Some-State]: CA
Locality Name (eg, city) []: San Jose
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Yourco, Inc.
Organizational Unit Name (eg, section) []: Gulag 10
Common Name (e.g. server FQDN or YOUR name) []: Wireless
Email Address []:email@yourco.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
The CSR is in: /opt/cmx/srv/certs
The Private key is in: /opt/cmx/srv/certs
CSR created successfully.
Sometimes two or more files need to be combined (or concatenated) before you can import the resulting file. For example, you may have intermediate CA certificates as well as root certs.
This example shows how to concatenate the files root-ca-cert.pem and intermediate-ca-cert.pem, and import the resulting file to CMX.
- Concatenate the files:
[root@server]# cat root-ca-cert.pem intermediate-ca-cert.pem > ca-chain.pem
- Import the new file ca-chain.pem:
[root@server]# cmxctl config certs importcacerts ca-chain.pem
Importing CA certificate.....
Enter Export Password: caexportpw
Verifying - Enter Export Password: caexportpw
Enter Import Password: caimportpw
Import CA Certificate successful
0
The importservercert command requires you to combine the server key and the server certificate into one PEM file. The following example shows how to combine the files and import the resulting file.
Note: Import CA chain certificates before importing the server certificate.
- Concatenate the files:
[root@server]# cat cmxserverkey.pem signed-cert.pem > server-key-cert.pem
- Import the new file server-key-cert.pem:
[root@server]# cmxctl config certs importservercerts server-key-cert.pem
Importing Server certificate.....
Successfully transferred the file
At the prompts, provide an export and import password specific to this command.
Enter Export Password: svrexportpw
Verifying - Enter Export Password: svrexportpw
Enter Import Password: svrimportpw
Private key present in the file: /home/cmxadmin/server-key-cert.pem
Enter Import Password: svrimportpw
verifying SAN
Validation is Successful
Import Server Certificate successful
No CRL found
Restart CMX services for the changes to take effect.
0
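The two concatenated files built above (ca-chain.pem and server-key-cert.pem) can be checked before they are imported. The following is an added example, not part of the original documentation: check_cmx_bundle is a hypothetical helper, it assumes the openssl CLI and an unencrypted private key, and it confirms that the key matches the certificate and that the certificate chains to the CA file.

```bash
#!/usr/bin/env bash
# Added example: check_cmx_bundle is a hypothetical helper, not a cmxctl command.
# Assumes the openssl CLI (1.1.0 or later) and an unencrypted server private key.

fail() { echo "FAIL: $*" >&2; return 1; }

check_cmx_bundle() {
    local ca_chain=$1 server_bundle=$2
    local n_ca n_key n_cert key_pub cert_pub leaf rc=0

    # Count PEM blocks so an empty or incomplete concatenation is caught early.
    n_ca=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$ca_chain" 2>/dev/null) || true
    n_key=$(grep -c -e '-----BEGIN .*PRIVATE KEY-----' "$server_bundle" 2>/dev/null) || true
    n_cert=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$server_bundle" 2>/dev/null) || true
    [ "${n_ca:-0}" -ge 1 ]   || { fail "no CA certificate in $ca_chain"; return 1; }
    [ "${n_key:-0}" -eq 1 ]  || { fail "expected exactly one private key in $server_bundle"; return 1; }
    [ "${n_cert:-0}" -ge 1 ] || { fail "no certificate in $server_bundle"; return 1; }

    # The private key and the certificate must carry the same public key.
    key_pub=$(openssl pkey -in "$server_bundle" -passin pass: -pubout 2>/dev/null) \
        || { fail "cannot read private key (encrypted or malformed?)"; return 1; }
    cert_pub=$(openssl x509 -in "$server_bundle" -noout -pubkey 2>/dev/null) \
        || { fail "cannot read certificate"; return 1; }
    [ "$key_pub" = "$cert_pub" ] || { fail "private key does not match certificate"; return 1; }

    # The server certificate must chain to the CA file; -no-CApath stops OpenSSL
    # from also consulting the default certificate directory.
    leaf=$(mktemp) || return 1
    openssl x509 -in "$server_bundle" -out "$leaf" 2>/dev/null
    openssl verify -no-CApath -CAfile "$ca_chain" "$leaf" >/dev/null 2>&1 \
        || { fail "server certificate does not chain to $ca_chain"; rc=1; }
    rm -f "$leaf"
    [ "$rc" -ne 0 ] || echo "OK: $n_ca CA cert(s), key matches certificate, chain verifies"
    return "$rc"
}

# Run only when both file names are given, e.g. ca-chain.pem server-key-cert.pem
if [ "$#" -eq 2 ]; then check_cmx_bundle "$1" "$2"; fi
```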
The following example shows how to display the details of the server certificate and all CA chain certificates:
[root@server]# cmxctl config certs show
Certificate details
************************* Certificate Listing ********************
====================================================================
*********************** CA Certificate(s) ************************
====================================================================
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
b6:c0:fc:05:f6:27:45:1a
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, ST=CA, L=San Jose, O=MSE, CN=RootCA
Validity
Not Before: Jan 19 05:17:33 2018 GMT
Not After : Jan 18 05:17:33 2021 GMT
Subject: C=US, ST=CA, L=San Jose, O=MSE, CN=RootCA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus: