Sample commands for using ASU to manage certificates

This topic provides sample ASU commands for managing certificates, together with the responses they return.

Getting the current status of the certificate setting

To view the status of a particular certificate, use the asu show command.

At the command line, enter the following command:
asu show IMM.SSL_HTTPS_SERVER_CERT
The output is:
IMM.SSL_HTTPS_SERVER_CERT=Private Key and CA-signed cert installed, Private Key stored, CSR available for download.

Getting the available command for the setting

Get supported commands for the related certificate setting by either running the asu showvalues command or by consulting the table of supported commands in Features on Demand (FoD) configuration.

At the command line, enter:
asu showvalues IMM.SSL_HTTPS_SERVER_CSR
The output is:
IMM.SSL_HTTPS_SERVER_CSR=*generate=export

You can tell from the output that the generate and export commands are supported for the setting IMM.SSL_HTTPS_SERVER_CSR.

Generating a Certificate Sign Request (CSR)

Use the following command to generate a CSR.

At the command line, enter:
asu generate IMM.SSL_HTTPS_SERVER_CSR asu.xml
The output is:
Certificate was generated successfully!

An .xml file, like asu.xml in this command, is required in the generate command for all settings that support "generate," except SSH_SERVER_KEY. For instructions about creating this .xml file, refer to the generate command section.

A certificate sign request must be signed by an independent certificate authority to become a certificate.

Generating a self-signed certificate

You can also use the ASU to generate a self-signed certificate, which is one that is already signed.
At the command line, enter:
asu generate IMM.SSL_HTTPS_SERVER_CERT asu.xml
The output is:
Certificate was generated successfully!

Exporting a certificate sign request

At the command line, enter:
asu export IMM.SSL_HTTPS_SERVER_CSR asu_csr.der
The output is:
Certificate was exported successfully!

The asu_csr.der file is saved in the current directory.

You can export a certificate or a certificate sign request. Once a certificate sign request is signed by an independent certificate authority (CA), it becomes a CA-signed certificate.

Importing a certificate

After the export, you have the certificate sign request file asu_csr.der. You must have it signed by an independent certificate authority. You can import only the CA-signed certificate, which is different from a self-signed one, into HTTPS Server Certificate Management and Lenovo Systems Director over HTTPS Certificate Management.

The following two settings for SSL Client Certificate Management permit only CA-signed certificates to be imported:
  • SSL_LDAP_CLIENT_CERT
  • SSL_LDAP_CLIENT_CSR
The following three settings allow both self-signed and CA-signed certificates to be imported:
  • SSL_CLIENT_TRUSTED_CERT1
  • SSL_CLIENT_TRUSTED_CERT2
  • SSL_CLIENT_TRUSTED_CERT3

For settings SSL_CLIENT_TRUSTED_CERT1, SSL_CLIENT_TRUSTED_CERT2, and SSL_CLIENT_TRUSTED_CERT3, if the certificate already exists, you must delete it before importing the certificate.

At the command line, enter:
asu import IMM.SSL_HTTPS_SERVER_CERT asu_cert.der
The output is:
Certificate was imported successfully!
Note: asu_cert.der is a CA-signed certificate after asu_csr.der is signed using your own certificate authority.
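
The signing step between export and import happens outside ASU. The following is an added example, not part of the ASU documentation: it uses OpenSSL to sign the exported DER request and to check the result before import. The function names, the files ca.pem, ca.key and imm.key, the subject names, and the 365-day validity are assumptions.

```shell
#!/bin/sh
# Added example: sign an exported DER CSR with your CA and check the result
# before "asu import". Names other than asu_csr.der/asu_cert.der are assumptions.

# Constructed inputs: a throwaway CA plus a CSR standing in for the file
# that "asu export IMM.SSL_HTTPS_SERVER_CSR asu_csr.der" writes.
make_demo_inputs() {  # $1 = working directory
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Demo CA" -days 30 \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=imm.example.test" \
        -keyout "$1/imm.key" -outform DER -out "$1/asu_csr.der" 2>/dev/null
}

# Convert the DER CSR to PEM and sign it; the certificate is written as DER
# to match the .der file used in the import command.
# x509 -req refuses a CSR whose self-signature does not verify.
sign_csr() {  # $1 = DER CSR, $2 = CA cert (PEM), $3 = CA key (PEM), $4 = DER cert out
    pem=$(openssl req -inform DER -in "$1") || return 1
    printf '%s\n' "$pem" | openssl x509 -req -CA "$2" -CAkey "$3" \
        -CAcreateserial -sha256 -days 365 -outform DER -out "$4" 2>/dev/null
}

# Pre-import checks: the certificate must carry the CSR's public key
# (otherwise it cannot match the stored private key) and must chain to the CA.
check_cert() {  # $1 = DER CSR, $2 = DER cert, $3 = CA cert (PEM)
    csr_key=$(openssl req -inform DER -in "$1" -noout -pubkey) || return 1
    crt_key=$(openssl x509 -inform DER -in "$2" -noout -pubkey) || return 1
    [ "$csr_key" = "$crt_key" ] || { echo "public key mismatch" >&2; return 1; }
    openssl x509 -inform DER -in "$2" | openssl verify -CAfile "$3" >/dev/null 2>&1 ||
        { echo "certificate does not chain to the CA" >&2; return 1; }
}

# Demo run on the constructed inputs.
d=$(mktemp -d) && make_demo_inputs "$d" &&
sign_csr "$d/asu_csr.der" "$d/ca.pem" "$d/ca.key" "$d/asu_cert.der" &&
check_cert "$d/asu_csr.der" "$d/asu_cert.der" "$d/ca.pem" &&
echo "checks passed: $d/asu_cert.der"
```

On a real system, skip make_demo_inputs and pass the asu_csr.der written by asu export together with your CA's certificate and key.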

Deleting a certificate

In SSL Client Certificate Management, only three settings support the deletecert command:
  • SSL_CLIENT_TRUSTED_CERT1
  • SSL_CLIENT_TRUSTED_CERT2
  • SSL_CLIENT_TRUSTED_CERT3
At the command line, enter:
asu deletecert IMM.SSL_CLIENT_TRUSTED_CERT1
The output is:
Certificate was deleted successfully!