ToolsCenter Suite CLI manages Certificate Authority (CA) and Certificate Sign Request (CSR) files on IMM-based systems using the generate, import, export, and deletecert commands.
Before you can manage a certificate on IMM, complete these steps to ensure that the corresponding certificate server is disabled:
- Verify that the IMM HTTPS Server Configuration for web server is disabled using this command line entry:
  Onecli.exe config show IMM.SSL_Server_Enable
  Output generated:
  IMM.SSL_Server_Enable=Disabled
- If the server is enabled, disable IMM HTTPS Server Configuration for Web Server using this command line entry:
  Onecli.exe config set IMM.SSL_Server_Enable Disabled
  Output generated:
  IMM.SSL_Server_Enable=Disabled
  The IMM must be restarted before the selected value (enable / disable) takes effect. Use the command: onecli misc rebootimm.
- Before using SSL Client Certificate Management, disable SSL Client Configuration for the LDAP Client first:
  - Verify that the SSL Client Configuration for LDAP Client is disabled using this command line entry:
    Onecli.exe config show IMM.SSL_Client_Enable
    Output generated:
    IMM.SSL_Client_Enable=Disabled
  - If the server is enabled, disable the IMM SSL Client Configuration for LDAP using this command line entry:
    Onecli.exe config set IMM.SSL_Client_Enable Disabled
    Output generated:
    IMM.SSL_Client_Enable=Disabled
After completing the steps noted above, you can use ToolsCenter Suite CLI to manage certificates on IMM.
The following procedure provides an overview of how to use the ToolsCenter Suite CLI config application and commands to:
- View the current status of a certificate setting
- View the available commands for a setting
- Generate a Certificate Sign Request (CSR)
- Export a certificate sign request
- Generate a self-signed certificate
- Import a Certificate
- Delete a certificate
- To view the current status of a certificate setting, use this command line entry:
  Onecli.exe config show IMM.SSL_HTTPS_SERVER_CERT
  Output generated:
  IMM.SSL_HTTPS_SERVER_CERT=Private Key and CA-signed cert installed, Private Key stored, CSR available for download.
- To view the available commands for a certificate setting, use this command line entry:
  Onecli.exe config showvalues IMM.SSL_HTTPS_SERVER_CSR
  Output generated:
  IMM.SSL_HTTPS_SERVER_CSR=*generate=export
  IMM.SSL_HTTPS_SERVER_CSR is supported by the generate and export commands.
- To generate a Certificate Sign Request (CSR), use this command line entry:
  Onecli.exe config generate IMM.SSL_HTTPS_SERVER_CSR template.xml
  Output generated:
  Certificate was generated successfully!
  An xml file, such as template.xml, is required for the generate command and for all settings which support generate, except SSH_SERVER_KEY.
  For more information about the template.xml, see The template.xml file.
  A certificate sign request must be signed by an independent certificate authority to become a certificate. Alternatively, you can use the config application to generate a self-signed certificate.
- To generate a self-signed certificate, use this command line entry:
  Onecli config generate IMM.SSL_HTTPS_SERVER_CERT asu.xml
  Output generated:
  Certificate was generated successfully!
- To export a certificate sign request, use this command line entry:
  Onecli config export IMM.SSL_HTTPS_SERVER_CSR tmp_csr.der
  Output generated:
  Certificate was exported successfully!
  The tmp_csr.der file is saved in the current directory.
  You can export a certificate or a certificate sign request. If a certificate sign request is signed by an independent certificate authority, it is a CA-signed certificate.
- To import a certificate, first complete the export step for the certificate sign request, then have an independent certificate authority sign the request in the tmp_csr.der file.
  You can only import the CA-signed certificate (which differs from the self-signed certificate) into the HTTPS Server Certificate Management section.
  In the SSL Client Certificate Management section, the first two settings permit only CA-signed certificates to be imported:
  - SSL_LDAP_CLIENT_CERT
  - SSL_LDAP_CLIENT_CSR
  These settings permit both self-signed and CA-signed certificates to be imported:
  - SSL_CLIENT_TRUSTED_CERT1
  - SSL_CLIENT_TRUSTED_CERT2
  - SSL_CLIENT_TRUSTED_CERT3
  If a certificate already exists, it must be deleted before importing another certificate.
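The pre-flight checks and the CSR generate and export steps above, chained into one PowerShell script. This is an added example, not part of the original documentation; it assumes Onecli.exe is on the PATH, that template.xml is in the current directory, and that OneCLI returns a non-zero exit code on failure. The helper name Get-ImmSetting is hypothetical.

```powershell
# Added example: pre-flight for IMM certificate management, using only the
# OneCLI commands shown on this page.
# Assumptions: Onecli.exe is on PATH, template.xml is in the current
# directory, and OneCLI exits non-zero when a command fails.

function Get-ImmSetting([string]$Name) {
    # Hypothetical helper. OneCLI prints other lines as well, so keep only
    # the "<setting>=<value>" line and return the value part.
    $out = & Onecli.exe config show $Name | Out-String
    $m = [regex]::Match($out, "(?m)^\s*$([regex]::Escape($Name))=(.+?)\s*$")
    if (-not $m.Success) { throw "Could not read $Name from OneCLI output:`n$out" }
    return $m.Groups[1].Value
}

$changed = $false
foreach ($setting in 'IMM.SSL_Server_Enable', 'IMM.SSL_Client_Enable') {
    $value = Get-ImmSetting $setting
    Write-Host "$setting=$value"
    if ($value -ne 'Disabled') {
        & Onecli.exe config set $setting Disabled
        if ($LASTEXITCODE -ne 0) { throw "Failed to disable $setting" }
        $changed = $true
    }
}

if ($changed) {
    # A changed value only takes effect after the IMM has been restarted,
    # so stop here instead of generating a CSR against the old state.
    & Onecli.exe misc rebootimm
    Write-Host 'IMM restart requested. Re-run this script once the IMM is back.'
    exit 1
}

# Both settings report Disabled: generate the CSR and export it for signing.
& Onecli.exe config generate IMM.SSL_HTTPS_SERVER_CSR template.xml
if ($LASTEXITCODE -ne 0) { throw 'CSR generation failed' }
& Onecli.exe config export IMM.SSL_HTTPS_SERVER_CSR tmp_csr.der
if ($LASTEXITCODE -ne 0) { throw 'CSR export failed' }
if (-not (Test-Path .\tmp_csr.der)) { throw 'tmp_csr.der was not written' }
Write-Host 'tmp_csr.der is ready to be signed by the certificate authority.'
```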
For more detailed information about how to use the config applications and commands for certificate management, refer to the individual command topics in this section.