Create a certificate for the Management Server using external certificate management

Create a certificate request for the Management Server, export and sign the certificate request using the external CA, then import the signed certificate for the Management Server.

Steps

  1. Log in to the command line or to the restricted shell on SMC Appliance.
  2. Create a certificate request for the Management Server.
    Enter the sgCertifyMgtSrv command when using the restricted shell:
    sg sgCertifyMgtSrv.sh mode=ext-pki-init dn=<Subject DN> dns=<SubjectAltName DNS> \
     key-size=<Key Size (Accepted values): 256, 384, 521> \
     csr-out=<output path to Certificate Request>
     
    Not on restricted shell:
    sudo <installation directory>/bin/sgCertifyMgtSrv.sh mode=ext-pki-init dn=<Subject DN> \
    dns=<SubjectAltName DNS> key-size=<Key Size (Accepted values): 256, 384, 521> \
    csr-out=<output path to Certificate Request>
    Note: The value of the Subject Alternative Name (DNS) must be unique within the SMC and the external CA.
  3. Copy the certificate request file to a remote system using SCP.
  4. Sign the certificate request using the external CA.
  5. Copy the signed certificate to the SMC Appliance using SCP.
  6. Import the signed certificate for the Management Server.
    Enter the sgCertifyMgtSrv command when using the restricted shell:
    sg sgCertifyMgtSrv mode=ext-pki-import \
     crt-in=<path to signed certificate in PEM format>\
     ca-file=<path to CA file in PEM format>
    Not on restricted shell:
    sudo <installation directory>/bin/sgCertifyMgtSrv.sh mode=ext-pki-import \
    crt-in=<path to signed certificate in PEM format> \
    ca-file=<path to CA file in PEM format>
    
  7. Start the Management Server.
    On restricted shell:
    daemon_ctl restart sgMgtServer
    Not on restricted shell:
    sudo daemon_ctl restart sgMgtServer
    On other platforms:
    sudo <installation directory>/bin/sgStartMgtSrv.sh

Next steps

Create a certificate for the Log Server.