Create a certificate for the Management Server using external certificate management

Create a certificate request for the Management Server, export and sign the certificate request using the external CA, then import the signed certificate for the Management Server.

Steps

  1. Log in to the command line or to the restricted shell on SMC.
  2. Create a certificate request for the Management Server.
    Enter the sgCertifyMgtSrv command when using the restricted shell:
    sg sgCertifyMgtSrv.sh mode=ext-pki-init dn=<Subject DN> dns=<SubjectAltName DNS> \
     key-size=<Key Size (Accepted values): 256, 384, 521> \
     csr-out=<output path to Certificate Request>
     
    Not on restricted shell, or non-appliance installation:
    sudo <installation directory>/bin/sgCertifyMgtSrv.sh mode=ext-pki-init dn=<Subject DN> \
    dns=<SubjectAltName DNS> key-size=<Key Size (Accepted values): 256, 384, 521> \
    csr-out=<output path to Certificate Request>
    Note: The value of the Subject Alternative Name (DNS) must be unique within the SMC and the external CA.
  3. Copy the certificate request file to a remote system using SCP.
  4. Sign the certificate request using the external CA.
  5. Copy the signed certificate to the SMC machine, for example, using SCP.
  6. Import the signed certificate for the Management Server.
    Enter the sgCertifyMgtSrv command when using the restricted shell:
    sg sgCertifyMgtSrv mode=ext-pki-import \
     crt-in=<path to signed certificate in PEM format> \
     ca-file=<path to CA file in PEM format>
    Not on restricted shell, or non-appliance installation:
    sudo <installation directory>/bin/sgCertifyMgtSrv.sh mode=ext-pki-import \
    crt-in=<path to signed certificate in PEM format> \
    ca-file=<path to CA file in PEM format>
    
  7. Start the Management Server.
    On restricted shell:
    daemon_ctl restart sgMgtServer
    Not on restricted shell:
    sudo daemon_ctl restart sgMgtServer
    On other platforms:
    sudo <installation directory>/bin/sgStartMgtSrv.sh
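
A check that can be run between steps 5 and 6, as an added example that is not part of the vendor documentation: it uses the standard openssl CLI to confirm that the signed certificate belongs to the exported request, chains to the CA file, and carries the requested SubjectAltName DNS. The function names, file names and the host name smc.example.test are constructed for the demo; the script does not call sgCertifyMgtSrv.

```shell
#!/bin/sh
# Added example (not vendor code): checks to run between steps 5 and 6.
# File names and smc.example.test are constructed placeholders.

# check_signed_cert <CSR> <signed cert, PEM> <CA file, PEM> <SAN DNS used in dns=>
check_signed_cert() {
    csr=$1 crt=$2 ca=$3 dns=$4
    # 1. The certificate must carry the public key from the CSR, otherwise the
    #    CA signed some other request.
    want=$(openssl req -in "$csr" -noout -pubkey 2>/dev/null) || { echo "unreadable CSR"; return 1; }
    got=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || { echo "unreadable certificate"; return 1; }
    [ "$want" = "$got" ] || { echo "public key does not match CSR"; return 1; }
    # 2. The certificate must chain to the file that will be given as ca-file.
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 || { echo "does not chain to CA file"; return 1; }
    # 3. The SubjectAltName must list the requested DNS name as a whole entry.
    openssl x509 -in "$crt" -noout -text | tr ',' '\n' | sed 's/^ *//;s/ *$//' |
        grep -Fxq "DNS:$dns" || { echo "SAN DNS missing"; return 1; }
    echo "ok"
}

# make_constructed_pki <dir>: throwaway CA, CSR and signed certificate for the demo.
make_constructed_pki() {
    d=$1
    printf '[req]\ndistinguished_name=dn\nx509_extensions=v3\n[dn]\n[v3]\nbasicConstraints=critical,CA:TRUE\n' >"$d/demo.cnf"
    printf 'subjectAltName=DNS:smc.example.test\n' >"$d/san.cnf"
    openssl ecparam -name prime256v1 -genkey -noout -out "$d/ca.key" 2>/dev/null
    openssl ecparam -name prime256v1 -genkey -noout -out "$d/mgt.key" 2>/dev/null
    openssl req -x509 -new -config "$d/demo.cnf" -key "$d/ca.key" \
        -subj "/CN=Constructed Test CA" -days 1 -out "$d/ca.pem" 2>/dev/null
    openssl req -new -config "$d/demo.cnf" -key "$d/mgt.key" \
        -subj "/CN=smc.example.test" -out "$d/mgt.csr" 2>/dev/null
    openssl x509 -req -in "$d/mgt.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" -CAcreateserial \
        -extfile "$d/san.cnf" -days 1 -out "$d/mgt.pem" 2>/dev/null
}

demo=$(mktemp -d)
make_constructed_pki "$demo"
check_signed_cert "$demo/mgt.csr" "$demo/mgt.pem" "$demo/ca.pem" smc.example.test
```

Against real files, call check_signed_cert with the path given to csr-out, the signed certificate, the CA file and the value given to dns=; any result other than ok is a reason to stop before running the import.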

Next steps

Create a certificate for the Log Server.