asc certs

Use this command to manage X.509 and CA certificates.

Syntax

asc certs [options]

Options

-a, --authority

Use this option when performing operations on a certificate authority (CA) certificate set.

-b or --bulkimport

Perform bulk import of certificates from hosts into the database.

The following options are available for this command:

  • -f or --bulkfile—Specifies the bulk input file for the --bulkimport option.
  • --bulkchain—Walk the certificate chain when using --bulkimport.
  • -y or --yes—Do not prompt for a response. Currently used when performing --bulkimport.

Note: This command imports vCenter and ESXi host certificates, not PCS certificates.

-c, --cert [file]

The fully qualified certificate target file path. The contents of this file are overwritten.

Specifying the -s option defines the certificate file location automatically.

--cabundle

By default, CloudControl contains a bundle of certificates, but they are not imported. Use this command if you want to import the certificate bundle.

The following options are available for this command:

  • enable—Imports the certificate bundle into your installation.
  • refresh—Refreshes the existing certificate bundle.
  • disable—Removes the certificate bundle from your installation.

-d, --delete <service>

Delete the specified CA certificate by service name.

Implies --authority.

--fipsmodeon

Enables FIPS mode.

--fipsmodeoff

Disables FIPS mode.

-g, --genselfsigned [file]

Generate a self-signed certificate using a local key.

This option accepts a temporary fully qualified filename as an argument, with certificate data as contents. See the -q or --csr help text for the file content syntax.

-h, --help

Display usage text.

-i, --import <file>

Validate and install a certificate issued by a CA. Requires a temporary fully qualified filename as an argument. The temporary file contains the certificate as issued by the certificate authority.

The -s option is also required.

-k, --key [file]

The fully qualified key target file path. The contents of this file are overwritten.

Specifying the -s option defines the key file location automatically.

-l, --list

Lists the certificates installed locally and descriptions of each.

List output is one certificate per line, with values separated by a double underscore (__).

The format is as follows:

svc__t__cn__o__l__st__c__ou__exp__isd__s__icn__io__iou__v

Where:

  • svc—Service name. Valid values are gui, sso_signing, or sso_encryption.
  • t—Type. Valid values are ss (self-signed) or ext (external).
  • cn—Common name
  • o—Organization
  • l—Locality
  • st—State/region
  • c—Country code
  • ou—Organizational unit
  • exp—Expiration date stamp, or the duration in days for CSR/self-signed generation
  • isd—Issued date stamp
  • s—Serial number (real certs only)
  • v—TLS version
  • icn—Issuer's common name
  • io—Issuer's organization
  • iou—Issuer's organizational unit
  • key—Key length in bits
  • dns—DNS Subject Alternative Name fields (comma separated)
  • ips—IP Subject Alternative Name fields (comma separated)
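As an added illustration (not part of the original reference), the following parser reads lines in the --list output format above and flags self-signed or soon-to-expire service certificates, which is the check an operator would run after `asc certs -l`. The field order follows the format string shown above; the date-stamp layout (YYYY-MM-DD), the 30-day warning window, and the sample lines are assumptions.

```python
from datetime import timedelta, date

# Field order as given by the --list format string on this page.
FIELDS = ["svc", "t", "cn", "o", "l", "st", "c", "ou", "exp", "isd",
          "s", "icn", "io", "iou", "v"]
SEP = "__"  # double underscore field separator


def parse_list_line(line):
    """Split one `asc certs -l` output line into a dict keyed by FIELDS."""
    parts = line.rstrip("\n").split(SEP)
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    return dict(zip(FIELDS, parts))


def parse_stamp(text):
    # ASSUMPTION: date stamps are YYYY-MM-DD; the page does not state the layout.
    y, m, d = (int(x) for x in text.split("-"))
    return date(y, m, d)


def review_certs(lines, today, warn_days=30):
    """Return (service, reason) pairs for certificates that need attention."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_list_line(line)
        if rec["t"] == "ss":  # self-signed certificates should be replaced
            findings.append((rec["svc"], "self-signed certificate in use"))
        exp = parse_stamp(rec["exp"])
        if exp < today:
            findings.append((rec["svc"], f"expired on {exp}"))
        elif exp - today <= timedelta(days=warn_days):
            findings.append((rec["svc"], f"expires in {(exp - today).days} days"))
    return findings


# Constructed sample output; not captured from a real appliance.
# The self-signed entry has an empty serial field (serials are real certs only).
SAMPLE = """\
gui__ext__cc.example.test__Example Corp__Austin__TX__US__IT__2025-01-15__2024-01-15__1A2B3C__Example Issuing CA__Example Corp__PKI__TLSv1.2
sso_signing__ss__cc.example.test__Example Corp__Austin__TX__US__IT__2026-06-01__2024-06-01____cc.example.test__Example Corp__IT__TLSv1.2
"""


def demo_findings(today_iso="2025-01-01"):
    return review_certs(SAMPLE.splitlines(), parse_stamp(today_iso))


if __name__ == "__main__":
    for svc, why in demo_findings():
        print(f"{svc}: {why}")
```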

-q, --csr

Generate a certificate request using a local key. This option accepts a temporary fully qualified filename as an argument, with certificate data as contents. One entry per line, prefixed by a two-character certificate datatype identifier.

Sample temporary file contents (field separator is '__'):

svc__t__cn__o__l__st__c__ou__exp__isd__s__v__icn__io__iou__key__dns__ips

Where:

  • svc—Service name. Valid values are:
    • gui—CloudControl Management Console
    • sso_signing—CloudControl
  • cn—Common name
  • o—Organization
  • l—Locality
  • st—State/region
  • c—Country code
  • ou—Organizational unit
  • exp—Expiration date stamp, or the duration in days for CSR/self-signed generation
  • dns—DNS Subject Alternative Name fields (comma separated)
  • ips—IP Subject Alternative Name fields (comma separated)

-r, --random <length>

Generate a random string of the specified length.

--rotate

Perform password rotation for the secure keystore.

Note: This will restart CloudControl.

--sandns

Returns a list of DNS entries of the CloudControl appliance and protected resources to be added as SAN entries to certificates and certificate requests.

--sanips

Returns a list of IP addresses of the CloudControl appliance and protected resources to be added as SAN entries to certificates and certificate requests.

-s, --service

The service to apply the certificate to. Valid values are:

  • gui—CloudControl Management Console
  • log—CloudControl Logging Service

-t, --csrtool

Runs the CSR tool, which allows the user to generate a CSR with SAN entries.

-v, --verbose

Enable verbose output.

-vv

Enable debug output.

Examples

Import all certificates from CloudControl-protected hosts: 

asc certs -b -y

List all certificates installed:

asc certs -l

List all certificate authority (CA) certificates:

asc certs -l -a

Validate and install a certificate for the CloudControl Management Console service:

asc certs -s gui --import /tmp/newCert.pem

Export the current key and certificate to files:

asc certs -k /foo/mykey.pem -c /foo/ssCert.pem

Delete the ca0025 service certificate authority certificate:

asc certs -a -d ca0025

Generate a 32 character random string:

asc certs -r 32

Import the bundle of certificates:

asc certs --cabundle enable

Import the SSO signing keys: 

asc certs -i /usr/local/asc/etc/ssosigncert.pem -s sso_signing

Enable FIPS mode: 

asc certs --fipsmodeon

Discover the DNS entries that can be added as SAN entries: 

asc certs --sandns

Discover the IP addresses that can be added as SAN entries:

asc certs --sanips