audit remotehost cert gen
Generates a private key and CSR or self-signed certificate.
NOTE This command is available using Luna Appliance Software 7.8.5 or newer.
CAUTION! The syslog remotehost cert gen command and the audit remotehost cert gen command affect the same certificate, in the same file system location within the Luna Network HSM 7 appliance. If either the admin user or the audit user makes a change to an existing certificate, it affects both:
- the encrypted remote logging of appliance events and
- the encrypted remote logging of cryptographic module events.
Before using the ...cert gen command, in either context (admin and syslog remotehost, or audit and audit remotehost) use the respective ...cert status command to see whether a shared certificate is already configured.
User Privileges
Only specialized Audit users can access audit commands.
Syntax
audit remotehost cert gen [<ipaddress>] [-startdate <startdate>] [-days <days>] [-country <iso_country_code>] [-state <name_of_state_province_region>] [-location <city_name>] [-organization <organization_legal_name>] [-orgunit <division_within_org>] [-email <contact_email_address>] [-san <SAN>] [-keysize <size>] [-keytype <key_type>] [-curve <curve_name>] [-csr] [-force]
Argument(s) | Shortcut | Description |
---|---|---|
<ipaddress> | | Generates a CSR, or the self-signed client certificate client_syslog.pem in the file-space of the user that generated the cert. Default: 1.2.3.4 |
-startdate <startdate> | -star | Certificate start date (not available with -csr) (0-99991231). |
-days <days> | -d | Certificate validity days (1-3653) |
-country <country code> | -co | The country in which your organization is located, entered as a two-letter ISO code. |
-state <State/Region/Province (full name)> | -stat | The state or region in which your organization is located. (Example: Québec) |
-location <city name> | -l | The city in which your organization is located. |
-organization | -orga | The full legal name of your organization, including suffixes such as LLC, Corp, etc. |
-orgunit | -orgu | The division in your organization that deals with this certificate. |
-email <contact_email_address> | -e | Email address used to contact the owner. |
-san <subject alternative name> | -sa | Subject alternative names to include in addition to the FQDN, if you intend to support other subdomains. |
-keysize <size> | -keys | RSA key size. Default: 2048 (choose among 2048, 3072, 4096) |
-keytype <keytype> | -keyt | Key type (ecc, rsa) |
-curve <curve_name> | -cu | Elliptic Curve name. Supported values: secp256k1, secp384r1, secp521r1, prime256v1. Default: secp384r1 |
-csr | -cs | Generate CSR - client certificate request file client_syslog_csr.csr in the file-space of the user that generated the cert request |
-force | -f | Deletes the installed certificate without warning the user if it already exists. |
An error is shown if CSR generation fails, or if certificate generation fails.
Disallowed option combinations
Do not include the -curve option if the -keytype is "rsa".
Do not include the -keysize option if the -keytype is "ecc".
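When cert gen is driven from automation, the documented ranges and disallowed combinations can be checked before the command reaches the appliance. The following is an added example, not Thales code: check_cert_gen and build_command are hypothetical helper names, and the refusal of values containing whitespace is an assumption made because this page does not describe lunash quoting.

```python
# Added example: pre-flight check for `audit remotehost cert gen` options.
# Limits are copied from the argument table and the disallowed combinations above.
import re

KEY_SIZES = {2048, 3072, 4096}
CURVES = {"secp256k1", "secp384r1", "secp521r1", "prime256v1"}
KEY_TYPES = {"ecc", "rsa"}

def check_cert_gen(opts):
    """Return a list of problems; an empty list means the options pass."""
    problems = []
    keytype = opts.get("keytype")
    if keytype is not None and keytype not in KEY_TYPES:
        problems.append("-keytype must be ecc or rsa")
    if "curve" in opts:
        if opts["curve"] not in CURVES:
            problems.append("-curve is not a supported curve")
        if keytype == "rsa":
            problems.append("-curve is not allowed with -keytype rsa")
    if "keysize" in opts:
        if opts["keysize"] not in KEY_SIZES:
            problems.append("-keysize must be 2048, 3072 or 4096")
        if keytype == "ecc":
            problems.append("-keysize is not allowed with -keytype ecc")
    if keytype is None and "curve" in opts and "keysize" in opts:
        # Whatever the default key type is, one of the two cannot apply.
        problems.append("-curve and -keysize cannot both apply to one key")
    if "days" in opts and not 1 <= opts["days"] <= 3653:
        problems.append("-days must be in 1-3653")
    if "country" in opts and not re.fullmatch(r"[A-Za-z]{2}", opts["country"]):
        problems.append("-country must be a two-letter ISO code")
    return problems

def build_command(ipaddress, opts, csr=False):
    """Build the lunash command line, refusing options that fail the check."""
    problems = check_cert_gen(opts)
    if problems:
        raise ValueError("; ".join(problems))
    parts = ["audit remotehost cert gen", ipaddress]
    if csr:
        parts.append("-csr")
    for name, value in opts.items():
        # Assumption: values with whitespace are refused (quoting not documented here).
        if re.search(r"\s", str(value)):
            raise ValueError(f"-{name}: value contains whitespace")
        parts.append(f"-{name} {value}")
    return " ".join(parts)
```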
Example
lunash:>audit remotehost cert gen 192.168.79.157 -csr -startdate 20230410 -days 10 -country CA -state ON -organization Thales -orgunit dis -location OT -email example@thales.com

Command Result : 0 (Success)