sysconf regenCert

Generate or regenerate the Luna Network HSM 7 server certificate used for NTLS and save it to the appliance file system. Include the -csr option if you plan to have the resulting certificate signed by a Certificate Authority (CA).

This command stores the resulting private and public keys on the file system (hard disk) inside the Luna Network HSM 7 appliance.

User Privileges

Users with the following privileges can perform this command:

>Admin

Syntax

sysconf regenCert [<IPaddress>] [-keytype <keytype>] [-keysize <keysize>] [-curve <curve>] [-csr] [-startdate <startdate>] [-days <days>] [-country <country>] [-state <state>] [-location <location>] [-organization <organization>] [-orgunit <unit>] [-email <email_address>] [-san <SAN>] [-force]

Argument(s) Shortcut Description
<IPaddress>  

Specifies the IP address to set as the CN of the server's NTLS certificate. If not specified, the CN will be the hostname of the Luna Network HSM 7 appliance, as specified by the network hostname command. See network hostname for more information.

-country <country> -co

The country where the client computer resides. This option accepts the following characters:

/0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ_abcdefghijklmnopqrstuvwxyz

-csr -cs

Create a Certificate Signing Request (CSR), a private key and unsigned client certificate. The certificate must be signed by a third party before being used to authenticate the Luna Network HSM 7.

NOTE   This option requires Luna Appliance Software 7.7.0 or newer.

-curve -cu

Elliptic Curve name (ECC only):

Options: secp256k1,secp384r1,secp521r1,prime256v1

Default: secp384r1)

NOTE   This option requires Luna Appliance Software 7.8.4 or newer.

-days <days> -d

Specifies the number of days for which the new certificate will remain valid, starting on <startdate>.

Range: 1-3653

Default: 3653 (10 years)

-email <email_address> -e

An email address to contact the certificate creator. This option accepts the following characters:

@.0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ_abcdefghijklmnopqrstuvwxyz

-force -f Force the action without prompting.
-keysize -keys

RSA key size (RSA only): options are 2048,3072,4096 (default is 2048)

NOTE   This option requires Luna Appliance Software 7.8.4 or newer.

-keytype -keyt

Key type: options are rsa, ecc, or ed25519 (default is RSA)

NOTE   This option requires Luna Appliance Software 7.8.4 or newer.

-location <location> -l

The locality where the client computer resides. This option accepts the following characters:

/0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ_abcdefghijklmnopqrstuvwxyz

-organization <organization> -orga

The name of the organization that owns the client computer. This option accepts the following characters:

/-.:0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ_abcdefghijklmnopqrstuvwxyz

-orgunit <unit> -orgu

The business unit or department that owns the client computer. This option accepts the following characters:

/0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ_abcdefghijklmnopqrstuvwxyz

-san <SAN> -sa

Subject Alternate Names (SAN) for this appliance. This field must be set if clients intend to use IP/hostname verification. Specify a list of comma-separated IPs and domains associated with the appliance. This option accepts the following characters:

:.,0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ_abcdefghijklmnopqrstuvwxyz

Example: -san IP:1.2.3.4,DNS:abc.com,...

-startdate <startdate> -s Specifies the starting date upon which the certificate becomes valid, in the format YYYYMMDD. The default is 24 hours ago, to eliminate possible time zone mismatch issues if you need the certificate to be valid immediately anywhere in the world.
-state <state> -stat

The state where the client computer resides. This option accepts the following characters:

/0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ_abcdefghijklmnopqrstuvwxyz

Example (prior to appliance software 7.8.4)

lunash:>sysconf regenCert


WARNING !!  This command will overwrite the current server certificate and private key.
            All clients will have to add this server again with this new certificate.
If you are sure that you wish to proceed, then type 'proceed', otherwise type 'quit'

> proceed
Proceeding...

'sysconf regenCert' successful. The NTLS, STC and CBS services must be (re)started before clients can connect.

Please use the 'ntls show' command to ensure that NTLS is bound to an appropriate network device or IP address/hostname
for the network device(s) NTLS should be active on. Use 'ntls bind' to change this binding if necessary.


Command Result : 0 (Success)

Example (7.8.4 and newer)

lunash:>sysconf regenCert -keytype rsa -keysize 3072


WARNING !!  This command will overwrite the current server certificate and private key.
            All clients will have to add this server again with this new certificate.
If you are sure that you wish to proceed, then type 'proceed', otherwise type 'quit'

> proceed
Proceeding...

'sysconf regenCert' successful. The NTLS, STC and CBS services must be (re)started before clients can connect.
                                WARNING: for -csr option, please install the signed cert before restarting NTLS

Please use the 'ntls show' command to ensure that NTLS is bound to an appropriate network device or IP address/hostname
for the network device(s) NTLS should be active on. Use 'ntls bind' to change this binding if necessary.


Command Result : 0 (Success)