This portal is to open public enhancement requests against IBM Power Systems products, including IBM i. To view all of your ideas submitted to IBM, create and manage groups of Ideas, or create an idea explicitly set to be either visible by all (public) or visible only to you and IBM (private), use the IBM Unified Ideas Portal (https://ideas.ibm.com).
Hi Larry,
Please find below some more details on applying wildcard certificate for HMC. Hope this helps. Marking the RFE as delivered as the function is already available in HMC.
A) Generate a certificate signing request (CSR) and ensure you mention the wildcard in the CN parameter. All the HMCs where you want to apply the wildcard certificate should be in the same domain network. You can generate the CSR from the UI of one of your HMC machines, where you enter the Common Name (CN) as "*domain name" while submitting the certificate signing request (CSR) form. Fill in the other parameters as usual.
B) Now pass the certificate signing request (CSR) to a CA that is capable of generating the wildcard certificate in x509 format.
Check if the CA can provide the JKS file (Java supported) with the password for the file. Otherwise, you can convert the certificate to JKS using the keytool command:
keytool -importcert -alias alias_name -file path_to_certificate_file -keystore truststore_file -storepass {password}
e.g.: keytool -importcert -file /path/to/your/certificate.crt -alias hmcserver -keystore /path/to/your/truststore.jks -storepass repoPassword
C) Importing the certificate or JKS, once the certificate is approved/received.
From the machine where the CSR was generated, you can import the certificate file in the supported X509 format as mentioned here.
1) https://www.ibm.com/support/pages/hmc-certificate-signing
2) https://www.ibm.com/support/pages/creating-and-signing-certificates-hmc-classic-and-enhanced-gui
Now, assuming you have got the JKS file from the CA, or you have converted the certificate file to JKS and have the password handy, you can import this file to all other HMCs in the same network which have the same domain to apply the wildcard certificate.
Steps
a) Browse to Users and Security > Systems and Console Security. Click Manage Certificates.
b) On the pop-up window, select Advanced > Import Repository.
c) Import the JKS file and enter the password for that repository file.
d) The system will ask for a reboot to successfully apply the wildcard server certificate.
OK I'm not a rocket scientist so maybe I'm missing something but the comment "you can create your own repository" is approximately equal to my wife telling me "you can simply sew your own suit coat, both my sewing machines and my serger are in my sewing room." Yep I know what is a repository approximately. But no matter how much I tried to do that with the google and the hooya and the youtube where everyone uses phrases like "use program x to import your certificate" as if I do that as frequently as I refill my coffee cup! Remember that a lot of these HMCs support IBM i which has "Digital Certificate Manager" not a command line set up.
So while I'm not against the import option, it has no value if there is not a set of instructions on how to create this repository. Even better would be "How to use IBM's Digital Certificate Manager to create an HMC certificate repository" as I suspect the AIX folks know what is "program x."
Thank you.
Hi,
HMC has an option "Import Repository" (located at Manage Certificates > Advanced > Import Repository). You can create a wildcard certificate and then make a JKS or a PKCS12 (we only support these two in HMC) from that wildcard cert using your own private key. You will be able to upload that JKS or PKCS12 repository to any HMC using "Import Repository" without needing to create a CSR.
Please let us know if this addresses your requirement.
Thanks.
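One way to build the PKCS12 repository described in the reply above (a wildcard certificate bundled with your own private key), using the openssl command-line tool. This is an added example, not IBM's documented procedure; the domain, file names, alias and password are constructed placeholders, and the self-signing step only stands in for the CA so the script runs offline.

```shell
# Added example. Requires the openssl command-line tool.
build_wildcard_p12() (
  # usage: build_wildcard_p12 <domain> <output-dir> <p12-password>
  set -eu
  domain=$1 out=$2
  export P12_PASS=$3             # passed via env: so it is not in openssl's argv
  umask 077                      # key, CSR and .p12 readable by owner only
  mkdir -p "$out"

  # 1. Private key: generated here, it is never sent to the CA.
  openssl genrsa -out "$out/wildcard.key" 2048 2>/dev/null

  # 2. CSR with the wildcard in both CN and subjectAltName.
  cat > "$out/req.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = san
[dn]
CN = *.$domain
[san]
subjectAltName = DNS:*.$domain
EOF
  openssl req -new -key "$out/wildcard.key" -config "$out/req.cnf" \
    -out "$out/wildcard.csr"

  # 3. STAND-IN for the CA: self-sign so the example runs offline.
  #    In practice, send wildcard.csr to the CA and save its reply as wildcard.crt.
  openssl x509 -req -in "$out/wildcard.csr" -signkey "$out/wildcard.key" \
    -days 30 -extfile "$out/req.cnf" -extensions san \
    -out "$out/wildcard.crt" 2>/dev/null

  # 4. Refuse to bundle a certificate that does not belong to this key.
  crt_pub=$(openssl x509 -in "$out/wildcard.crt" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "$out/wildcard.key" -pubout | openssl sha256)
  [ "$crt_pub" = "$key_pub" ] || { echo "certificate/key mismatch" >&2; exit 1; }

  # 5. Bundle key + certificate into one password-protected PKCS12 file.
  openssl pkcs12 -export -name hmcserver -inkey "$out/wildcard.key" \
    -in "$out/wildcard.crt" -passout env:P12_PASS -out "$out/wildcard.p12"

  # 6. Read the file back and print the subject it will present.
  openssl pkcs12 -in "$out/wildcard.p12" -passin env:P12_PASS -nokeys 2>/dev/null |
    openssl x509 -noout -subject
)
```

The resulting wildcard.p12 contains the private key, so treat it and its password like the key itself when copying it between consoles, and delete the working directory afterwards.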