About Certificates
Certificates expire one year from the initial installation date and must be renewed before expiration. FMOS will send an expiration notification message 30 days prior to expiration.
The X.509 public key infrastructure (PKI) is used by a number of standard protocols for authentication and key exchange between participants in cryptographic communications. Specifically, FMOS supports X.509 PKI for TLS-based communication protocols like HTTPS, LDAP, and SMTP.
FMOS includes a managed certificate authority. This certificate authority is used to issue certificates for secure authentication and communication between members of a multi-server ecosystem. The certificate authority manager is included with fmos-util, which exposes a command-line interface with the fmos ca command.
FMOS supports integration with existing system infrastructure for various functions, such as authentication and security.
A PKI issues certificates, enforces certificate policies, and manages the certificate life cycle. The fmos pki command can be used to view and update the X.509 PKI configuration on machines running FMOS.
Command-Line Interface
- fmos ca init: Create CA hierarchy and private keys
- fmos ca sign: Sign a Certificate Signing Request (CSR)
- fmos ca backup: Back up CA database and keys
- fmos ca restore: Restore a CA backup
You can add the -h flag to list the actions available for the server and control panel (cpl) certificates. For example:
$ fmos pki -h
Action | Description |
---|---|
list-cas | Show trusted Certificate Authorities |
import-ca | Import a trusted CA certificate |
remove-ca | Remove a local CA from the trust store |
show-server-cert | Display server certificate information |
import-server-cert | Import a new server certificate |
export-server-cert | Export the server certificate/private key to a file |
show-cpl-cert | Display control panel certificate information |
import-cpl-cert | Import a new Server Control Panel certificate |
gen-csr | Generate a Certificate Signing Request for this machine |
You can add the -h flag to see what a command supports. For example:
$ fmos ca -h
Action | Description |
---|---|
init | Initialize Certificate Authority |
backup | Back up the CA store |
restore | Restore CA store from backup |
sign | Sign a certificate request |
export-ca-cert | Export the certificate for a CA |
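
The one-year lifetime and 30-day expiration notice described under About Certificates can also be verified independently of FMOS. The following is an added example, not part of the FMOS documentation or tooling: it assumes the certificate is available as a PEM file and that the openssl CLI is installed, and the function names are hypothetical.

```sh
#!/bin/sh
# Added example: independent renewal-window check for a PEM certificate.
# Assumptions (not from the FMOS documentation): the certificate is available
# as a PEM file and the openssl CLI is installed. Function names are
# hypothetical.

# renewal_status CERT_PEM [WINDOW_DAYS]
# Returns 0 = valid beyond the window, 1 = inside the renewal window,
#         2 = already expired, 3 = missing or unparsable file.
renewal_status() {
    local cert="$1" days="${2:-30}"
    # Reject anything openssl cannot parse as an X.509 certificate.
    openssl x509 -in "$cert" -noout >/dev/null 2>&1 || return 3
    # -checkend N exits 0 only if the certificate is still valid in N seconds.
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 || return 2
    openssl x509 -in "$cert" -noout -checkend "$((days * 86400))" \
        >/dev/null 2>&1 || return 1
    return 0
}

# make_test_cert OUT_PEM LIFETIME_DAYS
# Constructed self-signed sample certificate so the example runs offline.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
        -days "$2" -subj "/CN=fmos.example.test" >/dev/null 2>&1
}

demo() {
    local dir rc f
    dir=$(mktemp -d)
    make_test_cert "$dir/fresh.pem" 365   # one-year lifetime, as on this page
    make_test_cert "$dir/aging.pem" 10    # 10 days left: inside the window
    for f in fresh aging; do
        rc=0
        renewal_status "$dir/$f.pem" 30 || rc=$?
        echo "$f.pem: status $rc"
    done
    rm -rf "$dir"
}
demo
```

A non-zero status from a scheduled run of this check gives a second signal alongside the FMOS notification message, which is useful if that message is missed or filtered.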