Ensure the Certificate and Key are Installed

A certificate, key, and certificate signing request (CSR) are generated at system start from properties of the svc:/system/identity:cert service.

The generated certificate is self-signed and might fail validation. Users can follow the instructions from their browser to add an exception to accept this certificate.

To configure your own SSL certificate chain, see How to Deliver a Custom Certificate and Key.

The following command shows that the identity:cert service has a certificate property group, the certificate property group has ca and cert child property groups, and the cert property group has a private_key child property group.

$ svccfg -s identity:cert listprop certificate/*
certificate/generate                            boolean     false
certificate/ca                                  application
certificate/ca/pem_value                        astring     "pem_value"
certificate/ca/uri                              astring     /etc/certs/localhost/host-ca/hostca.crt
certificate/cert                                application
certificate/cert/hash                           astring     sha256
certificate/cert/keylen                         integer     2048
certificate/cert/keytype                        astring     rsa
certificate/cert/lifetime                       astring     10-year
certificate/cert/pem_value                      astring     "pem_value"
certificate/cert/subject                        astring
certificate/cert/uri                            astring     /etc/certs/localhost/host.crt
certificate/cert/private_key                    application
certificate/cert/private_key/pem_value          astring     "pem_value"
certificate/cert/private_key/read_authorization astring     solaris.smf.read.identity
certificate/cert/private_key/uri                astring     /etc/certs/localhost/host.key

When the value of the certificate/generate property is true, the properties in the certificate/cert property group are used to set the certificate and CSR metadata. The default value of certificate/cert/subject is CN=fqdn.

A host CA is generated (certificate/ca), and the host certificate is signed by that host CA, which ensures that the services can come online initially. A CSR is also generated, which you can use to get a certificate signed by your own CA service and replace the generated certificate. The /etc/certs/localhost/host-ca/hostca.crt host CA certificate is linked into /etc/certs/CA so that it is trusted by at least local TLS clients. The host and CA certificates get a randomly generated serial number.

The CA, certificate, and private key are stored in the pem_value properties and in the locations given by the uri properties. Do not modify the uri properties.
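As an added example (not from the Oracle documentation), the following Python parses listprop output of the form shown above and checks that the ca, cert and private_key property groups exist, that the uri properties still hold the documented locations, that the private key is read-protected by solaris.smf.read.identity, and that the key and hash parameters match the listing. The sample text is an abridged copy of the page's listing, and the check names are assumptions of this example.

```python
# Added example, not from the original page: parse `svccfg ... listprop` output
# and check that the CA, certificate and key are configured as the page describes.
# Constructed sample: an abridged copy of the page's listing.
SAMPLE_LISTPROP = """\
certificate/ca                                  application
certificate/ca/uri                              astring     /etc/certs/localhost/host-ca/hostca.crt
certificate/cert                                application
certificate/cert/hash                           astring     sha256
certificate/cert/keylen                         integer     2048
certificate/cert/keytype                        astring     rsa
certificate/cert/subject                        astring
certificate/cert/uri                            astring     /etc/certs/localhost/host.crt
certificate/cert/private_key                    application
certificate/cert/private_key/read_authorization astring     solaris.smf.read.identity
certificate/cert/private_key/uri                astring     /etc/certs/localhost/host.key
"""

def parse_listprop(text):
    """Return (property_groups, {property: (type, value)}).  Type `application`
    marks a property group; a missing value (cert/subject above) becomes ""."""
    groups, props = set(), {}
    for line in text.splitlines():
        parts = line.split(None, 2)          # name, type, optional value
        if len(parts) < 2:
            continue
        value = parts[2].strip().strip('"') if len(parts) == 3 else ""
        if parts[1] == "application":
            groups.add(parts[0])
        else:
            props[parts[0]] = (parts[1], value)
    return groups, props

def failed_checks(text):
    """Names of the checks the configuration fails; [] means all passed."""
    groups, props = parse_listprop(text)
    val = lambda name: props.get(name, ("", ""))[1]
    keylen = val("certificate/cert/keylen")
    checks = {
        "property_groups": {"certificate/ca", "certificate/cert",
                            "certificate/cert/private_key"} <= groups,
        "default_uris": val("certificate/ca/uri") == "/etc/certs/localhost/host-ca/hostca.crt"
            and val("certificate/cert/uri") == "/etc/certs/localhost/host.crt"
            and val("certificate/cert/private_key/uri") == "/etc/certs/localhost/host.key",
        "key_read_restricted": val("certificate/cert/private_key/read_authorization")
            == "solaris.smf.read.identity",
        "rsa_2048_or_longer": val("certificate/cert/keytype") == "rsa"
            and keylen.isdigit() and int(keylen) >= 2048,
        "sha256_hash": val("certificate/cert/hash") == "sha256",
    }
    return [name for name, ok in checks.items() if not ok]
```

On a live system, feed the real output of `svccfg -s identity:cert listprop certificate/*` to failed_checks instead of the constructed sample.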