Ensure the Certificate and Key are Installed
A certificate, key, and certificate signing request (CSR) are generated at system start from properties of the svc:/system/identity:cert service.
The generated certificate is self-signed and might fail validation. Users can follow the instructions from their browser to add an exception to accept this certificate.
To configure your own SSL certificate chain, see How to Deliver a Custom Certificate and Key.
The following command shows that the identity:cert service has a certificate property group, the certificate property group has ca and cert child property groups, and the cert property group has a private_key child property group.
$ svccfg -s identity:cert listprop certificate/*
certificate/generate                              boolean      false
certificate/ca                                    application
certificate/ca/pem_value                          astring      "pem_value"
certificate/ca/uri                                astring      /etc/certs/localhost/host-ca/hostca.crt
certificate/cert                                  application
certificate/cert/hash                             astring      sha256
certificate/cert/keylen                           integer      2048
certificate/cert/keytype                          astring      rsa
certificate/cert/lifetime                         astring      10-year
certificate/cert/pem_value                        astring      "pem_value"
certificate/cert/subject                          astring
certificate/cert/uri                              astring      /etc/certs/localhost/host.crt
certificate/cert/private_key                      application
certificate/cert/private_key/pem_value            astring      "pem_value"
certificate/cert/private_key/read_authorization   astring      solaris.smf.read.identity
certificate/cert/private_key/uri                  astring      /etc/certs/localhost/host.key
When the value of the certificate/generate property is true, the properties in the certificate/cert property group are used to set the certificate and CSR metadata. The default value of certificate/cert/subject is CN=fqdn.
A host CA is generated (certificate/ca), and the host certificate is signed by that host CA, which ensures that the services can come online initially. A CSR is also generated, which you can use to get a certificate signed by your own CA service and replace the generated certificate. The /etc/certs/localhost/host-ca/hostca.crt host CA certificate is linked into /etc/certs/CA so that it is trusted by at least local TLS clients.
The host and CA certificates get a randomly generated serial number.
The CA, certificate, and private key are stored in the pem_value properties and in the locations given by the uri properties. Do not modify the uri properties.
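The listprop output above is the natural place to audit the generated identity: key type and length, signature hash, whether the private key's pem_value is protected by a read authorization, and whether the uri properties still point somewhere. The following is an added example, not part of this page or of Oracle Solaris; it parses the svccfg listprop format (one property per line: name, type, optional value) and applies those checks. The sample text is constructed from the output shown above, and the threshold min_keylen and the accepted hash list are this example's own assumptions, not values the page specifies.

```python
"""Parse `svccfg -s identity:cert listprop certificate/*` output and audit it.

Added example (not Oracle's code). The property names come from the page;
the checks and thresholds below are this example's own assumptions.
"""
import sys

# Constructed sample: the listprop output shown on this page, one property per line.
SAMPLE_LISTPROP = """\
certificate/generate                             boolean   false
certificate/ca                                   application
certificate/ca/pem_value                         astring   "pem_value"
certificate/ca/uri                               astring   /etc/certs/localhost/host-ca/hostca.crt
certificate/cert                                 application
certificate/cert/hash                            astring   sha256
certificate/cert/keylen                          integer   2048
certificate/cert/keytype                         astring   rsa
certificate/cert/lifetime                        astring   10-year
certificate/cert/pem_value                       astring   "pem_value"
certificate/cert/subject                         astring
certificate/cert/uri                             astring   /etc/certs/localhost/host.crt
certificate/cert/private_key                     application
certificate/cert/private_key/pem_value           astring   "pem_value"
certificate/cert/private_key/read_authorization  astring   solaris.smf.read.identity
certificate/cert/private_key/uri                 astring   /etc/certs/localhost/host.key
"""


def parse_listprop(text):
    """Return {name: (type, value)}.

    value is None for property groups (type 'application') and for properties
    printed without a value, such as the empty certificate/cert/subject.
    boolean and integer values are converted; quoted astrings are unquoted.
    """
    props = {}
    for line in text.splitlines():
        parts = line.split(None, 2)  # name, type, rest-of-line value
        if not parts:
            continue
        name = parts[0]
        ptype = parts[1] if len(parts) > 1 else None
        value = parts[2].strip() if len(parts) > 2 else None
        if ptype == "boolean":
            value = value == "true"
        elif ptype == "integer":
            value = int(value)
        elif ptype == "astring" and value and len(value) >= 2 \
                and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        props[name] = (ptype, value)
    return props


# Assumed policy for this example; adjust to your own baseline.
ACCEPTED_HASHES = ("sha256", "sha384", "sha512")


def check_identity_cert(props, min_keylen=2048):
    """Return a list of findings; an empty list means nothing looked off."""
    findings = []

    def val(name):
        return props.get(name, (None, None))[1]

    keylen = val("certificate/cert/keylen")
    if val("certificate/cert/keytype") == "rsa" and isinstance(keylen, int) \
            and keylen < min_keylen:
        findings.append(f"RSA keylen {keylen} is below {min_keylen}")
    if val("certificate/cert/hash") not in ACCEPTED_HASHES:
        findings.append(f"signature hash {val('certificate/cert/hash')!r} not in accepted set")
    # The private key's pem_value is only as protected as its read_authorization.
    if not val("certificate/cert/private_key/read_authorization"):
        findings.append("private_key/read_authorization is empty: key pem_value readable without authorization")
    # The page says not to modify the uri properties; an empty one is a red flag.
    for name in ("certificate/ca/uri", "certificate/cert/uri",
                 "certificate/cert/private_key/uri"):
        if not val(name):
            findings.append(f"{name} is empty")
    return findings


if __name__ == "__main__":
    # On a Solaris host: svccfg -s identity:cert listprop certificate/* | python3 this.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LISTPROP
    for finding in check_identity_cert(parse_listprop(text)) or ["OK"]:
        print(finding)
```

Piping live svccfg output into the script lets you confirm, after delivering a custom certificate and key, that the key length, hash, and read authorization still meet your baseline and that none of the uri properties were emptied in the process.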