How to Deliver a Custom Certificate and Key

Use this procedure to replace the generated self-signed certificate configuration with your own properly signed certificate from a certificate authority (CA).

The certificate and key are single PEM-encoded X.509 strings. The specified certificate and key are installed during system installation or sysconfig when the value of the certificate/generate property is false.

Follow this procedure carefully, noting the following cautions:

  • Modifying any of the uri property values will cause the system to fail.

  • Setting only the certificate pem_value or only the key pem_value, but not both, will cause the system to fail.

  • Setting both the certificate pem_value and the key pem_value when the value of the certificate/generate property is true will cause the system to fail.

  1. Verify that the value of the certificate/generate property is false.
    $ svcprop -p certificate/generate identity:cert
    true

    If necessary, set the value to false:

    $ svccfg -s identity:cert
    svc:/system/identity:cert> setprop certificate/generate=false
    certificate/generate boolean     false
  2. Set the certificate PEM string.
    svc:/system/identity:cert> setprop certificate/cert/pem_value = astring: \
    "$(cat /path/to/signed/certificate.crt )"
  3. Set the key PEM string.
    svc:/system/identity:cert> setprop certificate/cert/private_key/pem_value = astring: \
    "$(cat /path/to/signed/certificate.key )"
  4. Set the CA PEM string.
    svc:/system/identity:cert> setprop certificate/ca/pem_value = astring: \
    "$(cat /path/to/issuer/certificate.crt )"
  5. Refresh the service.
    svc:/system/identity:cert> refresh
    svc:/system/identity:cert> exit
  6. Restart the service.
    $ svcadm restart -sr svc:/system/identity:cert

    Because of SMF dependencies, restarting the svc:/system/identity:cert service causes the svc:/system/webui/server service to be restarted also.
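
A pre-flight check that can be run before steps 2 through 4, given here as an added example and not part of the original procedure: it confirms that the certificate, key, and issuer files parse as PEM, that the key belongs to the certificate, and that the certificate verifies against the issuer. It assumes the openssl command is installed; the function name check_cert_bundle and its return codes are made up for this example.

```shell
#!/bin/sh
# Added example: pre-flight checks for the PEM files used in steps 2-4.
# Assumption: the openssl CLI is installed. check_cert_bundle and its
# return codes are hypothetical names chosen for this example.

# check_cert_bundle CERT KEY ISSUER
# Returns 0 only if the three files are usable together.
check_cert_bundle() {
    cert=$1 key=$2 ca=$3

    for f in "$cert" "$key" "$ca"; do
        [ -r "$f" ] || { echo "cannot read $f" >&2; return 2; }
    done

    # Each certificate file must parse as a PEM X.509 certificate.
    for f in "$cert" "$ca"; do
        openssl x509 -in "$f" -noout 2>/dev/null ||
            { echo "not a PEM X.509 certificate: $f" >&2; return 3; }
    done

    # The key must parse without a passphrase; "-passin pass:" keeps
    # openssl from prompting when the key is encrypted.
    openssl pkey -in "$key" -passin pass: -noout 2>/dev/null ||
        { echo "not an unencrypted PEM private key: $key" >&2; return 4; }

    # The public key in the certificate must equal the one derived
    # from the private key.
    c=$(openssl x509 -in "$cert" -noout -pubkey | openssl dgst -sha256)
    k=$(openssl pkey -in "$key" -passin pass: -pubout | openssl dgst -sha256)
    [ "$c" = "$k" ] ||
        { echo "private key does not match certificate" >&2; return 5; }

    # The certificate must verify (signature and validity dates) against
    # the issuer. -partial_chain accepts an intermediate CA as the anchor.
    openssl verify -partial_chain -CAfile "$ca" "$cert" >/dev/null 2>&1 ||
        { echo "certificate does not verify against issuer" >&2; return 6; }

    return 0
}

# Run the check when called with the three file paths as arguments.
if [ "$#" -eq 3 ]; then
    check_cert_bundle "$@"
fi
```

A nonzero return code identifies which check failed, so the svccfg properties can be left untouched until the files are corrected.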