sslcfg command

This command sets and displays the Secure Sockets Layer (SSL) status of the CMM.

Note:
  • When the CMM is set to "Secure" security mode, only secure file transfer methods, such as HTTPS and SFTP, can be used for tasks involving file transfer when the CMM is acting as a server. Unsecure file transfer protocols, such as HTTP, FTP, and TFTP, are disabled when the CMM is acting as a server when the security mode is set to "Secure". Unsecure file transfer protocols remain available for a CMM acting as a client for all commands when the security mode is set to "Secure".
  • For information about how to specify a URL for file transfer, see Specifying a URL for file transfer in the Lenovo Chassis Management Module 2 Command-Line Interface Reference Guide.

If command syntax is not correctly entered, or if a command fails to run, an error message is returned. See Common errors for a list of error messages that apply to all commands or sslcfg command errors for a list of error messages that are specific to the sslcfg command.

Table 1. sslcfg command.

The command table is a multi-row, four-column table where each row describes a CMM CLI command option: column one lists command function, column two provides a detailed command description, column three shows command-option syntax, and column four lists valid command targets.

Function What it does Command Target (see paths in Command targets)
Display CMM SSL status Displays the SSL status of the specified CMM. This status includes information about SSL certificates. sslcfg
Primary CMM:
  • mm[p]
  • mm[P]
  • mm[x]
  • where x is the primary CMM bay number.
Set SSL (secure LDAP) state for LDAP client Enables or disables SSL (secure LDAP) or starts transport layer security for the LDAP client.
Note:
  • By default, the LDAP client uses the same SSL certificate as the LDAP server.
  • The LDAP client can be enabled if a certificate is in place.
sslcfg -client state

where state is enabled, disabled, or starttls.

This command can only be run by users who have one or more of the following command authorities:
  • Supervisor
  • Chassis configuration
See Commands and user authority for additional information.
Primary CMM:
  • mm[p]
  • mm[P]
  • mm[x]
  • where x is the primary CMM bay number.
Set SSL state for HTTPS server Enables or disables the HTTPS server.
Note: The HTTPS server can be enabled if a certificate is in place.
sslcfg -server state

where state is enabled or disabled.

This command can only be run by users who have one or more of the following command authorities:
  • Supervisor
  • Chassis configuration
See Commands and user authority for additional information.
Primary CMM:
  • mm[p]
  • mm[P]
  • mm[x]
  • where x is the primary CMM bay number.
View internally signed certificate Displays internally signed server certificate. sslcfg -view intsrv
Primary CMM:
  • mm[p]
  • mm[P]
  • mm[x]
  • where x is the primary CMM bay number.
View self-signed certificate Displays a certificate authority self-signed root certificate for the CMM. sslcfg -view ca
Primary CMM:
  • mm[p]
  • mm[P]
  • mm[x]
  • where x is the primary CMM bay number.
Generate self-signed certificate Generates a self-signed certificate for the chassis certificate authority.
Note:
  • If a user executes this command, it will cause all certificates in the chassis to be re-signed. This means that any applications configured to trust certificates in the chassis will no longer trust those certificates. The user should export the new CA certificate and import it into the companion applications so that these applications can continue to manage the chassis. If users had imported the previous CA certificate into a web browser or any other application, they would want to replace it with the new certificate. Additionally, some security configuration artifacts that are signed by the CA certificate might be reprovisioned to the compute nodes.
  • If the crypto -m option is set to comp, for compatibility with all NIST cipher suites (see the crypto command for more information), the sslcfg -gen ca -csa certificate type option must be specified when generating a CA certificate.
  • If the crypto -m option is set to nist800-131a (see the crypto command for more information), the sslcfg -gen ca -csa option is optional; if it is specified, the certificate type must be set to rsa2048sha256.
sslcfg -gen ca -csa type

where the optional certificate type is:

  • rsa2048sha1
  • rsa2048sha256
This command can only be run by users who have one or more of the following command authorities:
  • Supervisor
  • Chassis configuration
See Commands and user authority for additional information.
Primary CMM:
  • mm[p]
  • mm[P]
  • mm[x]
  • where x is the primary CMM bay number.
View externally signed server certificate Displays externally signed certificate information for the server. sslcfg -view extsrv
Primary CMM:
  • mm[p]
  • mm[P]
  • mm[x]
  • where x is the primary CMM bay number.
Import (upload) externally signed LDAP client certificate and CA bundle Import (upload) externally signed LDAP certificate and CA bundle for the LDAP client.

The upload locations of the externally signed certificate file and CA bundle are set separately using the -u and -cabu command options.

sslcfg -upld -t client -u URL -cabu CA_URL
where:
  • URL is the fully qualified uniform resource locator, including file name, of the tftp, ftp, http, https, or sftp server where the certificate file is located.
  • CA_URL is the fully qualified uniform resource locator, including file name, of the tftp, ftp, http, https, or sftp server where the certificate bundle is located.
Note: The -t client option is optional. If it is not specified, the command defaults to the client target.
This command can only be run by users who have one or more of the following command authorities:
  • Supervisor
  • Chassis configuration
See Commands and user authority for additional information.
Primary CMM:
  • mm[p]
  • mm[P]
  • mm[x]
  • where x is the primary CMM bay number.
Delete externally signed LDAP client certificate and CA bundle Remove an externally signed LDAP certificate and CA bundle from the LDAP client. sslcfg -remove -t client
Note: The -t client option is optional. If it is not specified, the command defaults to the client target.
This command can only be run by users who have one or more of the following command authorities:
  • Supervisor
  • Chassis configuration
See Commands and user authority for additional information.
Primary CMM:
  • mm[p]
  • mm[P]
  • mm[x]
  • where x is the primary CMM bay number.
View CA bundle for externally signed server certificate Displays certificate authority bundle information for the externally signed certificate of the server. sslcfg -view extcab
Primary CMM:
  • mm[p]
  • mm[P]
  • mm[x]
  • where x is the primary CMM bay number.
Import (upload) externally signed server certificate and CA bundle Import (upload) externally signed certificate and CA bundle for the server.

The upload locations of the externally signed certificate file and CA bundle are set separately using the -u and -cabu command options.

sslcfg -upld -t server -u URL -cabu CA_URL
where:
  • URL is the fully qualified uniform resource locator, including file name, of the tftp, ftp, http, https, or sftp server where the certificate file is located.
  • CA_URL is the fully qualified uniform resource locator, including file name, of the tftp, ftp, http, https, or sftp server where the certificate bundle is located.
This command can only be run by users who have one or more of the following command authorities:
  • Supervisor
  • Chassis configuration
See Commands and user authority for additional information.
Primary CMM:
  • mm[p]
  • mm[P]
  • mm[x]
  • where x is the primary CMM bay number.
Reapply externally signed server certificate Reapply an externally signed server certificate to the LDAP server. Unsuccessful certificate application lists any compute nodes that are unable to use externally signed certificates: the CMM uses a self-signed certificate for the LDAP server in this case. sslcfg -reapply
This command can only be run by users who have one or more of the following command authorities:
  • Supervisor
  • Chassis configuration
See Commands and user authority for additional information.
Primary CMM:
  • mm[p]
  • mm[P]
  • mm[x]
  • where x is the primary CMM bay number.
Generate self-signed certificate (for failed externally signed server certificate) Generates a self-signed certificate for use with an LDAP server that does not support externally signed server certificates.

The CMM LDAP server receives an SSL certificate internally signed by the CMM root certificate authority (CA) certificate. The IMM in each compute node then uses the root certificate in the LDAP client to trust the CMM LDAP server.

Note:
  • If a user executes this command, it will cause all certificates in the chassis to be re-signed. This means that any applications configured to trust certificates in the chassis will no longer trust those certificates. The user should export the new CA certificate and import it into the companion applications so that these applications can continue to manage the chassis. If users had imported the previous CA certificate into a web browser or any other application, they would want to replace it with the new certificate. Additionally, some security configuration artifacts that are signed by the CA certificate might be reprovisioned to the compute nodes.
  • If the crypto -m option is set to comp, for compatibility with all NIST cipher suites (see the crypto command for more information), the sslcfg -gen ca -csa certificate type option must be specified when generating a CA certificate.
  • If the crypto -m option is set to nist800-131a (see the crypto command for more information), the sslcfg -gen ca -csa option is optional; if it is specified, the certificate type must be set to rsa2048sha256.
sslcfg -gen ldapsrv -csa type

where the optional certificate type is:

  • rsa2048sha1
  • rsa2048sha256
This command can only be run by users who have one or more of the following command authorities:
  • Supervisor
  • Chassis configuration
See Commands and user authority for additional information.
Primary CMM:
  • mm[p]
  • mm[P]
  • mm[x]
  • where x is the primary CMM bay number.
View externally signed LDAP client certificate Displays externally signed LDAP client certificate information. sslcfg -view extclnt  
Generate CSR Generates a certificate signing request (CSR) for the CMM HTTPS server or LDAP client.

The following values must be set when generating a CSR:

  • Country using the -c command option.
  • State or province using the -sp command option.
  • City or locality using the -cl command option.
  • Organization name using the -on command option.
  • CMM host name using the -hn command option.
    Note: This host name must match the host name that is used by a web browser to connect to the CMM.

The following optional values can be set when generating a CSR:

  • Contact person using the -cp command option.
  • Email address of the contact person using the -ea command option.
  • Unit within a company or organization using the -ou command option.
  • Additional information such as a surname using the -s command option.
  • Additional information such as a given name using the -gn command option.
  • Additional information such as initials using the -in command option.
  • Additional information such as a distinguished name qualifier using the -dq command option.
  • Additional information such as a CSR password using the -cpwd command option.
  • Additional information such as an unstructured name qualifier using the -un command option.
sslcfg -gen csr -c country -sp "state" -cl "city" -on "org" -hn hostname -cp "name" -ea email -ou "org_unit" -s "surname" -gn "given_name" -in "initial" -dq "dn_qualifier" -cpwd password -un "un_name" -t target
where the required options are:
  • country is a two-character alphabetic code for the country.
  • "state" is a state or province name of up to 60 characters in length.
  • "city" is a city or locality name of up to 50 characters in length.
  • "org" is an organization name of up to 60 characters in length.
  • hostname is a valid host name of up to 60 characters in length.
  • target is server or client
where the optional options are:
  • "name" is up to 60 characters in length.
  • email is a valid email address of up to 60 characters.
  • "org_unit" is up to 60 characters.
  • "surname" is up to 60 characters.
  • "given_name" is up to 60 characters.
  • "initial" is up to 20 characters.
  • "dn_qualifier" is up to 60 characters.
  • password is between 6 and 30 characters.
  • "un_name" is up to 60 characters.
Note: Arguments that must be quote-delimited are shown in quotation marks.
This command can only be run by users who have one or more of the following command authorities:
  • Supervisor
  • Chassis configuration
See Commands and user authority for additional information.
Primary CMM:
  • mm[p]
  • mm[P]
  • mm[x]
  • where x is the primary CMM bay number.
Download CA self-signed root certificate file Downloads the specified CA self-signed root certificate file.

The location of the CA self-signed root certificate file, including IP address of the server for downloading and filename, must be set using the -u command option.

Note: To successfully download and import a CA certificate into an external LDAP server trust store, make sure that secure LDAP is enabled using the sslcfg -server enabled or the sslcfg -client enabled command.
sslcfg -dnld ca -u URL

where URL is the fully qualified uniform resource locator, including file name, of the tftp, ftp, http, https, or sftp server where the certificate file is located.

This command can only be run by users who have one or more of the following command authorities:
  • Supervisor
  • Chassis configuration
See Commands and user authority for additional information.
Primary CMM:
  • mm[p]
  • mm[P]
  • mm[x]
  • where x is the primary CMM bay number.
Download certificate or CSR file of specified format Downloads the specified certificate file, specifying the certificate file format.

The location of the certificate or CSR file, including IP address of the server for downloading and filename, must be set using the -u command option.

Note: If the certificate or CSR file format is not specified using the -f command option, the format defaults to DER.
sslcfg -dnld cert_type -f format -u URL -t target
where:
  • cert_type is
    • cert for a certificate
    • csr for a CSR (for the CMM LDAP client certificate)
  • format is
    • der for binary DER encoded certificates
    • pem for X.509v3 files that contain ASCII (Base64) armored data prefixed with a BEGIN line
  • URL is the fully qualified uniform resource locator, including file name, of the tftp, ftp, http, https, or sftp server where the certificate file is located.
  • target is server or client
This command can only be run by users who have one or more of the following command authorities:
  • Supervisor
  • Chassis configuration
See Commands and user authority for additional information.
Primary CMM:
  • mm[p]
  • mm[P]
  • mm[x]
  • where x is the primary CMM bay number.
View trusted certificate 1 Displays trusted certificate 1 information for the LDAP client. sslcfg -tc1 view
Primary CMM:
  • mm[p]
  • mm[P]
  • mm[x]
  • where x is the primary CMM bay number.
View trusted certificate 2 Displays trusted certificate 2 information for the LDAP client. sslcfg -tc2 view
Primary CMM:
  • mm[p]
  • mm[P]
  • mm[x]
  • where x is the primary CMM bay number.
View trusted certificate 3 Displays trusted certificate 3 information for the LDAP client. sslcfg -tc3 view
Primary CMM:
  • mm[p]
  • mm[P]
  • mm[x]
  • where x is the primary CMM bay number.
Import (upload) trusted certificate 1 Import (upload) trusted certificate 1 for the LDAP client.

The upload location of the trusted certificate file, including IP address of the server and filename, must be set using the -u command option.

sslcfg -tc1 import -u URL -t client

where URL is the fully qualified uniform resource locator, including file name, of the tftp, ftp, http, https, or sftp server where the certificate file is located.

Note: The -t client option is optional. If it is not specified, the command defaults to the client target.
This command can only be run by users who have one or more of the following command authorities:
  • Supervisor
  • Chassis configuration
See Commands and user authority for additional information.
Primary CMM:
  • mm[p]
  • mm[P]
  • mm[x]
  • where x is the primary CMM bay number.
Import (upload) trusted certificate 2 Import (upload) trusted certificate 2 for the LDAP client.

The upload location of the trusted certificate file, including IP address of the server and filename, must be set using the -u command option.

sslcfg -tc2 import -u URL -t client

where URL is the fully qualified uniform resource locator, including file name, of the tftp, ftp, http, https, or sftp server where the certificate file is located.

Note: The -t client option is optional. If it is not specified, the command defaults to the client target.
This command can only be run by users who have one or more of the following command authorities:
  • Supervisor
  • Chassis configuration
See Commands and user authority for additional information.
Primary CMM:
  • mm[p]
  • mm[P]
  • mm[x]
  • where x is the primary CMM bay number.
Import (upload) trusted certificate 3 Import (upload) trusted certificate 3 for the LDAP client.

The upload location of the trusted certificate file, including IP address of the server and filename, must be set using the -u command option.

sslcfg -tc3 import -u URL -t client

where URL is the fully qualified uniform resource locator, including file name, of the tftp, ftp, http, https, or sftp server where the certificate file is located.

Note: The -t client option is optional. If it is not specified, the command defaults to the client target.
This command can only be run by users who have one or more of the following command authorities:
  • Supervisor
  • Chassis configuration
See Commands and user authority for additional information.
Primary CMM:
  • mm[p]
  • mm[P]
  • mm[x]
  • where x is the primary CMM bay number.
Export (download) trusted certificate 1 Downloads (exports) trusted certificate 1 for the LDAP client.

The location of the trusted certificate 1 file, including IP address of the server for downloading and filename, must be set using the -u command option.

sslcfg -tc1 download -u URL -t client

where URL is the fully qualified uniform resource locator, including file name, of the tftp, ftp, http, https, or sftp server where the certificate file is located.

Note: The -t client option is optional. If it is not specified, the command defaults to the client target.
This command can only be run by users who have one or more of the following command authorities:
  • Supervisor
  • Chassis configuration
See Commands and user authority for additional information.
Primary CMM:
  • mm[p]
  • mm[P]
  • mm[x]
  • where x is the primary CMM bay number.
Export (download) trusted certificate 2 Downloads (exports) trusted certificate 2 for the LDAP client.

The location of the trusted certificate 2 file, including IP address of the server for downloading and filename, must be set using the -u command option.

sslcfg -tc2 download -u URL -t client

where URL is the fully qualified uniform resource locator, including file name, of the tftp, ftp, http, https, or sftp server where the certificate file is located.

Note: The -t client option is optional. If it is not specified, the command defaults to the client target.
This command can only be run by users who have one or more of the following command authorities:
  • Supervisor
  • Chassis configuration
See Commands and user authority for additional information.
Primary CMM:
  • mm[p]
  • mm[P]
  • mm[x]
  • where x is the primary CMM bay number.
Export (download) trusted certificate 3 Downloads (exports) trusted certificate 3 for the LDAP client.

The location of the trusted certificate 3 file, including IP address of the server for downloading and filename, must be set using the -u command option.

sslcfg -tc3 download -u URL -t client

where URL is the fully qualified uniform resource locator, including file name, of the tftp, ftp, http, https, or sftp server where the certificate file is located.

Note: The -t client option is optional. If it is not specified, the command defaults to the client target.
This command can only be run by users who have one or more of the following command authorities:
  • Supervisor
  • Chassis configuration
See Commands and user authority for additional information.
Primary CMM:
  • mm[p]
  • mm[P]
  • mm[x]
  • where x is the primary CMM bay number.
Remove trusted certificate 1 Removes trusted certificate 1 from the LDAP client. sslcfg -tc1 remove -t client
Note: The -t client option is optional. If it is not specified, the command defaults to the client target.
This command can only be run by users who have one or more of the following command authorities:
  • Supervisor
  • Chassis configuration
See Commands and user authority for additional information.
Primary CMM:
  • mm[p]
  • mm[P]
  • mm[x]
  • where x is the primary CMM bay number.
Remove trusted certificate 2 Removes trusted certificate 2 from the LDAP client. sslcfg -tc2 remove -t client
Note: The -t client option is optional. If it is not specified, the command defaults to the client target.
This command can only be run by users who have one or more of the following command authorities:
  • Supervisor
  • Chassis configuration
See Commands and user authority for additional information.
Primary CMM:
  • mm[p]
  • mm[P]
  • mm[x]
  • where x is the primary CMM bay number.
Remove trusted certificate 3 Removes trusted certificate 3 from the LDAP client. sslcfg -tc3 remove -t client
Note: The -t client option is optional. If it is not specified, the command defaults to the client target.
This command can only be run by users who have one or more of the following command authorities:
  • Supervisor
  • Chassis configuration
See Commands and user authority for additional information.
Primary CMM:
  • mm[p]
  • mm[P]
  • mm[x]
  • where x is the primary CMM bay number.
Import (upload) certificate Import (upload) certificate for the CMM HTTPS server or LDAP client.

The upload location of the certificate file, including IP address and filename, must be set using the -u command option.

sslcfg -upld -u URL -t target
where:
  • URL is the fully qualified uniform resource locator, including file name, of the tftp, ftp, http, https, or sftp server where the certificate file is located.
  • target is server or client
This command can only be run by users who have one or more of the following command authorities:
  • Supervisor
  • Chassis configuration
See Commands and user authority for additional information.
Primary CMM:
  • mm[p]
  • mm[P]
  • mm[x]
  • where x is the primary CMM bay number.
View CRL 1 Displays certificate revocation list 1 for the LDAP client. sslcfg -crl1 view
Primary CMM:
  • mm[p]
  • mm[P]
  • mm[x]
  • where x is the primary CMM bay number.
View CRL 2 Displays certificate revocation list 2 for the LDAP client. sslcfg -crl2 view
Primary CMM:
  • mm[p]
  • mm[P]
  • mm[x]
  • where x is the primary CMM bay number.
View CRL 3 Displays certificate revocation list 3 for the LDAP client. sslcfg -crl3 view
Primary CMM:
  • mm[p]
  • mm[P]
  • mm[x]
  • where x is the primary CMM bay number.
Set CRL checking state for LDAP client Enables or disables certificate revocation list checking for the LDAP client. sslcfg -crl state

where state is enabled or disabled.

This command can only be run by users who have one or more of the following command authorities:
  • Supervisor
  • Chassis configuration
See Commands and user authority for additional information.
Primary CMM:
  • mm[p]
  • mm[P]
  • mm[x]
  • where x is the primary CMM bay number.
Import (upload) CRL 1 Import (upload) certificate revocation list 1 for the LDAP client.

The upload location of the CRL, including IP address of the server and filename, must be set using the -u command option.

sslcfg -crl1 import -u URL -t client

where URL is the fully qualified uniform resource locator, including file name, of the tftp, ftp, http, https, or sftp server where the CRL is located.

Note: The -t client option is optional. If it is not specified, the command defaults to the client target.
This command can only be run by users who have one or more of the following command authorities:
  • Supervisor
  • Chassis configuration
See Commands and user authority for additional information.
Primary CMM:
  • mm[p]
  • mm[P]
  • mm[x]
  • where x is the primary CMM bay number.
Import (upload) CRL 2 Import (upload) certificate revocation list 2 for the LDAP client.

The upload location of the CRL, including IP address of the server and filename, must be set using the -u command option.

sslcfg -crl2 import -u URL -t client

where URL is the fully qualified uniform resource locator, including file name, of the tftp, ftp, http, https, or sftp server where the CRL is located.

Note: The -t client option is optional. If it is not specified, the command defaults to the client target.
This command can only be run by users who have one or more of the following command authorities:
  • Supervisor
  • Chassis configuration
See Commands and user authority for additional information.
Primary CMM:
  • mm[p]
  • mm[P]
  • mm[x]
  • where x is the primary CMM bay number.
Import (upload) CRL 3 Import (upload) certificate revocation list 3 for the LDAP client.

The upload location of the CRL, including IP address of the server and filename, must be set using the -u command option.

sslcfg -crl3 import -u URL -t client

where URL is the fully qualified uniform resource locator, including file name, of the tftp, ftp, http, https, or sftp server where the CRL is located.

Note: The -t client option is optional. If it is not specified, the command defaults to the client target.
This command can only be run by users who have one or more of the following command authorities:
  • Supervisor
  • Chassis configuration
See Commands and user authority for additional information.
Primary CMM:
  • mm[p]
  • mm[P]
  • mm[x]
  • where x is the primary CMM bay number.
Remove CRL 1 Removes certificate revocation list 1 from the LDAP client. sslcfg -crl1 remove -t client
Note: The -t client option is optional. If it is not specified, the command defaults to the client target.
This command can only be run by users who have one or more of the following command authorities:
  • Supervisor
  • Chassis configuration
See Commands and user authority for additional information.
Primary CMM:
  • mm[p]
  • mm[P]
  • mm[x]
  • where x is the primary CMM bay number.
Remove CRL 2 Removes certificate revocation list 2 from the LDAP client. sslcfg -crl2 remove -t client
Note: The -t client option is optional. If it is not specified, the command defaults to the client target.
This command can only be run by users who have one or more of the following command authorities:
  • Supervisor
  • Chassis configuration
See Commands and user authority for additional information.
Primary CMM:
  • mm[p]
  • mm[P]
  • mm[x]
  • where x is the primary CMM bay number.
Remove CRL 3 Removes certificate revocation list 3 from the LDAP client. sslcfg -crl3 remove -t client
Note: The -t client option is optional. If it is not specified, the command defaults to the client target.
This command can only be run by users who have one or more of the following command authorities:
  • Supervisor
  • Chassis configuration
See Commands and user authority for additional information.
Primary CMM:
  • mm[p]
  • mm[P]
  • mm[x]
  • where x is the primary CMM bay number.
Example: To view SSL information for the primary CMM in bay 1, while this CMM is set as the persistent command environment, at the system:mm[1]> prompt, type
sslcfg
To generate a new key and CSR for the server in the primary CMM in bay 1, with a country of US, a state of NC, a city of Cary, an organization of Lenovo, and a host name of hostname, while this CMM is set as the persistent command environment, at the system:mm[1]> prompt, type
sslcfg -gen csr -c us -sp "nc"  -cl "cary"  -on "lenovo" -hn hostname -t server

The following example shows the information that is returned from these commands:

system:mm[1]> sslcfg
-server enabled
-client disabled
Certificate Authority certificate status:
A Root certificate is installed (rsa2048sha1)
SSL Server Certificate status:
A self-signed certificate is installed
SSL Client Certificate status:
No certificate has been generated
SSL Client Trusted Certificate status:
Trusted Certificate 1: Not available
Trusted Certificate 2: Not available
Trusted Certificate 3: Not available
SSL Client CRL status:
CRL 1: Not available
CRL 2: Not available
CRL 3: Not available
-crl disabled
system:mm[1]>
system:mm[1]> sslcfg -gen csr -c us -sp "nc"  -cl "cary"  -on "lenovo" -hn hostname -t server
Certificate Signing Request (CSR) is ready for downloading.
To get the CSR, use the download CSR command. You can then send
it to a CA for signing.
OK
system:mm[1]>
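
The following Python check is an added example, not part of the Lenovo reference: it parses the sslcfg status output shown above and lists the settings an operator would review. The sample text is copied from the example on this page; the function names, the crypto_mode parameter (the value read from the crypto command) and the review policy itself are assumptions.

```python
import re

# Sample input: the `sslcfg` status output from the example on this page.
SAMPLE_OUTPUT = """\
system:mm[1]> sslcfg
-server enabled
-client disabled
Certificate Authority certificate status:
A Root certificate is installed (rsa2048sha1)
SSL Server Certificate status:
A self-signed certificate is installed
SSL Client Certificate status:
No certificate has been generated
SSL Client Trusted Certificate status:
Trusted Certificate 1: Not available
Trusted Certificate 2: Not available
Trusted Certificate 3: Not available
SSL Client CRL status:
CRL 1: Not available
CRL 2: Not available
CRL 3: Not available
-crl disabled
system:mm[1]>
"""

FLAG_RE = re.compile(r"^-(server|client|crl)\s+(\S+)$")
SLOT_RE = re.compile(r"^(Trusted Certificate|CRL) ([123]):\s*(.+)$")
ROOT_RE = re.compile(r"Root certificate is installed \((\w+)\)")


def parse_sslcfg(text):
    """Split the status output into option flags, section text and slots."""
    status = {"flags": {}, "sections": {}, "slots": {}}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("system:"):
            continue  # blank line or CLI prompt
        flag = FLAG_RE.match(line)
        slot = SLOT_RE.match(line)
        if flag:
            status["flags"][flag.group(1)] = flag.group(2)
        elif slot:
            name = f"{slot.group(1)} {slot.group(2)}"
            status["slots"][name] = slot.group(3)
        elif line.endswith("status:"):
            section = line[: -len(" status:")]
            status["sections"][section] = []
        elif section is not None:
            status["sections"][section].append(line)
    return status


def slots_present(status, prefix):
    """True if any numbered slot with this prefix holds an object."""
    return any(value != "Not available"
               for name, value in status["slots"].items()
               if name.startswith(prefix))


def audit(status, crypto_mode="nist800-131a"):
    """Return review findings (assumed policy, not a Lenovo rule set)."""
    findings = []
    flags, sections = status["flags"], status["sections"]
    if flags.get("server") != "enabled":
        findings.append("HTTPS server is not enabled (-server)")
    if flags.get("client") in ("enabled", "starttls"):
        # Revocation and trust anchors only matter once secure LDAP is on.
        if not slots_present(status, "Trusted Certificate"):
            findings.append("LDAP client has no trusted certificate imported")
        if flags.get("crl") != "enabled" or not slots_present(status, "CRL"):
            findings.append("LDAP client CRL checking is off or has no CRL")
    else:
        findings.append("LDAP client is not using SSL or StartTLS (-client)")
    ca_text = " ".join(sections.get("Certificate Authority certificate", []))
    root = ROOT_RE.search(ca_text)
    root_type = root.group(1) if root else "unknown"
    # Per this page, -gen ca under nist800-131a only accepts rsa2048sha256.
    if crypto_mode == "nist800-131a" and root_type != "rsa2048sha256":
        findings.append(f"CA root type is {root_type}, not rsa2048sha256")
    server_text = " ".join(sections.get("SSL Server Certificate", [])).lower()
    if "self-signed" in server_text:
        findings.append("HTTPS server certificate is self-signed")
    return findings


if __name__ == "__main__":
    for item in audit(parse_sslcfg(SAMPLE_OUTPUT)):
        print("REVIEW:", item)
```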