About this task
Customers can import their SSL certificates themselves. This ensures that the communication between their management tools and their InfiniBox is secure, and that the SSL private key is not shared with Infinidat support. There are three ways to install a certificate:
- Creating a CSR and uploading the signed certificate
- Uploading a signed certificate and a private key
- Installing a self-signed certificate
An uploaded certificate replaces the current certificate. The uploaded certificate file is validated for:
- Format - the certificate must be in PEM format.
- Integrity - the certificate's digital signature must match the certificate file content. This validation assures that the certificate file was not tampered with anywhere down the trust chain.
InfiniBox does not validate the certificate trust chain.
Terminology
Certificate | A file that allows a client to validate the identity of the server it is communicating with. |
CA | Certificate Authority, a trusted corporate or 3rd party authority that the client and server use to verify the identity of the server to the client. |
Self-Signed Certificate | A certificate that is signed by the InfiniBox itself, and not trusted by a CA. |
SSL Certificate | The type of certificate used to verify HTTPS servers. |
Trusted Certificate | A certificate in a certificate trust chain where each certificate is signed by another certificate, leading to a parent CA that both the client and server trust. |
Certificate Trust Chain | The set of certificates leading to the corporate or 3rd party CA that both the client and server trust. |
Checking the validity of the current certificate
Click the Settings icon on the navigation tree. On the General tab, click Modify HTTPS Certificate.
The HTTPS Configuration screen opens.
The text color indicates the certificate validity:
- Green text (Black text in some versions) - the certificate is valid for at least 30 days
- Orange text - the certificate is valid for less than 30 days
- Red text - the certificate is no longer valid
Creating a CSR to generate and upload a signed certificate
Use the InfiniBox GUI to create a certificate signing request (CSR) and to upload the resulting certificate.
- Click the Settings icon on the navigation tree. On the General tab, click Modify HTTPS Certificate.
The HTTPS Configuration screen opens.
- Click Create CSR.
Edit the certificate request fields if necessary.
Ensure that the CN matches the system FQDN.
- Click Generate.
A CSR file is generated.
- Send the CSR file to your corporate certificate authority, or to a public certificate authority, and have them generate a signed certificate based on that file.
- When you have the signed certificate, click Upload Signed CSR, browse to the generated certificate, and click Upload.
Uploading a signed certificate and a private key
If the private key was not generated through an InfiniBox Create CSR request, upload the signed certificate together with its private key.
- To prepare a file for upload, concatenate:
A PEM-encoded private key file of 2048 or 4096 bits. For example:
-----BEGIN PRIVATE KEY-----
MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDkn8E97lOj2pvt
...
lhR3fQ/lri/LVetY3VtcnOUL91l6Sp/AJgHTAfzigcWC0UZABqiXwxRWp6S9fRue
bGPa+xf11oTIIqEq2qrGlAtwrA==
-----END PRIVATE KEY-----
A PEM-encoded X509 signed certificate whose public key matches the private key in the first part of this concatenated file, and whose CN matches the system's FQDN. For example:
-----BEGIN CERTIFICATE-----
MIIDrzCCApegAwIBAgIJAMhgnI/1w772MA0GCSqGSIb3DQEBCwUAMG4xCzAJBgNV
...
/prJK/r5mA7Uvttga7vI2Sv4lZySonmWN5bkKCxbsxRWk1WusxJ0MyR2xEwXHo/E
to5uReXFUBYNLab/tWU+EuQTSzKLJYerSSCc7eq6PDTbeek=
-----END CERTIFICATE-----
In this example, the concatenated file would be:
-----BEGIN PRIVATE KEY-----
MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDkn8E97lOj2pvt
...
lhR3fQ/lri/LVetY3VtcnOUL91l6Sp/AJgHTAfzigcWC0UZABqiXwxRWp6S9fRue
bGPa+xf11oTIIqEq2qrGlAtwrA==
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIDrzCCApegAwIBAgIJAMhgnI/1w772MA0GCSqGSIb3DQEBCwUAMG4xCzAJBgNV
...
/prJK/r5mA7Uvttga7vI2Sv4lZySonmWN5bkKCxbsxRWk1WusxJ0MyR2xEwXHo/E
to5uReXFUBYNLab/tWU+EuQTSzKLJYerSSCc7eq6PDTbeek=
-----END CERTIFICATE-----
- Click the Settings icon on the navigation tree. On the General tab, click Modify HTTPS Certificate.
The HTTPS Configuration screen opens.
- Click Upload certificate.
- Browse to the concatenated file (created in step 1) that contains the private key and the signed certificate, and click Open.
- Click Upload. The certificate file is uploaded and validated.
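A local pre-upload check for the concatenated file described in the steps above, as an added example (not Infinidat's code). It assumes the openssl command-line tool is installed; the function names, file names and the FQDN box.example.com are placeholders. Because InfiniBox does not validate the trust chain, the optional fifth argument verifies the certificate against a CA file you supply.

```sh
#!/bin/sh

# check_bundle KEY CERT FQDN OUT [CA_FILE]
# Checks the page's upload requirements, then writes key + certificate to OUT.
check_bundle() {
    key=$1; cert=$2; fqdn=$3; out=$4; ca=${5:-}

    # Private key must be 2048 or 4096 bits.
    bits=$(openssl pkey -in "$key" -noout -text |
        sed -n 's/.*(\([0-9]*\) bit.*/\1/p' | head -n 1)
    case "$bits" in
        2048|4096) ;;
        *) echo "key size '$bits' is not 2048 or 4096" >&2; return 1 ;;
    esac

    # The certificate's public key must match the private key.
    [ "$(openssl pkey -in "$key" -pubout)" = \
      "$(openssl x509 -in "$cert" -noout -pubkey)" ] ||
        { echo "certificate does not match the private key" >&2; return 1; }

    # The subject CN must equal the system FQDN.
    cn=$(openssl x509 -in "$cert" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= *//p')
    [ "$cn" = "$fqdn" ] || { echo "CN '$cn' is not '$fqdn'" >&2; return 1; }

    # Require 30+ days of validity (the GUI's green/orange boundary).
    openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null ||
        { echo "certificate expires within 30 days" >&2; return 1; }

    # InfiniBox does not validate the trust chain; verify it here if a CA is given.
    if [ -n "$ca" ]; then
        openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 ||
            { echo "chain does not verify against $ca" >&2; return 1; }
    fi

    # Private key first, then the certificate; owner-readable only.
    ( umask 077; cat "$key" "$cert" > "$out" )
}

# Demo on a constructed, throwaway self-signed certificate (not real credentials).
demo() {
    d=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 90 -subj "/CN=box.example.com" \
        -keyout "$d/key.pem" -out "$d/cert.pem" 2>/dev/null &&
        check_bundle "$d/key.pem" "$d/cert.pem" box.example.com "$d/upload.pem" &&
        echo "bundle passed all checks"
    rc=$?; rm -rf "$d"; return $rc
}
demo
```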
Installing a self-signed certificate
You can create an internally-generated, self-signed certificate to replace the current certificate.
- Click the Settings icon on the navigation tree. On the General tab, click Modify HTTPS Certificate.
The HTTPS Configuration screen opens.
- Click Remove certificate.
- Click Yes. A popup confirms that the previous certificate was replaced by a new one.
InfiniShell instructions
config.system.ssl_certificate.create_csr
- creates a Certificate Signing Request (CSR) file. This file includes only the public key and is a more secure method of generating a certificate.
config.system.ssl_certificate.upload_signed_csr
- sets the certificate using a signed CSR file.
config.system.ssl_certificate.upload
- sets the SSL certificate and private key for the system by uploading a concatenated file consisting of:
  - a PEM-encoded private key file of 2048 or 4096 bits
  - a PEM-encoded X509 signed certificate whose public key matches the private key in the first part of this concatenated file, and whose CN matches the system's FQDN
config.system.ssl_certificate.clear
- clears the existing SSL certificate and replaces it with a self-signed certificate.
config.system.ssl_certificate.query
- displays a list of the certificates that are currently in use. The screen color scheme indicates the certificate validity (see above).
config.system.set_ssl_redirection
- enables/disables the redirection from HTTP (80) to HTTPS (443).
Last edited: 2022-03-13 15:13:49 UTC