
About this task

Customers can import their SSL certificates themselves. This ensures that the communication between their management tools and their InfiniBox is secure, and that the SSL private key is not shared with Infinidat support. There are three ways to install a certificate:

  • Creating a CSR and uploading the signed certificate
  • Uploading a signed certificate and a private key
  • Installing a self-signed certificate

An uploaded certificate replaces the current certificate. The uploaded certificate file is validated for:

  • Format - the certificate must be in PEM format.
  • Integrity - the certificate's digital signature must match the certificate file content. This validation assures that the certificate file was not tampered with anywhere down the trust chain.

InfiniBox does not validate the certificate trust chain.

Terminology

Certificate - A file that allows a client to validate the identity of the server it is communicating with.
CA - Certificate Authority, a trusted corporate or 3rd party authority that the client and server use to verify the identity of the server to the client.
Self-Signed Certificate - A certificate that is signed by the InfiniBox itself, and not trusted by a CA.
SSL Certificate - The type of certificate used to verify HTTPS servers.
Trusted Certificate - A certificate in a certificate trust chain where each certificate is signed by another certificate, leading to a parent CA that both the client and server trust.
Certificate Trust Chain - The set of certificates leading to the corporate or 3rd party CA that both the client and server trust.

Checking the validity of the current certificate

Click the Settings icon on the navigation tree. On the General tab, click Modify HTTPS Certificate.
The HTTPS Configuration screen opens.

The text color indicates the certificate validity:

  • Green text (Black text in some versions) - the certificate is valid for at least 30 days
  • Orange text - the certificate is valid for less than 30 days
  • Red text - the certificate is no longer valid

Creating a CSR to generate and upload a signed certificate

Use the InfiniBox GUI to create a certificate signing request (CSR) and to upload the resulting certificate.

  1. Click the Settings icon on the navigation tree. On the General tab, click Modify HTTPS Certificate.
    The HTTPS Configuration screen opens.
  2. Click Create CSR.
  3. Edit the certificate request fields if necessary.

    Ensure that the CN matches the system FQDN.
  4. Click Generate.
    A CSR file is generated.

  5. Send the CSR file to your corporate certificate authority, or to a public certificate authority, and have them generate a signed certificate based on that file.
  6. When you have the signed certificate, click Upload Signed CSR, browse to the generated certificate, and click Upload.

Uploading a signed certificate and a private key

If the private key was not generated through an InfiniBox Create CSR request, upload the signed certificate together with its private key.

  1. To prepare a file for upload, concatenate:
    • A PEM-encoded private key file of 2048 or 4096 bits. For example:

      -----BEGIN PRIVATE KEY----- 
      MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDkn8E97lOj2pvt 
      ... 
      lhR3fQ/lri/LVetY3VtcnOUL91l6Sp/AJgHTAfzigcWC0UZABqiXwxRWp6S9fRue 
      bGPa+xf11oTIIqEq2qrGlAtwrA== 
      -----END PRIVATE KEY-----


    • A PEM-encoded X509 signed certificate whose public key matches the private key in the first part of this concatenated file, and whose CN matches the system's FQDN. For example:

      -----BEGIN CERTIFICATE-----
      MIIDrzCCApegAwIBAgIJAMhgnI/1w772MA0GCSqGSIb3DQEBCwUAMG4xCzAJBgNV
      ...
      /prJK/r5mA7Uvttga7vI2Sv4lZySonmWN5bkKCxbsxRWk1WusxJ0MyR2xEwXHo/E
      to5uReXFUBYNLab/tWU+EuQTSzKLJYerSSCc7eq6PDTbeek=
      -----END CERTIFICATE-----
    • In this example, the concatenated file would be:

      -----BEGIN PRIVATE KEY-----
      MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDkn8E97lOj2pvt
      ...
      lhR3fQ/lri/LVetY3VtcnOUL91l6Sp/AJgHTAfzigcWC0UZABqiXwxRWp6S9fRue
      bGPa+xf11oTIIqEq2qrGlAtwrA==
      -----END PRIVATE KEY-----
      -----BEGIN CERTIFICATE----- 
      MIIDrzCCApegAwIBAgIJAMhgnI/1w772MA0GCSqGSIb3DQEBCwUAMG4xCzAJBgNV 
      ... 
      /prJK/r5mA7Uvttga7vI2Sv4lZySonmWN5bkKCxbsxRWk1WusxJ0MyR2xEwXHo/E 
      to5uReXFUBYNLab/tWU+EuQTSzKLJYerSSCc7eq6PDTbeek= 
      -----END CERTIFICATE-----
  2. Click the Settings icon on the navigation tree. On the General tab, click Modify HTTPS Certificate.
    The HTTPS Configuration screen opens.
  3. Click Upload certificate.
  4. Browse to the concatenated file (created in step 1) that contains the private key and the signed certificate, and click Open.
  5. Click Upload. The certificate file is uploaded and validated. 
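
The shell functions below are an added example, not part of the original article or of Infinidat tooling. They use the standard openssl CLI to run the checks described above on the concatenated file before upload (key first, key size, key and certificate match, CN, remaining validity) and, because InfiniBox does not validate the trust chain, optionally verify the certificate against a CA file. The file names, FQDN and CA file are placeholders.

```shell
# Added example: pre-upload checks for the concatenated key + certificate file.
# File names, the FQDN and the CA file are placeholders, not product values.

# Key first, then certificate; the result is readable by its owner only.
make_bundle() {  # make_bundle KEY.pem CERT.pem OUT.pem
  ( umask 077; cat "$1" "$2" > "$3" )
}

# check_bundle BUNDLE FQDN [CA_FILE]: prints the first failed check, returns 1.
check_bundle() {
  local bundle="$1" fqdn="$2" ca="${3:-}" bits subject key_pub cert_pub

  # Order: the first PEM header must be the private key, then a certificate.
  grep -m1 -e '^-----BEGIN ' "$bundle" | grep -q 'PRIVATE KEY-----' \
    || { echo "first PEM block is not a private key"; return 1; }
  grep -q -e '^-----BEGIN CERTIFICATE-----' "$bundle" \
    || { echo "no certificate block found"; return 1; }

  # Key size: the upload accepts 2048- or 4096-bit keys.
  bits=$(openssl pkey -in "$bundle" -noout -text 2>/dev/null |
         sed -n 's/.*Private-Key: (\([0-9]*\) bit.*/\1/p')
  case "$bits" in 2048|4096) ;; *) echo "key size '$bits' not accepted"; return 1 ;; esac

  # The certificate's public key must be the one derived from the private key.
  key_pub=$(openssl pkey -in "$bundle" -pubout 2>/dev/null)
  cert_pub=$(openssl x509 -in "$bundle" -noout -pubkey 2>/dev/null)
  [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ] \
    || { echo "certificate does not match private key"; return 1; }

  # CN must equal the system FQDN (literal comparison, no wildcards).
  subject=$(openssl x509 -in "$bundle" -noout -subject -nameopt RFC2253 |
            sed 's/^subject= *//')
  case ",$subject," in
    *",CN=$fqdn,"*) ;;
    *) echo "CN does not match $fqdn"; return 1 ;;
  esac

  # Validity: at least 30 days left, the threshold the GUI colours use.
  openssl x509 -in "$bundle" -noout -checkend $((30 * 24 * 3600)) >/dev/null \
    || { echo "certificate expires within 30 days"; return 1; }

  # Trust chain: the system does not check it, so check here if a CA file is given.
  if [ -n "$ca" ]; then
    openssl x509 -in "$bundle" | openssl verify -CAfile "$ca" >/dev/null 2>&1 \
      || { echo "certificate does not chain to $ca"; return 1; }
  fi
  echo "OK"
}
```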

Installing a self-signed certificate

You can create an internally-generated, self-signed certificate to replace the current certificate.

  1. Click the Settings icon on the navigation tree. On the General tab, click Modify HTTPS Certificate.
    The HTTPS Configuration screen opens.
  2. Click Remove certificate.
  3. Click Yes. A popup confirms that the previous certificate was replaced by a new one.

InfiniShell instructions 

  • config.system.ssl_certificate.create_csr - creates a Certificate Signing Request (CSR) file. Because this file includes only the public key, this is a more secure method of generating a certificate.
  • config.system.ssl_certificate.upload_signed_csr - sets the certificate using a signed CSR file.
  • config.system.ssl_certificate.upload - sets the SSL certificate and private key for the system by uploading a concatenated file consisting of:
    • a PEM-encoded private key file of 2048 or 4096 bits
    • a PEM-encoded X509 signed certificate whose public key matches the private key in the first part of this concatenated file, and whose CN matches the system's FQDN
  • config.system.ssl_certificate.clear - clears the existing SSL certificate and replaces it with a self-signed certificate.
  • config.system.ssl_certificate.query - displays a list of the certificates that are currently in use. The screen color scheme indicates the certificate validity (see above).
  • config.system.set_ssl_redirection - enables/disables the redirection from HTTP (80) to HTTPS (443).




Last edited: 2022-08-06 08:12:13 UTC
