Obtaining and importing a CA-signed certificate

Server and Cluster Administration Guide for Hitachi NAS Platform

You may provide your own Certificate Authority (CA) signed certificates, instead of the default "self-signed" certificate.

Use these steps to obtain and import a CA-signed certificate into the server.

The supported encodings for the certificates are PEM or DER.

The trust chain certificates must be in X.509 format.

The signed certificate must be in X.509 format or a PKCS #7 bundle that includes the trust chain certificates.

  1. Create a new certificate. Customize the server's private key to set the required validity period and correct location information.
    $ tls-certificate-create-custom --confirm
  2. Generate a CSR (Certificate Signing Request) and send it to the chosen CA. If you already have a certificate with a private key, go to Step 3.
    $ tls-certificate-generate-csr
    Note: The CA will check the sender's identity. This may take some time.
  3. Depending on what you are provided, perform the appropriate steps:
    • If you are given a single X.509 signed certificate and multiple X.509 trust chains:
      1. Import each certificate of the trust chain provided.
        $ tls-certificate-import-trust-chain --confirm --path tc1.cer --alias tc1
        $ tls-certificate-import-trust-chain --confirm --path tcn.cer --alias tcn
      2. Import the signed certificate.
        $ tls-certificate-import-signed --confirm --path signed.cer
    • If you are given a single PKCS #7 certificate bundle:
      Depending on the format of the trust chain and signed certificate, you may import them both at once.
      $ tls-certificate-import-signed --confirm --path signed_and_trust_chain
When the SSL configuration is changed, or a custom certificate is installed or removed, the HTTPS management server is automatically restarted to ensure that all current and future connections make use of the certificate, and the enabled versions and ciphers. An incorrect configuration can cause the SMU to be unable to communicate with the HTTPS management server. Verify that the SMU can still communicate after the settings have been changed.
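
Before choosing a branch in Step 3, it helps to confirm what the CA actually sent. The following Python sketch is an added example, not part of the Hitachi guide or its tooling: it reports whether a file is PEM or DER encoded and whether it holds X.509 certificates or a PKCS #7 bundle. The function names and sample bytes are constructed for illustration, and the check inspects only the leading ASN.1 structure; it does not validate signatures or the trust chain.

```python
import base64
import re

# DER encoding (tag, length, value) of OID 1.2.840.113549.1.7.2, PKCS #7 signedData.
PKCS7_SIGNED_DATA_OID = bytes.fromhex("06092a864886f70d010702")
PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.DOTALL)

# Constructed structural stubs (not real certificates), used only to exercise the code.
SAMPLE_X509_DER = bytes.fromhex("300430020500")
SAMPLE_PKCS7_DER = bytes.fromhex("300d06092a864886f70d010702a000")


def _der_body(der):
    """Return the contents of the outer DER SEQUENCE after checking its length."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    length, offset = der[1], 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            raise ValueError("unsupported DER length")
        length, offset = int.from_bytes(der[2:2 + n], "big"), 2 + n
    if offset + length != len(der):
        raise ValueError("truncated file or trailing data")
    return der[offset:]


def _der_kind(der):
    body = _der_body(der)
    if body.startswith(PKCS7_SIGNED_DATA_OID):
        return "pkcs7"  # ContentInfo begins with the signedData OID
    if body[:1] == b"\x30":
        # Certificate begins with the tbsCertificate SEQUENCE. CSRs and CRLs
        # share this outer shape, so treat the result as a pre-check only.
        return "x509"
    raise ValueError("neither an X.509 certificate nor a PKCS #7 bundle")


def classify(data):
    """Return (encoding, kind, block_count) for the raw bytes of a file from the CA."""
    blocks = PEM_BLOCK.findall(data)
    if not blocks:
        return ("DER", _der_kind(data), 1)
    kinds = {_der_kind(base64.b64decode(b64)) for _, b64 in blocks}
    if len(kinds) != 1:
        raise ValueError("mixed X.509 and PKCS #7 blocks in one file")
    return ("PEM", kinds.pop(), len(blocks))


if __name__ == "__main__":
    print(classify(SAMPLE_X509_DER), classify(SAMPLE_PKCS7_DER))
```

A result of `x509` points to the first branch of Step 3 (trust chain certificates, then the signed certificate), and `pkcs7` points to the single-bundle branch.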