Prepare the client certificate

Encryption License Key User Guide for VSP One Block

Version
10.2.x
Part Number
MK-23VSP1B010-00

Use the following procedure to prepare the client certificate. Encryption keys backed up on the KMS are managed with the client certificate. The client certificate on the KMS must remain current and not expired. If the client certificate expires or is not current, the storage system will not be able to access the KMS.

CAUTION:
  • Encryption keys backed up to the KMS are managed in association with client certificates. If the client certificate is lost and the storage system controller is replaced, the keys that were backed up before the controller replacement cannot be restored.
  • When the connection settings are backed up to the KMS, the storage system does not back up the client certificate. Make sure that you back up a copy of the connection settings to the KMS and save a copy of the client certificate separately. Refer to your corporate security policy for procedures related to backups.
  • The encryption keys backed up on the KMS are managed with the client certificate. If the client certificate is changed, the encryption keys that were backed up before the change cannot be restored. Make sure to back up the encryption keys immediately after changing the client certificate.
Note:
  • For information about obtaining the root certificate of the KMS, see the documentation for the KMS.
  • When configuring the connection to the KMS, you must upload the KMS root certificate and the client certificate in PKCS #12 format to the storage system. For details, see Configure the encryption environment.
  • OpenSSL must be installed in the C:\openssl folder.

  1. Download and install openssl.exe from http://www.openssl.org/ to the C:\openssl folder.
  2. Create a private key (.key) file.

    For details about creating a private key, see the System Administrator Guide.

  3. Create a public key (.csr) file.

    For details about creating a public key, see the System Administrator Guide.

  4. Have the public key file signed by the Certificate Authority (CA) office of the KMS.
    For details, see the documentation for the KMS.
  5. In the Windows command prompt, change the current folder to the folder where you want to save the client certificate in the PKCS#12 format.
  6. Move the private key file (.key) and the client certificate to this folder, and then run the following command:
    C:\key>c:\openssl\bin\openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12

    In this command example:

    • Folder to output the client certificate file in PKCS #12 format: c:\key
    • Private key file name: client.key
    • Client certificate file name: client.crt
  7. Type the client certificate password. This password is used when uploading a client certificate in PKCS #12 format to the storage system.
    The password can be from 0 to 128 characters in length. The valid characters for the password are:
    • Numbers (0 to 9)
    • Upper case letters (A-Z)
    • Lower case letters (a-z)
    • The following half-width symbols: ! # $ % & ' ( ) * + , - . / : ; < = > ? @ [ \ ] ^ _ ` { | } ~

    In this command example, the client.p12 file is created in the c:\key folder. This client.p12 file is a client certificate converted to PKCS#12 format.
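
The following PowerShell script wraps steps 6 and 7 in pre-flight checks for certificate expiry, key and certificate match, and the password rules, and then reads the exported file back. It is an added example, not part of the vendor guide. It assumes the folder and file names from the command example above, a 30-day expiry margin, and a hypothetical environment variable named P12_PASS that supplies the password non-interactively.

```powershell
# Added example, not from the vendor guide. Paths and file names follow the
# page's command example; P12_PASS and the 30-day margin are assumptions.
$openssl = 'C:\openssl\bin\openssl.exe'
Set-Location 'C:\key' -ErrorAction Stop

# 1. Refuse a certificate that is expired or expires within 30 days.
& $openssl x509 -in client.crt -noout -enddate
& $openssl x509 -in client.crt -noout -checkend (30 * 24 * 3600)
if ($LASTEXITCODE -ne 0) { throw 'client.crt is expired or expires within 30 days.' }

# 2. Confirm client.key is the private key for client.crt by comparing
#    the public key derived from each file.
$certPub = (& $openssl x509 -in client.crt -noout -pubkey) -join "`n"
$keyPub  = (& $openssl pkey -in client.key -pubout) -join "`n"
if (-not $certPub -or $certPub -cne $keyPub) {
    throw 'client.key does not match client.crt.'
}

# 3. Check the password against the rules in step 7: 0 to 128 characters,
#    printable ASCII except space and the double quote (0x21, 0x23-0x7E).
$secure = Read-Host 'PKCS #12 password' -AsSecureString
$plain  = [System.Net.NetworkCredential]::new('', $secure).Password
if ($plain -cnotmatch '\A[\x21\x23-\x7E]{0,128}\z') {
    throw 'Password is longer than 128 characters or contains a character outside the valid set.'
}

# 4. Export. The password is passed through an environment variable so it
#    does not appear on the command line; PowerShell cannot set an empty
#    environment variable, so an empty password falls back to "pass:".
$passSource = 'pass:'
if ($plain) { $env:P12_PASS = $plain; $passSource = 'env:P12_PASS' }
try {
    & $openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12 -passout $passSource
    if ($LASTEXITCODE -ne 0) { throw 'PKCS #12 export failed.' }

    # 5. Re-open the result with the same password to prove it is readable.
    & $openssl pkcs12 -in client.p12 -noout -passin $passSource
    if ($LASTEXITCODE -ne 0) { throw 'client.p12 could not be read back.' }
}
finally {
    Remove-Item Env:\P12_PASS -ErrorAction SilentlyContinue
}
```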