Use the following procedure to prepare the client certificate. Encryption keys backed up on the KMS are managed with the client certificate. The client certificate on the KMS must remain current and not expired. If the client certificate expires or is not current, the storage system will not be able to access the KMS.
CAUTION:
- Encryption keys backed up to the KMS are managed in association with client certificates. If the client certificate is lost and the storage system controller is replaced, the keys that were backed up before the controller replacement cannot be restored.
- When the connection settings are backed up to the KMS, the storage system does not back up the client certificate. Make sure that you back up a copy of the connection settings to the KMS and save a copy of the client certificate separately. Refer to your corporate security policy for procedures related to backups.
- The encryption keys backed up on the KMS are managed with the client certificate. If the client certificate is changed, the encryption keys that were backed up before the change cannot be restored. Make sure to back up the encryption keys immediately after changing the client certificate.
Note:
- For information about obtaining the root certificate of the KMS, see the documentation for the KMS.
- When configuring the connection to the KMS, you must upload the KMS root certificate and the client certificate in PKCS #12 format to the storage system. For details, see Configure the encryption environment.
- OpenSSL must be installed in the C:\openssl folder.
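To check the requirement above that the client certificate stays current, and to record a fingerprint of the separately saved copy, the following PowerShell function can be run against that copy. It is an added example, not part of the vendor procedure; the function name, the file path and the 30-day warning window are assumptions.

```powershell
# Added example, not vendor code. Run it against the separately saved copy of the
# PKCS #12 client certificate. Function name, path and WarnDays are assumptions.
function Test-KmsClientCertificate {
    param(
        [Parameter(Mandatory)] [string] $Path,            # saved .p12/.pfx copy
        [Parameter(Mandatory)] [securestring] $Password,  # PKCS #12 password
        [int] $WarnDays = 30                              # assumed warning window
    )

    # Fail early if the saved copy is missing.
    $file = Get-Item -LiteralPath $Path -ErrorAction Stop

    # Load the certificate from the PKCS #12 file; the password is needed to open it.
    $cert = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 `
                       -ArgumentList $file.FullName, $Password
    try {
        $now  = Get-Date
        $days = [math]::Floor(($cert.NotAfter - $now).TotalDays)

        # "Current" means inside the validity window and outside the warning window.
        $status = if     ($now -lt $cert.NotBefore) { 'NotYetValid' }
                  elseif ($now -gt $cert.NotAfter)  { 'Expired' }
                  elseif ($days -le $WarnDays)      { 'ExpiringSoon' }
                  else                              { 'Current' }

        [pscustomobject]@{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            NotBefore     = $cert.NotBefore
            NotAfter      = $cert.NotAfter
            DaysRemaining = $days
            Status        = $status
            HasPrivateKey = $cert.HasPrivateKey
            # Hash of the file itself, to compare against other saved copies.
            FileSha256    = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
        }
    }
    finally {
        $cert.Reset()   # release the certificate handle
    }
}

# Usage (constructed path):
# $pw = Read-Host -AsSecureString 'PKCS #12 password'
# Test-KmsClientCertificate -Path 'D:\secure-backup\kms-client.p12' -Password $pw
```

A `Status` other than `Current`, or a `FileSha256` that differs between saved copies, is the signal to act before the storage system loses access to the KMS.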