Uploading a signed certificate

System Administrator Guide for VSP 5000 Series

Version: 90-09-2x
Part Number: MK-98RD9009-16

To use SSL-encrypted communication, you must update and upload the private key and the signed server certificate (Public Key) to the SVP.

  • You must have the Storage Administrator (Initial Configuration) role to perform this task.
  • You must be logged into the SVP.
  • A private key (.key file) has been created. Make sure that the file name is server.key.
  • The passphrase for the private key (server.key file) has been released (removed).
  • A signed public key certificate (.crt file) has been acquired. Make sure that the file name is server.crt.
  • You must be an external authentication user whose external user group mapping is disabled, or a local authentication user.
  • If the public key of the certificate to be uploaded is RSA, the key length must not be less than the key length that is set for Minimum Key Length (Key Exchange) in the TLS Security Settings dialog box.
  • The signature hash algorithm of the certificate to be uploaded must be SHA-256, SHA-384, or SHA-512.
  • The extended profile fields in the X.509 certificate support the following items as specified in RFC 5280:
    • subjectAltName
    • CRLDistributionPoint
    • AuthorityInfoAccess
    • BasicConstraints
    • KeyUsage
    • SubjectKeyIdentifier

    Enter the host name or the IP address of the SVP in subjectAltName or CommonName of the certificate to be uploaded.

  • If the public key of the certificate to be uploaded is ECDSA, the public key parameter must be any of the following:
    • ECDSA_P256 (secp256r1)
    • ECDSA_P384 (secp384r1)
    • ECDSA_P521 (secp521r1)
  • When you perform a certificate revocation check by using CRL, set the CRL repository URI for the cRLDistributionPoint (CRL distribution point) of the intermediate certificate and server certificate.
  • When you perform a certificate revocation check by using OCSP, set the OCSP responder URI for authorityInfoAccess (Authority Information Access) of the intermediate certificate and server certificate.
  • When you perform a certificate revocation check on the management client, the CRL repository or the OCSP responder must be on a network that the management client can access. If the management client cannot communicate with the CRL repository or the OCSP responder, the connection to Device Manager - Storage Navigator is established without a certificate revocation check.
  • If an intermediate certificate exists, prepare a signed public key certificate file (server.crt) that has a certificate chain that includes the intermediate certificate.
  • The number of tiers of the certificate chain for the certificate to be uploaded must be 20 tiers or fewer including the root CA certificate.
  • When using a certificate with a key type of ECDSA and a key length of secp521r1, make sure to use Internet Explorer or Firefox as the web browser of the HDvM - SN management client.
    • In Internet Explorer, configure the group policy setting from the management client before this operation. For details, see Configuring the ECC curve order. The Tool Panel dialog box might not open if you do not configure the ECC curve order.
    • In Microsoft Edge or Google Chrome, a certificate with a key type of ECDSA and a key length of secp521r1 cannot be used as of January 2022. If the key type is ECDSA, the key length must be less than secp521r1. Whether secp521r1 can be used in the future depends on the web browser specifications, so check the support status of the security settings for the web browser.
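
A pre-upload check of the prerequisites above, as an added example that is not part of the vendor guide. It uses the openssl command line; the function name check_svp_cert, the 2048-bit default, and the layout of server.crt (server certificate first) are assumptions.

```shell
#!/bin/sh
# Added example, not vendor code. Checks server.crt/server.key before upload.
# usage: check_svp_cert CERT KEY SVP_HOST_OR_IP [MIN_RSA_BITS]
# MIN_RSA_BITS stands for "Minimum Key Length (Key Exchange)"; 2048 is an assumed default.
check_svp_cert() (
  crt=$1 key=$2 host=$3 min_bits=${4:-2048}
  fail() { echo "FAIL: $*" >&2; exit 1; }
  field() { printf '%s\n' "$text" | sed -n "s/.*$1 *//p" | head -n 1; }

  # openssl x509 reads the first certificate in the file (assumed: the server certificate).
  text=$(openssl x509 -in "$crt" -noout -text 2>/dev/null) || fail "cannot parse $crt"

  # Signature hash must be SHA-256, SHA-384 or SHA-512.
  sig=$(field 'Signature Algorithm:')
  case $(printf '%s' "$sig" | tr 'A-Z' 'a-z') in
    *sha256*|*sha384*|*sha512*) ;;
    *) fail "signature algorithm '$sig' is not SHA-256/384/512" ;;
  esac

  # RSA: enforce the minimum length. ECDSA: only P-256, P-384 or P-521.
  bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
  case $(field 'Public Key Algorithm:') in
    rsaEncryption)
      [ "${bits:-0}" -ge "$min_bits" ] || fail "RSA key is $bits bits, minimum is $min_bits" ;;
    id-ecPublicKey)
      curve=$(field 'ASN1 OID:')
      case $curve in prime256v1|secp384r1|secp521r1) ;; *) fail "curve '$curve' not allowed" ;; esac ;;
    *) fail "public key is neither RSA nor ECDSA" ;;
  esac

  # The passphrase must already be released, and the key must belong to the certificate.
  if grep -q ENCRYPTED "$key"; then fail "$key is still passphrase-protected"; fi
  kpub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || fail "cannot read $key"
  [ "$kpub" = "$(openssl x509 -in "$crt" -noout -pubkey)" ] || fail "$key does not match $crt"

  # The SVP host name or IP address must be in the certificate. openssl falls back to
  # CommonName only for host names, and only when there is no DNS subjectAltName.
  case $host in *:*) opt=-checkip ;; *[!0-9.]*) opt=-checkhost ;; *) opt=-checkip ;; esac
  openssl x509 -in "$crt" -noout "$opt" "$host" | grep -q 'does match' \
    || fail "$host is not in the certificate"

  # Counts certificates in the file; a root CA that is not in the file adds one more tier.
  n=$(grep -c 'BEGIN CERTIFICATE' "$crt")
  [ "$n" -le 20 ] || fail "$n certificates in $crt, the limit is 20 tiers"
  echo "OK: $crt and $key pass the checked prerequisites"
)

if [ "$#" -ge 3 ]; then check_svp_cert "$@"; fi
```

The script does not check the CRL distribution point or OCSP responder URIs; confirm those separately if the management client performs revocation checks.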
  1. Close all Device Manager - Storage Navigator sessions on the SVP.
  2. On the management client, open a web browser and enter the following URL to open the Tool Panel dialog box.
    http://IP-address-or-host-name-of-SVP/cgi-bin/utility/toolpanel.cgi
  3. In the Tool Panel dialog box, click Update Certificate Files.
    If SSL communication has been established, the Security Alert dialog box opens before the login dialog box opens. In the Security Alert dialog box, click OK. The Security Alert dialog box closes and the Login dialog box opens.
  4. In the Login dialog box, enter the administrator user ID and password, and click Login. The Upload dialog box opens.
  5. In the Upload dialog box, enter the public key certificate file name (server.crt file) in the Certificate file box and the private key file name (server.key file) in the Key file box. You can enter the file names directly or by clicking Browse or Select File. The name of the button to click depends on the browser.
  6. In the dialog box, confirm the messages about a possible TLS communication failure and recommendations, and then select the check box for I understood that I canceled HTTP blocking or TLS communication might fail.
  7. In the Upload dialog box, click Upload. A confirmation dialog box opens.
  8. Click OK to begin the certificate update. When the update is complete, the SVP web server restarts.
    Depending on the environment, the SVP web server can take 30 to 60 minutes to restart. When it takes that long, the update completion dialog box does not appear and an "internal server error" message is displayed instead. However, the certificate update is complete.

  9. In the error message box, click OK. If the Security Alert dialog box for the certificate opens, click View Certificate to display the certificate. Confirm that the certificate is correct, and click Yes.
    Note: If an error occurs during the certificate update, an error message displays. Resolve the problem described in the error message and then repeat this procedure, starting with Step 4 (login) above.