To use certificates for SSL communication with the SMI-S provider, you must upload the private key and the signed server certificate (public key) to the SMI-S provider, which replaces the certificate currently in use. Use the following procedure to upload and update the certificates with the certificate update tool.
Ensure that the following items have been completed:
- You must have the Storage Administrator (View & Modify) role to perform this task.
- A private key (.key file) has been created. Change the file name to server.key unless the file is already named that. See Creating a private key using the OpenSSL command.
- The passphrase for the private key (server.key file) has been released.
- A signed public key certificate (.crt file) has been acquired. Change the file name to server.crt unless the file is already named that. See Creating a public key using the OpenSSL command.
- When using TLS 1.2, you must set the cipher suites that correspond to the key type of the certificate uploaded to the SVP or the SMI-S provider. Verify the cipher suite settings in the TLS Security Settings dialog box, which is opened from the Tool Panel dialog box:
  - If the key type is RSA, select a cipher suite whose name contains “RSA”.
  - If the key type is ECDSA, select a cipher suite whose name contains “ECDSA”.
  If the cipher suites corresponding to the key type of the certificate are not set, the management software cannot connect to the storage system.
- You must be an external authentication user whose external user group mapping is disabled, or a local authentication user.
- If the public key of the certificate to be uploaded is RSA, the key length must not be less than the key length that is set for Minimum Key Length (Key Exchange) in the TLS Security Settings dialog box.
- If the public key of the certificate to be uploaded is ECDSA, the public key parameter must be one of the following:
  - ECDSA_P256 (secp256r1)
  - ECDSA_P384 (secp384r1)
  - ECDSA_P521 (secp521r1)
- The signature hash algorithm of the certificate to be uploaded must be SHA-256, SHA-384, or SHA-512.
- The extended profile fields in the X.509 certificate support the following items as specified in RFC 5280:
  - subjectAltName
  - CRLDistributionPoint
  - AuthorityInfoAccess
  - BasicConstraints
  - KeyUsage
  - SubjectKeyIdentifier
  Enter the host name or the IP address of the SVP in subjectAltName or CommonName of the certificate to be uploaded.
- When you perform a certificate revocation check by using CRL, set the CRL repository URI for the cRLDistributionPoint (CRL distribution point) of the intermediate certificate and server certificate.
- When you perform a certificate revocation check by using OCSP, set the OCSP responder URI for authorityInfoAccess (Authority Information Access) of the intermediate certificate and server certificate.
- When you perform a certificate revocation check on the management client, the CRL repository or the OCSP responder must be on a network that the management client can reach. If the management client cannot communicate with the CRL repository or the OCSP responder, the connection to Device Manager - Storage Navigator is established without a certificate revocation check.
- If an intermediate certificate exists, prepare a signed public key certificate file (server.crt) that has a certificate chain that includes the intermediate certificate.
- The number of tiers of the certificate chain for the certificate to be uploaded must be 20 tiers or less including the root CA certificate.
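As an added pre-upload check (example code, not part of the original procedure or of the certificate update tool), the following POSIX shell function uses the openssl command line to test a server.key/server.crt pair against the requirements listed above: passphrase removed, RSA length at or above the configured minimum or an ECDSA key on P-256/P-384/P-521, SHA-256/384/512 signature, subjectAltName or CommonName present, key matching the certificate, and no more than 20 certificates in the chain file. The minimum RSA length argument is assumed to be the value set for Minimum Key Length (Key Exchange).

```shell
#!/bin/sh
# check_cert_pair KEYFILE CRTFILE [MIN_RSA_BITS]
# Returns 0 when the pair satisfies the upload prerequisites, 1 otherwise;
# every failed check is reported on stderr.
check_cert_pair() {
    key=$1; crt=$2; min_rsa=${3:-2048}; rc=0
    fail() { echo "FAIL: $*" >&2; rc=1; }

    # 1. Passphrase must be released: an encrypted key cannot be read with an empty passphrase.
    openssl pkey -in "$key" -passin pass: -noout 2>/dev/null \
        || fail "$key is encrypted or unreadable"

    # 2. Key type and parameters, taken from the leaf (first PEM block) of the chain file.
    leaf=$(openssl x509 -in "$crt" -noout -text 2>/dev/null) \
        || fail "$crt is not a readable X.509 certificate"
    case $leaf in
        *"Public Key Algorithm: rsaEncryption"*)
            bits=$(printf '%s\n' "$leaf" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n1)
            [ "${bits:-0}" -ge "$min_rsa" ] || fail "RSA key is ${bits:-?} bits, minimum is $min_rsa" ;;
        *"Public Key Algorithm: id-ecPublicKey"*)
            case $leaf in
                *"ASN1 OID: prime256v1"*|*"ASN1 OID: secp384r1"*|*"ASN1 OID: secp521r1"*) ;;
                *) fail "ECDSA curve is not P-256, P-384 or P-521" ;;
            esac ;;
        *) fail "public key is neither RSA nor ECDSA" ;;
    esac

    # 3. Signature hash must be SHA-256, SHA-384 or SHA-512.
    printf '%s\n' "$leaf" | grep -Eiq 'Signature Algorithm: .*sha(256|384|512)' \
        || fail "signature hash is not SHA-256/384/512"

    # 4. The SVP host name or IP address goes in subjectAltName or CommonName.
    printf '%s\n' "$leaf" | grep -Eq 'X509v3 Subject Alternative Name|Subject:.*CN ?=' \
        || fail "certificate has neither subjectAltName nor CommonName"

    # 5. Private key and certificate must belong together (compare public keys).
    [ "$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)" ] \
        || fail "$key does not match $crt"

    # 6. Chain depth: at most 20 certificates, counted over the PEM blocks present in the file.
    n=$(grep -c 'BEGIN CERTIFICATE' "$crt" || true)
    [ "${n:-0}" -le 20 ] || fail "chain file holds $n certificates, maximum is 20"
    return $rc
}
```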