Caution on updating server certificates

Virtual Storage Platform One SDS Block System Administrator Guide

Version
1.15.x
Audience
anonymous
Part Number
MK-24VSP1SDS001-02

Note the following points when you update your server certificate.

In this section, "Subject Alternative Name" is abbreviated to "SAN".

  • Immediately after VSP One SDS Block is installed, a self-signed certificate is imported. Because that certificate is not issued by a trusted CA, the TLS session over which you perform the first certificate update cannot be verified against a trusted CA, so a secure connection is not guaranteed for that first update. Perform it from a management network you trust.

    Also note that as long as a self-signed certificate is in use, a warning appears whenever a client tries to establish an SSL/TLS session. Take the action described in Action to be taken when a warning message about a server certificate appears.

  • While a server certificate is being updated, the configuration of the storage system cannot be changed using the REST API or CLI. (A configuration change is any management job that creates, updates, or deletes a resource; creating a volume, for example, is a configuration change.)

  • Conversely, while the storage system configuration is being changed, the server certificate cannot be updated. Before you update the server certificate, make sure that no management jobs are running.

  • Server certificates are updated asynchronously: the update request completes before the new certificate is in use, so confirm that the update has finished before you rely on the new certificate.

  • Updating a server certificate has considerable impact on the system and should be approached with caution: an invalid certificate or private key can cause a failure in the storage system. Before you upload them, thoroughly verify the server certificate and private key: confirm that the private key matches the certificate, that the certificate chain is complete, that the validity period has not expired, and that the SAN covers every name or address that clients use to reach the storage system.

  • If the SAN in the server certificate contains IP addresses, be careful when you change the control network by changing or specifying the configuration settings: any change to those addresses requires a certificate that lists the new addresses, so you must update the server certificate several times and certificate management becomes complex.

    When you create a server certificate, we recommend that you specify FQDNs in the SAN as shown below, so that the certificate stays valid when control-network addresses change. Note that a wildcard entry matches only a single label: *.example.com covers storage-node1.example.com but not a name with an additional subdomain level. For details, see Creating a certificate signing request.

    (Virtual machine) (Bare metal)

    • Recommendation 1:

      Use a wildcard (*) as the subdomain of the FQDN that corresponds to the representative IP address of the cluster and of the FQDNs that correspond to the IP address of each storage node control port.

      (Example: *.example.com)

    • Recommendation 2:

      • Specify the FQDN that corresponds to the representative IP address of the cluster.

        (Example: storage.example.com)

      • Specify the FQDN that corresponds to the IP address of each storage node control port.

        (Example: storage-node1.example.com, storage-node2.example.com, ...)

    (Cloud)

    • Recommendation 1:

      Use a wildcard (*) as the subdomain of the FQDN of the load balancer (ELB) and of the FQDNs that correspond to the IP address of each storage node control port.

      (Example: *.example.com)

    • Recommendation 2:

      • Specify the FQDN of the load balancer (ELB).

        (Example: storage.example.com)

      • Specify the FQDN that corresponds to the IP address of each storage node control port (one entry per storage node).

        (Example: storage-node1.example.com, storage-node2.example.com, ...)
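The checks the guide asks for before an update (private key matches the certificate, certificate still valid, SAN covers the cluster's representative FQDN and every node's control-port FQDN) can be scripted with OpenSSL. The following shell script is an added example written for this page; it is not a tool from the VSP One SDS Block product, and the file names, host names, and the self-signed demo certificate it generates are constructed placeholders. It requires OpenSSL 1.1.1 or later. It implements the wildcard rule from the SAN recommendations above in general form (one label only, case-insensitive) and also accepts IP address entries, so you can see both what the recommended FQDN layouts cover and what they do not.

```shell
#!/bin/sh
# Added example for this page; not part of VSP One SDS Block or its tooling.
# Pre-flight checks on a replacement server certificate and private key.
# Requires OpenSSL 1.1.1 or later. All paths and host names are hypothetical.

# cert_key_match CERT KEY: succeed if KEY's public key equals the one in CERT.
cert_key_match() {
  [ "$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)" = \
    "$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)" ]
}

# cert_not_expiring CERT DAYS: succeed if CERT stays valid for at least DAYS days.
cert_not_expiring() {
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# cert_sans CERT: print SAN entries one per line, e.g. "DNS:storage.example.com"
# or "IP Address:192.0.2.10". Prints nothing if the certificate has no SAN.
cert_sans() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 \
    | tr ',' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//; /^$/d'
}

# san_covers CERT HOST: succeed if HOST (FQDN or IP address) matches a SAN entry.
# DNS names compare case-insensitively; a wildcard such as *.example.com matches
# exactly one label (storage-node1.example.com, but neither example.com nor
# node1.rack2.example.com), which is how TLS clients interpret it.
san_covers() {
  host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  cert_sans "$1" | (
    while IFS= read -r entry; do
      case "$entry" in
        "IP Address:$host") exit 0 ;;
        DNS:\*.*)
          suffix=$(printf '%s' "${entry#DNS:*.}" | tr 'A-Z' 'a-z')
          case "$host" in
            *.*) [ "${host#*.}" = "$suffix" ] && exit 0 ;;
          esac ;;
        DNS:*)
          [ "$(printf '%s' "${entry#DNS:}" | tr 'A-Z' 'a-z')" = "$host" ] && exit 0 ;;
      esac
    done
    exit 1
  )
}

# preflight CERT KEY MIN_DAYS HOST...: run every check, report each failure,
# and succeed only if all of them pass.
preflight() {
  cert=$1; key=$2; min_days=$3; shift 3
  rc=0
  cert_key_match "$cert" "$key" || { echo "FAIL: private key does not match certificate"; rc=1; }
  cert_not_expiring "$cert" "$min_days" || { echo "FAIL: certificate expires within $min_days days"; rc=1; }
  for h in "$@"; do
    san_covers "$cert" "$h" || { echo "FAIL: SAN does not cover $h"; rc=1; }
  done
  return $rc
}

# make_demo_cert DIR: write a constructed self-signed certificate and key into DIR.
# Stand-in for the certificate your CA issues; its SAN combines the guide's
# Recommendation 2 names with a wildcard and an IP entry to exercise every rule.
make_demo_cert() {
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$1/server.key" -out "$1/server.crt" -days 365 \
    -subj "/CN=storage.example.com" \
    -addext "subjectAltName=DNS:storage.example.com,DNS:*.example.com,IP:192.0.2.10" \
    >/dev/null 2>&1
}

DEMO_DIR=$(mktemp -d)
make_demo_cert "$DEMO_DIR"
# Cluster representative FQDN plus each node's control-port FQDN (hypothetical names).
if preflight "$DEMO_DIR/server.crt" "$DEMO_DIR/server.key" 30 \
     storage.example.com storage-node1.example.com storage-node2.example.com; then
  echo "OK: certificate passes pre-flight checks; safe to upload"
fi
# A node whose FQDN sits one level deeper is not covered by *.example.com:
if ! preflight "$DEMO_DIR/server.crt" "$DEMO_DIR/server.key" 30 node1.rack2.example.com; then
  echo "Fix the SAN before updating the server certificate"
fi
```

To use it on a real certificate, call preflight with the path to the certificate and key, the number of days of remaining validity you require, and the cluster's representative FQDN (or ELB FQDN) followed by each storage node's control-port FQDN; upload only if it exits 0.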