Use an OpenSSL command to create a certificate signing request.
You can use the same OpenSSL command for both Windows and Linux. Use a console where you can run commands. In Windows, open a command prompt and run the command. In Linux, open a terminal and run the command.
In this section, "Subject Alternative Name" is abbreviated to "SAN".
-
Copy the OpenSSL settings file to the working folder.
Note:
The location of the settings file differs depending on the environment.
Linux: In many cases, the file is stored in /etc/pki/tls/openssl.cnf.
Windows: The location of the file differs depending on the settings specified when OpenSSL is installed.
-
Open the file created in step 1 and add or modify the information as follows.

Section name: req
Parameter name: req_extensions
Value: v3_req
Description: This parameter adds the v3_req section to the certificate signing request settings.

Section name: v3_req
Parameter name: subjectAltName
Value: @alt_names
Description: The system reads the "alt_names" section as the value of the SAN.

Section name: alt_names
Parameter name: DNS.<number>
Value: <FQDN-corresponding-to-the-IP-address-of-a-storage-node-control-port-and-the-representative-IP-address-of-the-storage-cluster>
Description: The system issues a certificate to the FQDN that corresponds to the IP address of a storage node control port and the representative IP address of the storage cluster. For <number> in the parameter name, specify a unique value beginning with 1 in ascending order. If the "alt_names" section does not exist, create it in the settings file.
Example of setting (items other than the above are omitted):

[ req ]
req_extensions = v3_req
[ v3_req ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = storage.example.com
DNS.2 = storage-node2.example.com
DNS.3 = storage-node2.example.com
To ensure secure SSL/TLS communication with all storage nodes, we recommend a certificate in which both of the following items are specified in the SAN, or in which the subdomain shared by the following two FQDNs is specified in the SAN by using a wildcard (*), rather than relying on the common name (CN). (Example: *.example.com)
-
FQDN corresponding to the representative IP address (when using the representative IP address)
-
FQDN corresponding to the IP address of a storage node control port
From version 58 onward, Google Chrome no longer uses the CN to verify the server name. Therefore, we recommend that you specify the FQDN in the SAN if you use the VSP One SDS Block Administrator.
For the SAN, we recommend that you register an FQDN rather than an IP address because, when you change the IP address of a control port, you only have to change the relevant DNS record. Note that using FQDNs requires a DNS server.
If you use a wildcard character for the subdomain in each FQDN specified in a server certificate, you do not need to re-create the server certificate when adding or removing storage nodes.
-
Run the following command.
openssl req -sha256 -new -key server.key -out server.csr -config <file-created-in-step-2>
Option: req
Description: Requests creation of a certificate signing request (CSR).

Option: -sha256
Description: Signature hash algorithm. Use an algorithm from the SHA-2 family.

Option: -key <private-key-file-name>
Description: Specifies the name of the private key used to create the certificate signing request.

Option: -out <certificate-signing-request-file-name>
Description: The command outputs a certificate signing request file with the specified name. You can assign any name to the certificate signing request file. Usually, use ".csr" as the extension.

Option: -config <file-created-in-step-2>
Description: Specifies the name of the settings file that was created in step 2. The information to be registered as the SAN in the certificate is specified in this file.

CAUTION: Use SHA-256 as the hash algorithm. Do not use MD5 or SHA-1, because they are cryptographically weak and might create security problems.
-
Enter the information that will be written to the server certificate.
-
Country Name (2 letter code) [AU]: Enter the two-letter country code (example: JP).
-
State or Province Name (full name) [Some-State]: Specify the name of your prefecture (example: Kanagawa).
-
Locality Name (eg, city) []: Specify the name of your city, ward, town, village, or region (example: Odawara).
-
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Specify the name of your organization (example: Hitachi).
-
Organizational Unit Name (eg, section) []: Specify the name of your department in the organization (example: ITPD).
-
Common Name (eg, YOUR name) []: Enter any value (not entered in the example).
-
Email Address []: Enter your email address (not entered in the example).
-
A challenge password []: Entry is not necessary.
-
An optional company name []: Entry is not necessary.
$ openssl req -sha256 -new -key server.key -out server.csr
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:JP
State or Province Name (full name) [Some-State]:Kanagawa
Locality Name (eg, city) []:Odawara
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Hitachi
Organizational Unit Name (eg, section) []:ITPD
Common Name (eg, server FQDN or YOUR name) []:
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
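The whole procedure above (settings file with alt_names, the openssl req command, and a check that the resulting CSR really carries the SAN) as an added shell example; this is not code from the original page or from the product documentation. It assumes the openssl command is on PATH; the file names, the unencrypted example key and the sample subject fields are constructed for the example.

```shell
# Added example: write the settings file from a list of FQDNs, create the CSR
# with the same options as the page, then verify the SAN and the digest.
# Assumes "openssl" is on PATH; file names and subject fields are constructed.
set -eu
WORKDIR="${WORKDIR:-$(mktemp -d)}"
# req_extensions = v3_req pulls in the v3_req section, whose subjectAltName
# points at alt_names. Each FQDN argument becomes DNS.1, DNS.2, ... from 1.
write_san_config() {
    cfg="$WORKDIR/openssl-san.cnf"
    {
        echo "[ req ]"
        echo "distinguished_name = req_distinguished_name"
        echo "req_extensions = v3_req"
        echo "prompt = no"          # subject comes from the file, no prompts
        echo "[ req_distinguished_name ]"
        echo "C = JP"
        echo "O = Example Org"
        echo "[ v3_req ]"
        echo "subjectAltName = @alt_names"
        echo "[ alt_names ]"
        n=1
        for fqdn in "$@"; do
            echo "DNS.$n = $fqdn"
            n=$((n + 1))
        done
    } > "$cfg"
    echo "$cfg"
}
# Create an unencrypted key (the page assumes server.key already exists),
# then the CSR with the page's options: -sha256 -new -key -out -config.
make_csr() {
    cfg=$(write_san_config "$@")
    openssl genrsa -out "$WORKDIR/server.key" 2048 2>/dev/null
    openssl req -sha256 -new -key "$WORKDIR/server.key" \
        -out "$WORKDIR/server.csr" -config "$cfg" >/dev/null
    echo "$WORKDIR/server.csr"
}
# Print the SAN DNS names of a CSR, one per line. A CSR made without -config
# (or without req_extensions) prints nothing: catch that before sending it
# to the CA, because the issued certificate would then lack the SAN too.
csr_san_names() {
    openssl req -noout -text -in "$1" | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS://p'
}
# Signature digest actually used; expect sha256WithRSAEncryption, not md5/sha1.
csr_sig_alg() {
    openssl req -noout -text -in "$1" | sed -n 's/^[[:space:]]*Signature Algorithm: //p' | head -n 1
}
```

Run it as `. ./make-csr.sh; make_csr storage.example.com storage-node2.example.com` and inspect the CSR with `csr_san_names` before submitting it to the CA.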