Creating a certificate signing request

Virtual Storage Platform One SDS Block System Administrator Guide

Version: 1.15.x
Part Number: MK-24VSP1SDS001-02

Use an OpenSSL command to create a certificate signing request.

You can use the same OpenSSL command for both Windows and Linux. Use a console where you can run commands. In Windows, open a command prompt and run the command. In Linux, open a terminal and run the command.

In this section, "Subject Alternative Name" is abbreviated to "SAN".

  1. Copy the OpenSSL settings file to the working folder.
    Note:

    The location of the settings file differs depending on the environment.

    Linux: In many cases, the file is stored in /etc/pki/tls/openssl.cnf.

    Windows: The location of the file differs depending on the settings specified when OpenSSL is installed.

  2. Open the file created in step 1 and add or modify the information according to the following.

    Section name | Parameter name | Value | Description
    ------------ | -------------- | ----- | -----------
    req | req_extensions | v3_req | This parameter adds the v3_req section to the certificate signing request settings.
    v3_req | subjectAltName | @alt_names | The system reads the "alt_names" section as the value of the SAN.
    alt_names | DNS.<number> | <FQDN-corresponding-to-the-IP address-of-a-storage-node-control-port-and-the-representative-IP address-of-the-storage-cluster> | The system issues a certificate to the FQDN that corresponds to the IP address of a storage node control port and the representative IP address of the storage cluster. For <number> in the parameter name, specify a unique value beginning with 1 in ascending order. If the "alt_names" section does not exist, create it in the settings file.

    (Example of setting): Items other than the above are omitted.

    [ req ]
    req_extensions = v3_req
    [ v3_req ]
    subjectAltName = @alt_names
    [ alt_names ]
    DNS.1 = storage.example.com
    DNS.2 = storage-node2.example.com
    DNS.3 = storage-node2.example.com

    To ensure safe SSL/TLS communications with all storage nodes, we recommend that you use a certificate in which both of the following two items are specified for the SAN, or in which the subdomain shared by the following two FQDNs is specified for the SAN by using a wildcard (*) (example: *.example.com), rather than relying on the common name (CN).

    • FQDN corresponding to the representative IP address (when using the representative IP address)

    • FQDN corresponding to the IP address of a storage node control port

    From version 58 onward, Google Chrome does not support the CN. Therefore, we recommend that you specify the FQDN for the SAN if you use the VSP One SDS Block Administrator.

    For the SAN, we recommend that you register an FQDN because, when you change the IP address of a control port, you only have to change the relevant record in the DNS. If you use the FQDN, you also need to set up a DNS server.

    If you use a wildcard character for the subdomain in each FQDN specified in a server certificate, you do not need to re-create the server certificate when adding or removing storage nodes.

  3. Run the following command.
    openssl req -sha256 -new -key server.key -out server.csr -config <file-created-in-step-2>

    Option | Description
    ------ | -----------
    req | Requests creation of a certificate signing request (csr).
    -sha256 | Signature hash algorithm. Use an algorithm that is equivalent to SHA-2.
    -key <private-key-file-name> | Specifies the name of the private key for creating a certificate signing request.
    -out <certificate-signing-request-file-name> | The command outputs a certificate signing request file with the specified name. You can assign any name to the certificate signing request file. Usually, use ".csr" as the extension.
    -config <file-created-in-step-2> | Specifies the name of the settings file that was created in step 2. The information to be registered as the SAN in the certificate is specified in this file.

    CAUTION:

    Use SHA-256 as the hash algorithm. Do not use MD5 or SHA-1 because they might create security problems.

  4. Enter the information that will be written in the server certificate.
    • Country Name (2 letter code) [AU]: Use two characters to enter the country name (example: JP).

    • State or Province Name (full name) [Some-State]: Specify the name of your state, province, or prefecture (example: Kanagawa).

    • Locality Name (eg, city) []: Specify the name of your city, ward, town, village, or region (example: Odawara).

    • Organization Name (eg, company) [Internet Widgits Pty Ltd]: Specify the name of your organization (example: Hitachi).

    • Organizational Unit Name (eg, section) []: Specify the name of your department in the organization (example: ITPD).

    • Common Name (eg, server FQDN or YOUR name) []: Enter any value (not entered in the example).

    • Email Address []: Enter your email address (not entered in the example).

    • A challenge password []: Entry is not necessary.

    • An optional company name []: Entry is not necessary.

    $ openssl req -sha256 -new -key server.key -out server.csr -config <file-created-in-step-2>
    Enter pass phrase for server.key:
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:JP
    State or Province Name (full name) [Some-State]:Kanagawa
    Locality Name (eg, city) []:Odawara
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:Hitachi
    Organizational Unit Name (eg, section) []:ITPD
    Common Name (eg, server FQDN or YOUR name) []:
    Email Address []:
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
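A scripted version of steps 2 and 3, added here as an example and not taken from the guide: it writes the settings file with the alt_names section for any number of FQDNs, creates the CSR with the same openssl req command, and then decodes the CSR to confirm that the SAN is actually present. The DN values, the prompt = no setting and the demo key generated with openssl genrsa are assumptions that only serve to keep the demo non-interactive.

```shell
#!/bin/sh
# Added example, not part of the Hitachi guide: build the settings file from
# step 2 for a list of FQDNs, create the CSR with the step 3 command, and
# confirm that the SAN really ended up in the request.
# Assumptions: openssl is on PATH; the DN values and "prompt = no" are added
# here only so the demo runs without the interactive prompts of step 4.
set -eu

# Write [ req ] -> v3_req -> alt_names, numbering DNS.<n> from 1 upward,
# one entry per FQDN argument (explicit names or a wildcard such as *.example.com).
make_san_config() {
    out=$1; shift
    {
        printf '[ req ]\ndistinguished_name = req_distinguished_name\n'
        printf 'req_extensions = v3_req\nprompt = no\n'
        printf '[ req_distinguished_name ]\nC = JP\nST = Kanagawa\nL = Odawara\n'
        printf 'O = Hitachi\nOU = ITPD\n'
        printf '[ v3_req ]\nsubjectAltName = @alt_names\n[ alt_names ]\n'
        n=1
        for fqdn in "$@"; do
            printf 'DNS.%d = %s\n' "$n" "$fqdn"
            n=$((n + 1))
        done
    } > "$out"
}

# Run the step 3 command (SHA-256, existing private key, SAN from the settings
# file), then decode the CSR and print the SAN line so it can be checked.
csr_san() {
    cfg=$1 key=$2 csr=$3
    openssl req -sha256 -new -key "$key" -out "$csr" -config "$cfg" >/dev/null
    openssl req -in "$csr" -noout -text |
        awk '/Subject Alternative Name/ { getline; sub(/^ +/, ""); print }'
}

# Demo with constructed names: the representative FQDN plus the wildcard
# subdomain the guide recommends for the storage node control ports.
demo() {
    tmp=$(mktemp -d)
    openssl genrsa -out "$tmp/server.key" 2048 2>/dev/null
    make_san_config "$tmp/san.cnf" storage.example.com '*.example.com'
    csr_san "$tmp/san.cnf" "$tmp/server.key" "$tmp/server.csr"
}

# Only run the demo when openssl is available.
if command -v openssl >/dev/null 2>&1; then demo; fi
```

Decoding the request before sending it to the CA is the quickest way to catch a settings file that was not passed with -config, in which case no SAN is present and the certificate will be issued without one.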