After you create a private key and a public key, obtain a signed certificate file for the public key. Three methods are available to obtain signed certificate files.
- Obtain certificates from the Certificate Authority in your company. (Recommended)
- Obtain official certificates from a public Certificate Authority such as VeriSign. (Recommended)
- Create self-signed certificates.
Obtaining certificates from the Certificate Authority in your company
Contact the relevant department in your company for how to obtain server certificates. A server certificate signed by the Certificate Authority in your company (hereinafter, an in-house server certificate) is only as trustworthy as the root certificate of that Certificate Authority: the root certificate is what a client uses to prove that the server certificate is valid. To enable a secure connection with the VSP One SDS Block, that root certificate must be imported to every client machine that communicates with VSP One SDS Block. Obtain both the in-house server certificate and the root certificate. For details about how to import root certificates, see Importing root certificates.
Obtaining official certificates from a public Certificate Authority
To obtain a signed certificate that clients trust by default, send a certificate signing request file (CSR file) to a public Certificate Authority such as VeriSign and obtain a signed certificate for the public key (CRT file). For the procedure for requesting a certificate from a public Certificate Authority, see the website of the Certificate Authority you want to apply to.
A certificate from a public Certificate Authority costs money and requires the Certificate Authority's validation criteria to be met, but no root certificate has to be imported on client machines, because the public Certificate Authority's root is already in the trust store of browsers and operating systems.
When you request a public Certificate Authority to issue a certificate, specify the host name of VSP One SDS Block in the Common Name field. Make sure the same host name is also listed in the Subject Alternative Name extension, because current browsers match the host name against the Subject Alternative Name only and ignore the Common Name.
Obtaining self-signed certificates
You can create a signed certificate for a public key by signing the certificate yourself, without asking any Certificate Authority to sign it for you. Because no third party vouches for a self-signed certificate, clients do not trust it by default; use self-signed certificates only for testing encrypted connections.
To create a self-signed certificate, run the following command.
Example:
openssl x509 -req -sha256 -days 10000 -in server.csr -signkey server.key -out server.crt
In this example, the validity period is set to 10,000 days (roughly 27 years) and the certificate is signed with the SHA-256 hash algorithm. For a test certificate, a shorter validity period is safer: if the private key is ever leaked, the self-signed certificate stays usable on every client that trusts it until it expires or is removed by hand.
A server.crt file is created in the folder where you run the command. This server.crt file is the self-signed certificate for the public key.
- Make sure that you use SHA-256 for the hash algorithm. Do not use MD5 or SHA-1, because collisions can be found for both and a forged certificate could be produced.
- If you use a self-signed certificate, a warning message appears when you try to make an SSL/TLS connection, because the client cannot verify the certificate against a trusted root. To make SSL/TLS connections using this certificate anyway, add the option for ignoring warnings. Note that ignoring the warning turns off server authentication for that connection, so an attacker on the network path could impersonate the VSP One SDS Block; do this only on test systems.
(Virtual machine) When importing a self-signed certificate with X.509 v3 extended attributes as a trusted root certificate to a browser, CLI, or maintenance node, you need to set the following attribute values so that the certificate is accepted as a certificate authority.
- X509v3 Basic Constraints must be CA:TRUE.
- If the X509v3 Key Usage extension is set, it must include both of the following values:
  - Digital Signature
  - Certificate Sign
(Bare metal)(Cloud) When importing a self-signed certificate with X.509 v3 extended attributes as a trusted root certificate to a browser or CLI, you need to set the following attribute values so that the certificate is accepted as a certificate authority.
- X509v3 Basic Constraints must be CA:TRUE.
- If the X509v3 Key Usage extension is set, it must include both of the following values:
  - Digital Signature
  - Certificate Sign
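The following shell script is an added example and is not part of the VSP One SDS Block documentation or product. It generates a private key and CSR, then produces two certificates: one with the bare openssl x509 -req command shown above, and one with the same command plus -extfile so that the X509v3 Basic Constraints (CA:TRUE), Key Usage (Digital Signature, Certificate Sign) and Subject Alternative Name attributes are added. A check function then tests each certificate against the requirements on this page and confirms that it matches the private key. The host name sds-block.example.com, the directory and function names and the 3650-day validity period are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not from the VSP One SDS Block documentation: build a
# self-signed certificate that meets the trusted-root requirements on this
# page (SHA-256, Basic Constraints CA:TRUE, Key Usage Digital Signature and
# Certificate Sign, host name as Common Name and SAN) and check the result.
# Host name, file names and validity period are assumptions.
set -eu

# Minimal OpenSSL config: subject for the CSR plus a v3_ca section with the
# extensions a browser or CLI needs before it accepts the file as a root.
write_openssl_config() {
    host="$1"; cnf="$2"
    cat > "$cnf" <<EOF
[req]
prompt = no
distinguished_name = dn

[dn]
CN = $host

[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, digitalSignature, keyCertSign
subjectAltName = DNS:$host
EOF
}

# Key + CSR + self-signed certificate for HOST in DIR, valid for DAYS days.
# WITH_EXT=yes adds the v3 extensions; WITH_EXT=no runs the page's bare
# command, which yields a certificate without Basic Constraints or Key Usage.
make_selfsigned_cert() {
    host="$1"; dir="$2"; days="$3"; with_ext="$4"
    mkdir -p "$dir"
    write_openssl_config "$host" "$dir/openssl.cnf"
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    openssl req -new -sha256 -config "$dir/openssl.cnf" \
        -key "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    if [ "$with_ext" = yes ]; then
        openssl x509 -req -sha256 -days "$days" -in "$dir/server.csr" \
            -signkey "$dir/server.key" -extfile "$dir/openssl.cnf" \
            -extensions v3_ca -out "$dir/server.crt" 2>/dev/null
    else
        openssl x509 -req -sha256 -days "$days" -in "$dir/server.csr" \
            -signkey "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
    fi
}

# Return 0 if CRT meets every requirement on this page for HOST and its
# public key matches KEY; otherwise print each unmet requirement, return 1.
check_root_cert() {
    crt="$1"; key="$2"; host="$3"; ok=0
    text=$(openssl x509 -in "$crt" -noout -text)
    echo "$text" | grep -q 'sha256WithRSAEncryption' \
        || { echo "FAIL: signature hash is not SHA-256"; ok=1; }
    echo "$text" | grep -q 'CA:TRUE' \
        || { echo "FAIL: Basic Constraints is not CA:TRUE"; ok=1; }
    echo "$text" | grep -q 'Digital Signature, Certificate Sign' \
        || { echo "FAIL: Key Usage lacks Digital Signature + Certificate Sign"; ok=1; }
    echo "$text" | grep -q "CN *= *$host" \
        || { echo "FAIL: Common Name is not $host"; ok=1; }
    echo "$text" | grep -q "DNS:$host" \
        || { echo "FAIL: no Subject Alternative Name for $host"; ok=1; }
    [ "$(openssl x509 -in "$crt" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ] \
        || { echo "FAIL: certificate public key does not match $key"; ok=1; }
    return $ok
}

# Usage: `sh selfsigned.sh demo` builds both variants and checks them.
if [ "${1:-}" = demo ]; then
    host=sds-block.example.com
    make_selfsigned_cert "$host" ./good 3650 yes
    make_selfsigned_cert "$host" ./plain 3650 no
    check_root_cert ./good/server.crt ./good/server.key "$host" && echo "good: OK"
    check_root_cert ./plain/server.crt ./plain/server.key "$host" \
        || echo "plain: rejected as expected (no v3 extensions)"
fi
```

The extensions are marked critical so that a client which does not understand them rejects the certificate rather than silently ignoring the constraint; the Subject Alternative Name is included because browsers no longer match the host name against the Common Name alone.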