Importing signed certificates for an SSL/TLS connection

Virtual Storage Platform One SDS Block System Administrator Guide

Version: 1.16.x
Audience: anonymous
Part Number: MK-24VSP1SDS001-03

To enable an SSL/TLS connection to VSP One SDS Block using a certificate, import the applicable private key and a signed certificate for the applicable public key to VSP One SDS Block and update the certificate.

  • Required role: Security

  • The applicable private key must be created beforehand.

  • A signed certificate for the applicable public key must be obtained beforehand.

  • The private key format must be PEM or DER.

  • The format of the signed certificate for the public key must be X509.

  • The private key must not be passphrase-protected; remove the passphrase before importing.

  • The server certificate to be imported must pair with the private key (the certificate's public key must correspond to that private key).

  • If you import a server certificate in RSA format, a key length in the range from 1024 to 8192 bits is supported. The recommended key length is 2048 bits or longer. If you import a server certificate in ECC format, you can use one of the following elliptic curves: prime256v1, secp384r1, and secp521r1.

Note:
  • The following extension fields of an X.509 certificate are supported, as specified in RFC 5280:

    • Basic Constraints

    • Key Usage

    • Subject Key Identifier

    • Authority Key Identifier

    • Certificate Policies

    • Subject Alternative Name

    • Name Constraints

    • Policy Constraints

    • Extended Key Usage

    • Inhibit anyPolicy

  • The number of layers in the certificate chain should be no more than 10, including the root CA certificate.
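Before step 1, it helps to confirm the prerequisites above locally. The following POSIX shell script is an added example, not part of this guide or of the product: it uses only openssl, takes the private key, certificate and (optional) chain file paths as arguments, and checks that the key opens without a passphrase, that the certificate belongs to the key, that the key size or curve is in the supported set, and that a PEM chain holds at most 10 certificates.

```shell
#!/bin/sh
# Pre-import checks for a VSP One SDS Block server certificate (added example,
# not vendor code). File names such as key.pem / cert.pem are hypothetical.

# Print the public key (SubjectPublicKeyInfo) of a PEM or DER private key.
# It is opened with an empty passphrase only, so a passphrase-protected key fails.
read_key() {
  openssl pkey -in "$1" -passin pass: -pubout 2>/dev/null ||
  openssl pkey -in "$1" -inform DER -passin pass: -pubout 2>/dev/null
}

# Print the public key carried by an X.509 certificate (PEM or DER).
cert_pubkey() {
  openssl x509 -in "$1" -noout -pubkey 2>/dev/null ||
  openssl x509 -in "$1" -inform DER -noout -pubkey 2>/dev/null
}

# The certificate must belong to the private key: compare the two public keys.
key_matches_cert() {
  k=$(read_key "$1") || return 1
  c=$(cert_pubkey "$2") || return 1
  [ "$k" = "$c" ]
}

# RSA keys must be 1024..8192 bits; ECC keys must use one of the three listed
# named curves. Other curves or explicit EC parameters are rejected.
key_params_allowed() {
  txt=$(read_key "$1" | openssl pkey -pubin -text -noout 2>/dev/null) || return 1
  case "$txt" in
    *"ASN1 OID: prime256v1"*|*"ASN1 OID: secp384r1"*|*"ASN1 OID: secp521r1"*)
      return 0 ;;
  esac
  bits=$(printf '%s\n' "$txt" | sed -n 's/^.*Public-Key: (\([0-9]*\) bit).*$/\1/p')
  [ -n "$bits" ] && [ "$bits" -ge 1024 ] && [ "$bits" -le 8192 ]
}

# A PEM chain file may contain 1 to 10 certificates, root CA included.
chain_depth_ok() {
  n=$(grep -c 'BEGIN CERTIFICATE' "$1") || true
  [ "${n:-0}" -ge 1 ] && [ "$n" -le 10 ]
}

# precheck key.pem cert.pem [chain.pem]: runs all checks, names the first failure.
precheck() {
  key_matches_cert "$1" "$2" || { echo "key/cert mismatch or key is encrypted"; return 1; }
  key_params_allowed "$1"    || { echo "unsupported key size or curve"; return 1; }
  chain_depth_ok "${3:-$2}"  || { echo "chain depth not in 1..10"; return 1; }
  echo "pre-import checks passed"
}
```

Run it as `precheck server.key server.crt chain.pem`; a non-zero exit means the import would not meet one of the stated requirements.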

  1. Import the server certificate.

    You can perform this for the cluster master node (primary) only.

    Run either of the following commands, specifying the server certificate file (public key) and the private key file to be transferred to the storage cluster.

    REST API: POST /v1/objects/server-certificate/actions/import/invoke

    CLI: server_certificate_import

    Note the job ID that is displayed after the command runs.

  2. Verify the state of the job.

    Run either of the following commands with the job ID specified.

    REST API: GET /v1/objects/jobs/<jobId>

    CLI: job_show

    If the job state is "Succeeded", the job is completed.

  3. Verify the server certificate.

    Confirm the requirements in Client requirements for SSL communication. Then run a REST API or CLI command, or open VSP One SDS Block Administrator in a browser, and confirm that a security warning* does not appear. If a security warning appears, contact customer support.

    * A security warning is an error message that contains any of the following text:

    "SSL", "TLS", "security certificate", "not protected", "not safe", "server certificate"

    If you are using VSP One SDS Block Administrator, check the message (including the detailed error information) in the error window of the browser.

  4. (Bare metal) Back up the configuration information.

    Perform this step by referring to Backing up the configuration information (Bare metal).

    If you continue operations with other procedures, you must back up the configuration information after you have completed all operations.

    CAUTION:

    If you want to perform the import again due to an operation error such as importing the wrong server certificate, allow at least 60 seconds between imports to prevent operation conflicts.