I thought I'd run through the procedure of creating a Certificate Signing Request (CSR) for the StorageGRID 11.7 Grid Manager Management interface.
Useful links:
- Configure management interface certificates [StorageGRID 11.7]
- How to generate a certificate signing request for StorageGRID - NetApp KB
- How to create-generate SSL CA certificate for StorageGRID - NetApp KB
- GitHub - NetApp-StorageGRID/SSL-Certificate-Configuration
- storagegrid-118/admin/configuring-custom-server-certificate-for-grid-manager
Walkthrough
1) Obtain StorageGRID Grid Manager Passwords.txt
To create the CSR we need OpenSSL, and OpenSSL is available on a StorageGRID admin node (it runs Debian Linux). First we'll need to obtain the Recovery Package (which holds the Passwords.txt file) from StorageGRID Grid Manager.
Maintenance > Recovery Package
2) Login to a StorageGRID admin node over SSH
Login as admin using the password in Passwords.txt
3) Creation of Private Key
openssl genrsa -out ssl.key 2048
4) Creation of Certificate Signing Request Template
Note: This certificate will apply to all Grid Manager management interfaces on all admin nodes in the grid.
vi ssl.cnf
Below is an example ssl.cnf file contents. Edit the *_default values (country, state, locality, organization, unit, common name, e-mail) and the DNS entries under [alt_names] as per your requirements. Also, feel free to add more DNS entries.
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
[req_distinguished_name]
countryName = Country Name (2 letter code)
countryName_default = US
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = California
localityName = Locality Name (eg, city)
localityName_default = Los Angeles
0.organizationName = Organization Name (eg, company)
0.organizationName_default = ACME
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = Storage Team
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_default = dc1-adm1.acme.com
commonName_max = 64
emailAddress = E-Mail Address
emailAddress_max = 64
emailAddress_default = support@acme.com
[v3_req]
subjectAltName = @alt_names
[alt_names]
DNS.1 = dc1-adm1.acme.com
DNS.2 = dc1-adm2.acme.com
DNS.3 = dc2-adm1.acme.com
DNS.4 = dc2-adm2.acme.com
5) Verification of Certificate Signing Request Template
cat ssl.cnf
6) Creation of Certificate Signing Request
openssl req -new -key ssl.key -out ssl.csr -config ssl.cnf
7) Validation of Certificate Signing Request
openssl req -text -noout -in ssl.csr
8) Copy the CSR
cat ssl.csr
9) Copy the private key
cat ssl.key
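The walkthrough's steps 3 to 7 scripted end to end, followed by the checks worth running before the CSR leaves the admin node: the CSR's self-signature verifies, the CSR carries the public half of ssl.key (otherwise the certificate the CA returns will not load against the key), the key is at least 2048 bits, and the common name is also listed in the subjectAltName (modern clients ignore the CN). This is an added example, not code from the original post or from NetApp; the template is the post's ssl.cnf, the file and DNS names are taken from the post, and the working directory, the -batch flag (which makes openssl req take every *_default value instead of prompting) and umask 077 for ssl.key (the key is the secret that protects the Grid Manager endpoint, so keep it owner-readable and copy it only into Grid Manager alongside the signed certificate) are assumptions of this script.

```shell
#!/bin/sh
# Added example, not part of the original post: steps 3, 4, 6 and 7 of the
# walkthrough scripted, plus the checks a reviewer wants before submitting
# the CSR. File names and DNS names are assumptions copied from the post.
set -eu

WORKDIR=$(mktemp -d)

# Steps 3, 4 and 6: private key, template, CSR. umask 077 keeps ssl.key
# readable only by its owner; -batch makes openssl req use every *_default
# value from the template instead of prompting, so this runs unattended.
make_csr() {
    dir=$1
    ( umask 077 && openssl genrsa -out "$dir/ssl.key" 2048 2>/dev/null )
    cat > "$dir/ssl.cnf" <<'EOF'
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
[req_distinguished_name]
countryName = Country Name (2 letter code)
countryName_default = US
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = California
localityName = Locality Name (eg, city)
localityName_default = Los Angeles
0.organizationName = Organization Name (eg, company)
0.organizationName_default = ACME
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = Storage Team
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_default = dc1-adm1.acme.com
commonName_max = 64
emailAddress = E-Mail Address
emailAddress_max = 64
emailAddress_default = support@acme.com
[v3_req]
subjectAltName = @alt_names
[alt_names]
DNS.1 = dc1-adm1.acme.com
DNS.2 = dc1-adm2.acme.com
DNS.3 = dc2-adm1.acme.com
DNS.4 = dc2-adm2.acme.com
EOF
    openssl req -new -batch -key "$dir/ssl.key" -out "$dir/ssl.csr" \
        -config "$dir/ssl.cnf" 2>/dev/null
}

# Step 7 made machine-checkable: DNS names in the CSR's subjectAltName,
# one per line, in the order they appear in the request.
csr_san_dns() {
    openssl req -noout -text -in "$1" | grep 'DNS:' | tr ',' '\n' | sed 's/^ *DNS://'
}

# Size in bits of the public key carried by the CSR (matches both the
# "RSA Public-Key: (2048 bit)" and "Public-Key: (2048 bit)" text formats).
csr_key_bits() {
    openssl req -noout -text -in "$1" \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit.*/\1/p' | head -n 1
}

# Common name from the CSR subject (handles "CN = x, ..." and "/CN=x/" styles).
csr_cn() {
    openssl req -noout -subject -in "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Succeeds only if the CSR's public key is the one derived from the given key.
csr_matches_key() {
    a=$(openssl req -noout -pubkey -in "$1")
    b=$(openssl pkey -pubout -in "$2")
    [ "$a" = "$b" ]
}

# Pass/fail gate over the CSR: signature, key match, key size, CN in SAN.
check_csr() {
    csr=$1
    key=$2
    rc=0
    openssl req -noout -verify -in "$csr" >/dev/null 2>&1 \
        || { echo "FAIL: CSR self-signature does not verify"; rc=1; }
    csr_matches_key "$csr" "$key" || { echo "FAIL: ssl.key does not match CSR"; rc=1; }
    bits=$(csr_key_bits "$csr")
    [ "${bits:-0}" -ge 2048 ] || { echo "FAIL: key is only ${bits:-?} bits"; rc=1; }
    cn=$(csr_cn "$csr")
    csr_san_dns "$csr" | grep -qx "$cn" || { echo "FAIL: CN $cn missing from SAN"; rc=1; }
    return $rc
}

make_csr "$WORKDIR"
# An unrelated key, constructed only to show the mismatch check firing.
openssl genrsa -out "$WORKDIR/other.key" 2048 2>/dev/null
check_csr "$WORKDIR/ssl.csr" "$WORKDIR/ssl.key" && echo "CSR checks passed"
csr_matches_key "$WORKDIR/ssl.csr" "$WORKDIR/other.key" \
    || echo "other.key rejected: does not match the CSR (expected)"
```

Run it on the admin node after step 2; the same four functions can be pointed at an existing ssl.csr and ssl.key to re-check a request before pasting it into the CA's submission form in step 10.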
10) Submit Certificate Signing Request to a Certificate Authority
To be continued ...
One issue I have come across is multiple short names. I couldn't get it to work in the SAN section of the CNF file (as DNS entries). This link - https://www.gradenegger.eu/en/more-than-one-common-name-common-name-cn-in-the-certificate - suggests more than one common name is possible (but the field has a default limit of 64 characters; not sure if we can raise this). To be continued...
We did get it working with shortnames. Discovered the order is important. If your CNF has the SAN entries like this:
DNS.1 = shortname1
DNS.2 = shortname1.domain.com
DNS.3 = shortname2
DNS.4 = shortname2.domain.com
All is good.
The following is bad:
DNS.1 = shortname1.domain.com
DNS.2 = shortname2.domain.com
DNS.3 = shortname1
DNS.4 = shortname2