[StorageGRID][11.7] Creating a CSR for Grid Manager Management Interface

I thought I'd run through the procedure of creating a Certificate Signing Request (CSR) for the StorageGRID 11.7 Grid Manager Management interface.

Walkthrough

1) Obtain the StorageGRID Grid Manager Passwords.txt

In order to create the CSR we need to use OpenSSL, and OpenSSL is already available on a StorageGRID admin node (which runs Debian Linux). First we'll need to obtain the Recovery Package (which holds the Passwords.txt file) from the StorageGRID Grid Manager.

Maintenance > Recovery Package


2) Log in to a StorageGRID admin node over SSH

Log in as admin using the password in Passwords.txt.


3) Create an SSL key

openssl genrsa -out ssl.key 2048

4) Creation of Certificate Signing Request Template

Note: This certificate will apply to all Grid Manager management interfaces on all admin nodes in the grid.

vi ssl.cnf

Below is an example of the ssl.cnf file contents. Edit the default values (the *_default lines and the DNS entries under [alt_names]) as per your requirements. Also, feel free to add more DNS entries.

[req]
distinguished_name              = req_distinguished_name
req_extensions                  = v3_req
[req_distinguished_name]
countryName                     = Country Name (2 letter code)
countryName_default             = US
stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = California
localityName                    = Locality Name (eg, city)
localityName_default            = Los Angeles
0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = ACME
organizationalUnitName          = Organizational Unit Name (eg, section)
organizationalUnitName_default  = Storage Team
commonName                      = Common Name (e.g. server FQDN or YOUR name)
commonName_default              = dc1-adm1.acme.com
commonName_max                  = 64
emailAddress                    = E-Mail Address
emailAddress_max                = 64
emailAddress_default            = support@acme.com
[v3_req]
subjectAltName = @alt_names
[alt_names]
DNS.1 = dc1-adm1.acme.com
DNS.2 = dc1-adm2.acme.com
DNS.3 = dc2-adm1.acme.com
DNS.4 = dc2-adm2.acme.com

5) Verification of Certificate Signing Request Template

cat ssl.cnf

6) Creation of Certificate Signing Request

openssl req -new -key ssl.key -out ssl.csr -config ssl.cnf

7) Validation of Certificate Signing Request

openssl req -text -noout -in ssl.csr

Check that the Subject shows the expected Common Name and that the Requested Extensions section lists every DNS name from [alt_names] under X509v3 Subject Alternative Name.

8) Copy the CSR

cat ssl.csr

9) Copy the private key

cat ssl.key

10) Submit Certificate Signing Request to a Certificate Authority

To be continued ...
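Steps 3 to 7 as one non-interactive script, added here as an example and not part of the original post. It writes the ssl.cnf with prompt = no (instead of the prompted *_default form shown above) so it runs unattended, and it finishes with the check a practitioner wants at step 7: every admin-node FQDN must appear as a DNS entry in the CSR's Subject Alternative Name. The hostnames and subject fields are the constructed ACME values from the template above.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes openssl is on PATH,
# as it is on a StorageGRID admin node. Hostnames/subject are constructed.
set -eu

# write_cnf OUTFILE CN FQDN... : emit an ssl.cnf whose [alt_names] lists every FQDN
write_cnf() {
    out=$1; cn=$2; shift 2
    {
        printf '[req]\ndistinguished_name = req_distinguished_name\n'
        printf 'req_extensions = v3_req\nprompt = no\n'
        printf '[req_distinguished_name]\nC = US\nST = California\nL = Los Angeles\n'
        printf 'O = ACME\nOU = Storage Team\nCN = %s\n' "$cn"
        printf '[v3_req]\nsubjectAltName = @alt_names\n[alt_names]\n'
        i=1
        for name in "$@"; do
            printf 'DNS.%d = %s\n' "$i" "$name"
            i=$((i + 1))
        done
    } > "$out"
}

# make_csr KEY CSR CNF : same two openssl commands as steps 3 and 6
make_csr() {
    openssl genrsa -out "$1" 2048 2>/dev/null
    openssl req -new -key "$1" -out "$2" -config "$3"
}

# csr_has_sans CSR FQDN... : return 0 only if every FQDN is a DNS SAN in the CSR
csr_has_sans() {
    csr=$1; shift
    # The SAN values are printed on the line after the extension name
    sans=$(openssl req -noout -text -in "$csr" \
        | grep -A1 'Subject Alternative Name' | tail -n 1)
    for name in "$@"; do
        case ", $sans," in
            *"DNS:$name,"*) ;;                       # exact entry present
            *) echo "missing SAN: $name" >&2; return 1 ;;
        esac
    done
    return 0
}

# Run it for the four admin nodes named in the template above
write_cnf ssl.cnf dc1-adm1.acme.com \
    dc1-adm1.acme.com dc1-adm2.acme.com dc2-adm1.acme.com dc2-adm2.acme.com
make_csr ssl.key ssl.csr ssl.cnf
csr_has_sans ssl.csr dc1-adm1.acme.com dc1-adm2.acme.com \
    dc2-adm1.acme.com dc2-adm2.acme.com && echo "CSR SAN list OK"
```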

Comments

  1. One issue I have come across is multiple short names. I couldn't get it to work in the SAN section of the CNF file (as DNS entries). This link - https://www.gradenegger.eu/en/more-than-one-common-name-common-name-cn-in-the-certificate - suggests more than one common name is possible (but the field has a default limit of 64 characters; not sure if we can raise this). To be continued...

    Replies
    1. We did get it working with short names. Discovered the order is important. If your CNF has the SAN entries like this:

      DNS.1 = shortname1
      DNS.2 = shortname1.domain.com
      DNS.3 = shortname2
      DNS.4 = shortname2.domain.com

      All is good.

      The following is bad:

      DNS.1 = shortname1.domain.com
      DNS.2 = shortname2.domain.com
      DNS.3 = shortname1
      DNS.4 = shortname2

