Customer defined encryption certificates

You can use a custom encryption certificate in place of the Gen1 and Gen2 certificates.

A customer defined encryption certificate must meet the following requirements:
  • The certificate must have an RSA public/private key pair with a single private key.
  • The certificate must use PKCS12 format.
  • The hashing algorithm must be SHA-256.
  • The public exponent must be 65537 or less.
  • The public key size must be 2048 bits.
  • The "Not Before" date must be before the current date.
  • The "Not After" date must be after the current date.
  • The CN field value must be the storage facility image (SFI) ID for the storage system. For example, CN=2107-75NR699.
  • The UID field value must use the following format: DS8K-SFI_ID. For example, UID=DS8K-2107-75NR699.
  • For KMIP encryption groups that use a certificate user ID for SafeNet key server local authentication, the UID field value must use the same format, DS8K-SFI_ID. For example, UID=DS8K-2107-75NR699.

Example of CA signing a certificate

The following example uses the OpenSSL ca command to sign a certificate as a certificate authority (CA). The command reads the openssl.cnf configuration file and applies the usr_cert section of that file as the certificate extensions. The certificate is valid for 365 days and uses a SHA-256 signature. The -notext parameter tells the command not to include the text form of the certificate in the output. The -in parameter takes the name of the CSR file that the CA signs. The -out parameter takes the file name of the signed certificate in .pem format.

openssl ca -config openssl.cnf -extensions usr_cert -days 365 \
  -notext -md sha256 -in CSR_file_name.csr.pem -out signed_file_name.cert.pem

Example of generating a password protected PKCS12 certificate that contains a signed certificate and a private key

The following example uses the OpenSSL pkcs12 command with the -export parameter to create a PKCS12 certificate that contains a signed certificate, its certificate chain, and a private key. The -in parameter specifies the certificate signed by the CA. The -inkey parameter specifies the private key. The -certfile parameter specifies a certificate chain to include in the PKCS12 certificate. The -out parameter takes the file name of the PKCS12 certificate in .p12 format. The -name parameter specifies a friendly name to associate with the PKCS12 certificate for reference. The pkcs12 command prompts for a password, which must be supplied again when the certificate is imported into the storage system.

openssl pkcs12 -export -in signed_file_name.cert.pem -inkey private_key_name.pem \
  -certfile certificate_file_name.cert.pem -out pkcs12_file_name.p12 -name "name"
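An added check script, not from the original page, that verifies a finished .p12 file against the requirements listed at the top of this page using only the openssl command-line tool (it assumes GNU date for the "Not Before" comparison). The SFI ID 2107-75NR699, the password "secret" and the file names are assumptions, and make_test_bundle builds a constructed self-signed bundle purely for trying the check; a production certificate would be CA-signed as shown above.

```shell
#!/bin/sh
# Usage: check_ds8k_pkcs12 FILE PASSWORD SFI_ID   (returns 0 only if every requirement passes)
_fail() { echo "FAIL: $1"; fails=$((fails + 1)); }

check_ds8k_pkcs12() {
  p12="$1"; pass="$2"; sfi="$3"; fails=0
  cert=$(openssl pkcs12 -in "$p12" -passin "pass:$pass" -nokeys -clcerts 2>/dev/null) \
    || { echo "FAIL: cannot open $p12 (wrong password or not PKCS12)"; return 1; }
  # The bundle must carry exactly one private key.
  keys=$(openssl pkcs12 -in "$p12" -passin "pass:$pass" -nocerts -nodes 2>/dev/null \
    | grep -c 'BEGIN.*PRIVATE KEY')
  txt=$(printf '%s\n' "$cert" | openssl x509 -noout -text)
  subj=$(printf '%s\n' "$cert" | openssl x509 -noout -subject -nameopt sep_multiline)
  exp=$(printf '%s\n' "$txt" | sed -n 's/.*Exponent: \([0-9]*\).*/\1/p')
  cn=$(printf '%s\n' "$subj" | sed -n 's/^ *CN=//p')
  uid=$(printf '%s\n' "$subj" | sed -n 's/^ *UID=//p')
  nb=$(printf '%s\n' "$cert" | openssl x509 -noout -startdate | cut -d= -f2)
  [ "$keys" -eq 1 ] || _fail "expected exactly one private key, found $keys"
  printf '%s\n' "$txt" | grep -q 'Public Key Algorithm: rsaEncryption' || _fail "key is not RSA"
  printf '%s\n' "$txt" | grep -q 'Public-Key: (2048 bit)' || _fail "public key size is not 2048"
  [ -n "$exp" ] && [ "$exp" -le 65537 ] || _fail "public exponent '$exp' exceeds 65537"
  printf '%s\n' "$txt" | grep -q 'Signature Algorithm: sha256WithRSAEncryption' \
    || _fail "signature hash is not SHA-256"
  # "Not Before" must already have passed (GNU date assumed); "Not After" must still be ahead.
  nbsec=$(date -d "$nb" +%s 2>/dev/null)
  if [ -n "$nbsec" ]; then
    [ "$nbsec" -le "$(date +%s)" ] || _fail "Not Before ($nb) is in the future"
  else
    echo "WARN: cannot parse Not Before '$nb' (GNU date needed); check skipped"
  fi
  printf '%s\n' "$cert" | openssl x509 -noout -checkend 0 >/dev/null || _fail "certificate has expired"
  [ "$cn" = "$sfi" ] || _fail "CN is '$cn', expected '$sfi'"
  [ "$uid" = "DS8K-$sfi" ] || _fail "UID is '$uid', expected 'DS8K-$sfi'"
  [ "$fails" -eq 0 ]
}

# Constructed helper: self-signed test bundle in DIR, password "secret", for the given SFI ID.
make_test_bundle() {
  dir="$1"; sfi="$2"; mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=$sfi/UID=DS8K-$sfi" -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
  openssl pkcs12 -export -in "$dir/cert.pem" -inkey "$dir/key.pem" \
    -out "$dir/bundle.p12" -passout pass:secret -name "ds8k-test"
}
```

Run `make_test_bundle /tmp/ds8k 2107-75NR699 && check_ds8k_pkcs12 /tmp/ds8k/bundle.p12 secret 2107-75NR699` to see every check pass; point the same function at a real .p12 and its import password to vet it before loading it on the storage system.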