Requesting and installing an externally signed certificate
If your current externally signed certificate expires or is about to expire, you can request a new signed certificate from a third-party certificate authority. The externally signed certificate can be installed by using the management GUI or command line interface (CLI).
- The certificate signing request must be generated on the system. IBM Storage Virtualize does not support certificate signing requests that are generated outside of the system.
- The signed certificate must contain the following X509v3 Key Usage extensions: Digital Signature. It must also contain the following X509v3 Extended Key Usage Extensions: TLS Web Server Authentication and TLS Web Client Authentication. Ensure that the Certificate Authority (CA) used to sign the certificate includes these extensions.
- Updating the certificate logs you out of the current management GUI session, requiring a fresh login. For features that allow chain of trust checking, the secure connection is not interrupted when updating the externally signed certificate.
- By default, IBM® Security Guardium® Key Lifecycle Manager key servers do not currently enable chain of trust checking with IBM Storage Virtualize. From version 4.2 onwards, this setting can be enabled. Consider enabling this setting if signed certificate chains are used in order to avoid the export of refreshed certificates to the key server.
- If you are using multifactor authentication with IBM Security Verify, the management GUI is unavailable when you update the certificate. The new externally signed certificate must be exported by using the CLI and added as a new signer certificate to IBM Security Verify for authentication to succeed.
In the management GUI, select and select Replace from the overflow menu.
In the Certificates page, select externally signed certificate and complete the form to create a request for a signed certificate for a particular use case. Export the resulting certificate signing request (CSR) to the third-party certificate authority so that it can be signed. After you receive the externally signed certificate from the third-party certificate authority, use the management GUI or command line interface (CLI) to upload and install the signed certificate on the system.
Using the management GUI
- In the management GUI, select .
- Click Create and then select the scope of the certificate from the drop-down menu.
- Select Externally Signed Certificate for the certificate type.
- If you are already using certificates, the Certificate Details are automatically populated. You can update the details. For more information on the certificate details, see step 6 in Updating or creating an internally signed certificate.
- Click Generate CSR. This action opens a dialog window to download the file. Select a location on your local machine to save the file.
- After the signing request is generated, you have the option to cancel the outstanding signing request in case of an error. To cancel any outstanding signing request, complete these steps:
- Select .
- Go to the specific certificate, select Cancel CSR and click Yes.
- Share the generated CSR file with the trusted third-party CA. If the CA is a public CA, it can take some time for the CA to verify your identity before issuing the signed certificate. When it is ready, download the signed certificate file from the CA. Also download any intermediate CA certificates that were used to sign the request. The files must all be in PEM format.
- If intermediate CAs are used to sign the certificate request, create a single file that contains the contents of the signed certificate and the contents of each intermediate CA certificate, concatenated together. The root CA certificate is not mandatory, but can optionally be included.
- Go to the specific certificate and select Install certificate.
- On the Upload Signed Certificate page, select the new signed certificate that you downloaded to your device or laptop.
- Click Install. This action uploads the certificate onto the system. For more information, see Export system certificate.
- If you are using IBM Security Guardium Key Lifecycle Manager key server, which does not currently support chain of trust checking, export the new system certificate and install it on the key server.
- If you are using multifactor authentication with IBM Security Verify, which uses the system certificate as a signer certificate, export the new system certificate and install it as a signer certificate in IBM Security Verify. The management GUI is unavailable until the new certificate is added as a signer certificate to IBM Security Verify.
Using the command-line interface (CLI)
- Enter one of the following commands to create a new certificate request:
  - Using the chsystemcert command (only for the default certificate):
    chsystemcert -mkrequest -keytype ecdsa521 -country GB -state Hampshire -locality Hursley -org MYCO -orgunit Storage -commonname svcsystem1.myco.com -email admin@myco.com -subjectalternativename "DNS:test.ibm.com"
  - Using the mksystemcertstore command to create a new main system certificate request:
    svctask mksystemcertstore -externalsigned -scope default -keytype ecdsa521 -country GB -state Hampshire -locality Hursley -org MYCO -orgunit Storage -commonname svcsystem1.myco.com -email admin@myco.com -subjectalternativename "DNS:test.ibm.com"
  The default certificate request is automatically written to /dumps/certificate.csr. For more information on delimiters, see Updating or creating an internally signed certificate.
- Use Secure Copy (SCP) or SSH File Transfer Protocol (SFTP) to copy the file /dumps/certificate.csr from the system to your local machine. Share the generated CSR file with the trusted third-party CA. If the CA is a public CA, it may take some time for the CA to verify your identity before issuing the signed certificate. When it is ready, download the signed certificate file from the CA. Also download any intermediate CA certificates that were used to sign the request. The files must all be in PEM format.
- If intermediate CAs are used to sign the certificate request, create a single certificate chain file that contains the contents of the signed certificate and the contents of each intermediate CA certificate, concatenated together. The root CA certificate is not mandatory, but can optionally be included.
- Use SCP or SFTP to copy the certificate back onto the system as the file /dumps/certificate.pem, where certificate.pem is the name of the certificate file.
- After you copy the signed certificate to the system, enter one of the following commands:
  - Using the chsystemcert command (only for the default certificate):
    chsystemcert -install -file /dumps/certificate.pem
  - Using the chsystemcertstore command:
    chsystemcertstore -install -scope default -file /dumps/certificate.pem
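Two of the steps above are easy to get wrong on the workstation before anything is copied back to the system: the returned certificate must carry the Key Usage and Extended Key Usage extensions listed in the requirements, and the chain file must be concatenated in the right order. The following script is an added example, not part of IBM's documentation or the product CLI; it assumes OpenSSL 1.1.1 or later on the workstation, and the root/intermediate/leaf certificates it creates are constructed throwaway data standing in for what a real third-party CA would return. check_cert_usage rejects a certificate that lacks Digital Signature, TLS Web Server Authentication or TLS Web Client Authentication; build_chain_file concatenates the signed certificate followed by each intermediate; verify_chain confirms the chain file validates up to the root, which is what a client doing chain-of-trust checking will see.

```shell
#!/bin/sh
# Added example (not IBM's code). Pre-flight checks for an externally signed
# certificate before it is uploaded with chsystemcert/chsystemcertstore.
# Assumes OpenSSL 1.1.1+. The test CA hierarchy is constructed data.
set -eu

# Minimal OpenSSL config with the extension profiles used below (constructed;
# a real CA applies its own profile, which is why check_cert_usage exists).
write_ext_config() {
  cat > "$1" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[server_ext]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = serverAuth,clientAuth
subjectAltName = DNS:svcsystem1.myco.com
[server_only_ext]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = serverAuth
EOF
}

# sign_cert <dir> <name> <issuer> <ext-section> <subject>: CSR plus signing.
sign_cert() {
  openssl req -new -key "$1/$2.key" -out "$1/$2.csr" -subj "$5" -config "$1/ext.cnf"
  openssl x509 -req -in "$1/$2.csr" -CA "$1/$3.pem" -CAkey "$1/$3.key" \
    -CAcreateserial -out "$1/$2.pem" -days 2 \
    -extfile "$1/ext.cnf" -extensions "$4" 2>/dev/null
}

# Build root -> intermediate -> leaf, plus a leaf that is missing clientAuth.
make_test_pki() {
  write_ext_config "$1/ext.cnf"
  for n in root int leaf leaf_bad; do
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:secp521r1 -out "$1/$n.key"
  done
  openssl req -x509 -new -key "$1/root.key" -out "$1/root.pem" -days 2 \
    -subj "/CN=Example Root CA" -config "$1/ext.cnf" -extensions ca_ext
  sign_cert "$1" int root ca_ext "/CN=Example Issuing CA"
  sign_cert "$1" leaf int server_ext "/CN=svcsystem1.myco.com"
  sign_cert "$1" leaf_bad int server_only_ext "/CN=svcsystem1.myco.com"
}

# Return 0 only if the certificate has Key Usage "Digital Signature" and an
# Extended Key Usage containing both TLS Web Server and TLS Web Client
# Authentication, the set the system requires for an externally signed cert.
check_cert_usage() {
  text=$(openssl x509 -in "$1" -noout -text) || return 2
  printf '%s\n' "$text" | grep -A1 'X509v3 Key Usage:' \
    | grep -q 'Digital Signature' || return 1
  eku=$(printf '%s\n' "$text" | grep -A1 'X509v3 Extended Key Usage:' || true)
  printf '%s\n' "$eku" | grep -q 'TLS Web Server Authentication' || return 1
  printf '%s\n' "$eku" | grep -q 'TLS Web Client Authentication' || return 1
  return 0
}

# build_chain_file <out> <signed-cert> <intermediate>...: the signed certificate
# goes first, then each intermediate in issuing order (the CA that signed the
# leaf, then its issuer, ...). Prints how many certificates were written.
build_chain_file() {
  out=$1; shift
  cat "$@" > "$out"
  grep -c 'BEGIN CERTIFICATE' "$out"
}

# verify_chain <trusted-root.pem> <chain.pem>: validate the first certificate
# in the chain file using the rest of the file as untrusted intermediates.
verify_chain() {
  openssl x509 -in "$2" | openssl verify -CAfile "$1" -untrusted "$2" >/dev/null 2>&1
}

main() {
  work=$(mktemp -d)
  make_test_pki "$work"
  for c in leaf leaf_bad; do
    if check_cert_usage "$work/$c.pem"; then echo "$c: required Key Usage/EKU present"
    else echo "$c: missing required Key Usage/EKU, do not install"; fi
  done
  n=$(build_chain_file "$work/chain.pem" "$work/leaf.pem" "$work/int.pem")
  echo "chain.pem holds $n certificates"
  verify_chain "$work/root.pem" "$work/chain.pem" && echo "chain verifies to root"
  rm -rf "$work"
}

main
```

On a real request you would skip make_test_pki and run check_cert_usage on the file the CA returned, build_chain_file with that file and the downloaded intermediates, and verify_chain against the CA's published root; only the resulting chain.pem is copied to /dumps on the system.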