Customer defined encryption certificates

You can use a custom encryption certificate in place of the Gen2 or Gen3 certificates.

A customer defined encryption certificate must meet the following requirements:
  • The certificate must have an RSA public/private key pair with a single private key.
  • The certificate must use PKCS12 format.
  • One of the following is required:
    • The hashing algorithm must be SHA-256 with a public key size of 2048.
    • The hashing algorithm must be SHA-512 with a public key size of 4096.
  • The public exponent must be 65537 or less.
  • The "Not Before" date must be before the current date.
  • The "Not After" date must be after the current date.
  • The CN field value must be the storage facility image (SFI) ID for the storage system. For example, CN=2107-75NR699.
  • The UID field value must use the following format: DS8K-SFI_ID. For example, UID=DS8K-2107-75NR699.
  • For KMIP encryption groups that use a certificate user ID for Safenet key server local authentication, the UID field value must use the following format: DS8K-SFI_ID. For example, UID=DS8K-2107-75NR699.
  • For IBM® Fibre Channel Endpoint Security, the Subject Alternative Name (subjectAltName) must contain an otherName field that includes the object identifier (OID) 1.2.840.114402.1.1.1, an encoding type, and the worldwide node name (WWNN) of the storage system in hexadecimal format. For example: otherName=1.2.840.114402.1.1.1;UTF8:AB:CD:EF:01:23:45:67:89.

    To find the WWNN of a storage system, use the LSSI command from the DS CLI interface.

  • The certificate serial number must be unique.

Example of customer defined encryption certificate request

The following example uses the OpenSSL req command to create a customer defined Certificate Signing Request (CSR) that uses an SHA-256 signature with a public key size of 2048. The -out parameter requires the output CSR file name, and the -keyout parameter requires the output key file name. The CN and UID fields use values that identify the DS8000® storage system. Note the otherName field (for use with IBM Fibre Channel Endpoint Security) that includes the OID, encoding, and WWNN for the storage system.

After the CSR file is created, you can get it signed by the certificate authority (CA) of your choice, which will result in a signed x509 certificate. You can then use OpenSSL to further combine the x509 certificate and the private key to generate a PKCS12 certificate.

openssl req -new -sha256 -nodes -out certificate_file_name.csr -newkey rsa:2048 
-keyout key_file_name.key -config <(
 cat << EOF
 [req]
 default_bits = 2048
 prompt = no
 default_md = sha256
 req_extensions = req_ext
 distinguished_name = dn

 [ dn ]
 C = country_name
 O = organizational_name
 CN = 2107-75HTC11
 UID = DS8K-2107-75HTC11

 [ req_ext ]
 subjectAltName = @alt_names

 [ alt_names ]
 otherName = 1.2.840.114402.1.1.1;UTF8:AB:CD:EF:01:23:45:67:89
EOF
)

Example of CA signing a certificate

The following example uses the OpenSSL ca command to sign a certificate as a certificate authority (CA). The command uses the openssl.cnf configuration file and uses the usr_cert section of the configuration file as an extension. The certificate will be valid for 365 days and use an SHA-256 signature. The -notext parameter indicates that the command will not create the text form of a certificate. The -in parameter requires the CSR file name that will be signed by the CA. The -out parameter requires the file name of the signed certificate in .pem format.

openssl ca -config openssl.cnf -extensions usr_cert -days 365 
-notext -md sha256 -in CSR_file_name.csr.pem -out signed_file_name.cert.pem

Example of generating a password protected PKCS12 certificate that contains a signed certificate and a private key

The following example uses the OpenSSL pkcs12 command and -export parameter to create a PKCS12 certificate that contains a signed certificate, certificate chain, and a private key. The -in parameter specifies the certificate signed by the CA. The -inkey parameter specifies the private key. The -certfile parameter specifies a certificate chain to include in the PKCS12 certificate. The -out parameter requires the file name of the PKCS12 certificate in .p12 format. The -name parameter specifies a name to associate with the PKCS12 certificate for reference. The pkcs12 command will prompt for a password to use with the certificate when it is imported into the storage system.

openssl pkcs12 -export -in signed_file_name.cert.pem -inkey private_key_name.pem 
-certfile certificate_file_name.cert.pem -out pkcs12_file_name.p12 -name "name"