System Certificates

To ensure secure communication between systems, applications, and browsers, IBM Storage FlashSystem allows you to manage system certificates using either the command-line interface (CLI) or the management GUI.

System certificates authenticate the FlashSystem to other devices and applications, enabling encrypted and trusted communication. Depending on the security needs, you can choose between:
  • Internally signed certificates (simpler, auto-renewable)
  • Externally signed certificates (trusted by public CAs, manually managed)

Certificate signing options

Internally signed certificate
  • Use case: Ideal for internal environments or where ease of management is key.
  • How it works: FlashSystem includes a built-in root Certificate Authority (CA) from version 8.5.3 onward.
  • Benefits:
    • Automatically created during system setup.
    • Can be auto-renewed, preventing expiry-related disruptions.
    • Root certificate can be exported and added to truststore for browsers, key servers (Generic KMIP servers) and other devices.
  • Limitations: Only trusted within environments where the root certificate is manually added.
Note: FlashSystem uses a built-in root CA to sign multiple system certificates for different purposes (web access, key server, internal communication). The root certificate is the trust anchor, while system certificates are scoped for specific functions.
Externally signed certificate
  • Use case: Best for public-facing systems or when compliance requires third-party trust.
  • How it works: You generate a Certificate Signing Request (CSR) and submit it to a public or enterprise CA.
  • Benefits: Trusted by most browsers and external systems.
  • Limitations:
    • Manual renewal required before expiry.
    • System alerts you 30 days before expiration.

Understanding the certificate types

Root certificate
  • Generated during first boot (version 8.5.3 and above).
  • Shared across all nodes in a system.
  • Cannot be modified by users.
  • Valid for 20 years, using a 4096-bit RSA key.
  • Distinguished Name (DN) format:
    • O: International Business Machines Corporation
    • OU: IBM Storage Virtualize Root CA
    • CN: Serial number of the configuration node
System certificate
  • Signed by:
    • Internal root CA
    • External CA
  • Presented to:
    • Web browsers
    • Key servers
    • Internal communication modules
  • Supported key types:
    • RSA 2048 / RSA 4096
    • ECDSA 384 / ECDSA 521
  • SSL protocol level 4:
    • Does not support RSA key exchange.
    • Use ECDSA if SSL level 4 is required.

Certificate scope values

Each system certificate has a scope ID that defines its purpose:
Table 1. System certificate scope values
Scope ID Use case Description
0 Default Used for web browser access, key servers, and general system authentication.
1 Key server Specifically for communication with KMIP-compatible key servers.
3 Internal communication Used for internal communication purpose, such as certificate for FlashSystem grid and partnership with remote system.
Best practices
  • Use internally signed certificates for ease of management in closed environments.
  • Use externally signed certificates when interoperability or compliance with external systems is required.