Requesting and installing an externally signed certificate

If your current externally signed certificate expires or is about to expire, you can request a new signed certificate from a third-party certificate authority. The externally signed certificate can be installed by using the management GUI or command line interface (CLI).

Note: Before requesting and installing the certificates, take the following factors into consideration:
  • The certificate signing request must be generated on the system. IBM Storage Virtualize does not support certificate signing requests that are generated outside of the system.
  • The signed certificate must contain the X509v3 Key Usage extension with Digital Signature set, and the X509v3 Extended Key Usage extension with all of TLS Web Server Authentication, TLS Web Client Authentication and Any Extended Key Usage. These extensions are set by the issuing Certificate Authority (CA), typically from its certificate template or profile, not by the CSR, so confirm before you submit the request that the CA can issue them. Public CAs generally do not issue certificates that contain Any Extended Key Usage, so an internal enterprise CA is normally required. Check the returned certificate for these extensions before you install it.
  • Updating the certificate logs you out of the current management GUI session, requiring a fresh login. For features that allow chain of trust checking, the secure connection is not interrupted when updating the externally signed certificate.
  • By default, IBM® Security Guardium® Key Lifecycle Manager key servers do not enable chain of trust checking with IBM Storage Virtualize. From version 4.2 onwards, this setting can be enabled. If the system certificate is signed by a CA, consider enabling it so that you do not have to export every renewed system certificate to the key server.
  • If you are using multifactor authentication with IBM Security Verify, the management GUI is unavailable after you update the certificate until the new one is trusted. Export the new externally signed certificate by using the CLI and add it as a new signer certificate in IBM Security Verify so that authentication succeeds again.

In the management GUI, select Settings > Security > System Certificates and select Update Certificate from the icon menu. In the Update Certificate page, select Externally Signed Certificate and complete the form to create a request for a signed certificate for your system. Send the resulting certificate signing request (CSR) to the third-party certificate authority to be signed. After you receive the externally signed certificate from the third-party certificate authority, use the management GUI or command line interface (CLI) to upload and install the signed certificate on the system.

Using the management GUI

To configure an externally signed certificate, complete these steps:
  1. In the management GUI, select Settings > Security > System Certificates.
  2. From the icon menu, select Update Certificate.
  3. In the Update Certificate page, select Certificate type as Externally Signed Certificate.
  4. If you are already using certificates, the Certificate Details are automatically populated. You can update any of the following details:
    Key type
    Select the cryptographic key type that is used to generate the certificate.
    State
    Enter the name of the state where the system requesting the certificate is located.
    City
    Enter the name of the city where the system is located.
    Organization name
    Enter the name of the organization.
    Organizational unit
    Enter the name of organizational unit.
    Common name
    Enter the common name for the certificate.
    Email Address
    Enter the email address.
    Subject alternative name
    Enter the DNS names and IP addresses under which the system is reached. Cover every name and address that a client might connect to, because modern browsers and most TLS clients match the host name or IP address they connected to against the Subject Alternative Name entries, not against the Common Name.

    Web browsers, and other features that use certificate authentication, require a Subject Alternative Name, which is an X.509 v3 extension to the public key certificate format. It binds the certificate to the names it is valid for and can hold email addresses, IP addresses, URIs and DNS names. A certificate can contain several such values so that it can be used for multiple names and addresses.

    The Subject Alternative Name field can include the management IP addresses for the cluster or their DNS names, the service IP addresses for each node in the cluster or their DNS names, and any IP addresses configured for IP replication.

    For example, if the system has a management DNS name of cluster.company.com, and service DNS names of node1.company.com and node2.company.com, enter these values in the Subject Alternative Name field. For multiple values, list each value on a separate line within the box of the Subject Alternative Name field:
    DNS:cluster.company.com
    DNS:node1.company.com
    DNS:node2.company.com
    IP:196.192.0.20
  5. Click Generate Request. A dialog opens to download the CSR file. Select a location on your local machine to save the file.
  6. After a signing request is generated, you can cancel it, for example if a detail was entered incorrectly. To cancel the outstanding signing request, complete these steps:
    1. Select Settings > Security > System Certificates.
    2. From the icon menu, select Cancel Outstanding Signing Request.
    3. Click Yes.
  7. Send the generated CSR file to the trusted third-party CA. If the CA is a public CA, it can take some time for the CA to verify your identity before it issues the signed certificate. When it is ready, download the signed certificate file from the CA. Also download any intermediate CA certificates that were used to sign the request. All files must be in PEM format.
  8. If intermediate CAs were used to sign the certificate request, create a single file that contains the signed certificate followed by each intermediate CA certificate, concatenated in issuing order from the CA that signed your request up towards the root, so that the signed certificate is first in the file. The root CA certificate is not mandatory, but can optionally be included.
  9. Select Upload Signed Certificate.
  10. On the Upload Signed Certificate page, click Add file to select the new signed certificate that you downloaded to your device or laptop.
  11. Click Upload. This action uploads the certificate onto the system. For more information, see Export certificates.
  12. If you are using an IBM Security Guardium Key Lifecycle Manager key server without chain of trust checking enabled, export the new system certificate and install it on the key server.
  13. If you are using multifactor authentication with IBM Security Verify, which uses the system certificate as a signer certificate, export the new system certificate and install it as a signer certificate in IBM Security Verify. The management GUI is unavailable until the new certificate is added as a signer certificate to IBM Security Verify.

Using the command-line interface (CLI)

In the command-line interface, use the following commands to create a new certificate request and install the signed certificate:
  1. Enter the following command to create a new certificate request:
    chsystemcert -mkrequest -keytype ecdsa521 -country GB -state Hampshire -locality Hursley -org MYCO -orgunit Storage -commonname svcsystem1.myco.com -email admin@myco.com -subjectalternativename "DNS:test.ibm.com"

    The certificate request is automatically written to /dumps/certificate.csr.

    For example, to add a DNS name to the Subject Alternative Name extension, include the following parameter in the chsystemcert CLI command: -subjectalternativename "DNS:dns.mysystem.com". For multiple values, separate the entries of the -subjectalternativename parameter with one of the recommended delimiters. Delimiters can be mixed within one value:
    Table 1. Recommended delimiters
      Space ( )
        -subjectalternativename "DNS:dns.myco.com IP:1.2.3.20 URI:http://www.myco.com email:support@myco.com"
      Comma (,)
        -subjectalternativename "DNS:dns.myco.com,IP:1.2.3.20,URI:http://www.myco.com,email:support@myco.com"
      Semi-colon (;)
        -subjectalternativename "DNS:dns.myco.com;IP:1.2.3.20;URI:http://www.myco.com;email:support@myco.com"
      Newline (\n), for Linux® or UNIX operating systems
        -subjectalternativename "DNS:dns.myco.com\nIP:1.2.3.20\nURI:http://www.myco.com\nemail:support@myco.com"
      Tab (\t), for Linux or UNIX operating systems
        -subjectalternativename "DNS:dns.myco.com\tIP:1.2.3.20\tURI:http://www.myco.com\temail:support@myco.com"
      Carriage return (\r), for Windows operating systems
        -subjectalternativename "DNS:dns.myco.com\rIP:1.2.3.20\rURI:http://www.myco.com\remail:support@myco.com"
      Carriage return with newline (\r\n), for Windows operating systems
        -subjectalternativename "DNS:dns.myco.com\r\nIP:1.2.3.20\r\nURI:http://www.myco.com\r\nemail:support@myco.com"
    For more information about supported delimiters, see the chsystemcert CLI command.
  2. Use secure copy (scp) to copy the file /dumps/certificate.csr from the system to your local machine. Send the CSR file to the trusted third-party CA. If the CA is a public CA, it may take some time for the CA to verify your identity before it issues the signed certificate. When it is ready, download the signed certificate file from the CA. Also download any intermediate CA certificates that were used to sign the request. All files must be in PEM format.
  3. If intermediate CAs were used to sign the certificate request, create a single certificate chain file that contains the signed certificate followed by each intermediate CA certificate, concatenated in issuing order from the CA that signed your request up towards the root, so that the signed certificate is first in the file. The root CA certificate is not mandatory, but can optionally be included.
  4. Use secure copy (scp) to copy the signed certificate or chain file back onto the system as /dumps/certificate.pem, where certificate.pem is the file name you choose for the certificate.
  5. After you copy the signed certificate to the system, enter the following command:
    chsystemcert -install -file /dumps/certificate.pem
    where /dumps/certificate.pem is the absolute path name of the signed certificate or certificate chain file.
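The checks a practitioner runs on the workstation between steps 2 and 5 of the CLI procedure (equally, between steps 7 and 8 of the GUI procedure), before anything is copied back to the system, as an added example that is not part of the IBM documentation or the product: it uses only openssl(1) and POSIX sh, builds a throwaway root, issuing CA and leaf certificate (constructed here so that the script runs offline; in practice the CSR is the one copied from /dumps/certificate.csr and the certificates are the ones the CA returned), and then confirms that the returned certificate carries the Key Usage and Extended Key Usage values listed in the Note above, that the Subject Alternative Name entries are the expected ones, that the certificate's public key is the key in the system's CSR, assembles the chain file with the signed certificate first and verifies it against the root. The host names, the IP address, the file names and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not IBM's code: checks an admin runs with openssl(1) on the workstation
# holding the CSR copied from /dumps/certificate.csr and the files the CA returned.
# Names, addresses, file and function names are assumptions; the CA hierarchy is
# constructed on the fly so the script runs offline.
set -eu

# has_ext_value CERT "<extension header as openssl -text prints it>" "<value>":
# succeeds if the header line or the line after it contains the value.
has_ext_value() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -A1 "$2" | grep -q -- "$3"
}

# check_required_extensions CERT: the Key Usage and Extended Key Usage values the
# system requires, plus a Subject Alternative Name of some kind (header line matches).
check_required_extensions() {
    has_ext_value "$1" "X509v3 Key Usage" "Digital Signature" || return 1
    for eku in "TLS Web Server Authentication" "TLS Web Client Authentication" \
               "Any Extended Key Usage"; do
        has_ext_value "$1" "X509v3 Extended Key Usage" "$eku" || return 1
    done
    has_ext_value "$1" "X509v3 Subject Alternative Name" "Subject Alternative Name"
}

# check_san CERT NAME...: every NAME, written as openssl prints it (for example
# "DNS:node1.company.com" or "IP Address:192.0.2.20"), must be in the SAN extension.
check_san() {
    cert=$1; shift
    for name in "$@"; do
        has_ext_value "$cert" "X509v3 Subject Alternative Name" "$name" || return 1
    done
}

# csr_key_matches CSR CERT: the CA must have signed the system's own request, so the
# public key in the certificate has to equal the public key in the CSR.
csr_key_matches() {
    [ "$(openssl req -in "$1" -noout -pubkey)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# build_chain OUT LEAF [INTERMEDIATE...]: signed certificate first, then each
# intermediate in issuing order. Re-encoding through openssl makes a non-PEM file or a
# missing trailing newline fail loudly. Prints the number of certificates written.
build_chain() {
    out=$1; shift
    : > "$out"
    for f in "$@"; do openssl x509 -in "$f" >> "$out"; done
    grep -c "BEGIN CERTIFICATE" "$out"
}

# verify_chain CHAIN ROOT: verify the first certificate in CHAIN (the leaf) with the
# rest of CHAIN as untrusted intermediates and ROOT as the only trust anchor.
verify_chain() {
    openssl verify -CAfile "$2" -untrusted "$1" "$1" >/dev/null 2>&1
}

# make_demo_pki DIR: constructed root -> issuing CA -> leaf. The leaf CSR mirrors the
# chsystemcert -mkrequest example above (ECDSA P-521, same subject); good.pem has the
# required extensions, bad.pem was issued from a template that lacks two of the EKUs.
make_demo_pki() (
    cd "$1"
    cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[good]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = serverAuth,clientAuth,anyExtendedKeyUsage
subjectAltName = DNS:cluster.company.com,DNS:node1.company.com,DNS:node2.company.com,IP:192.0.2.20
[bad]
keyUsage = critical,digitalSignature
extendedKeyUsage = serverAuth
EOF
    openssl req -x509 -config req.cnf -newkey rsa:2048 -nodes -keyout root.key \
        -out root.pem -days 30 -subj "/CN=Demo Root CA" 2>/dev/null
    openssl req -new -config req.cnf -newkey rsa:2048 -nodes -keyout inter.key \
        -out inter.csr -subj "/CN=Demo Issuing CA" 2>/dev/null
    openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -days 30 -extfile req.cnf -extensions ca_ext -out inter.pem 2>/dev/null
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:secp521r1 -out system.key
    openssl req -new -config req.cnf -key system.key -out certificate.csr \
        -subj "/C=GB/ST=Hampshire/L=Hursley/O=MYCO/OU=Storage/CN=svcsystem1.myco.com"
    for v in good bad; do
        openssl x509 -req -in certificate.csr -CA inter.pem -CAkey inter.key \
            -CAcreateserial -days 30 -extfile req.cnf -extensions "$v" -out "$v.pem" 2>/dev/null
    done
)

WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
make_demo_pki "$WORK"
for v in good bad; do
    check_required_extensions "$WORK/$v.pem" && echo "$v.pem: required extensions present" \
        || echo "$v.pem: a required extension is missing, do not install it"
done
n=$(build_chain "$WORK/certificate.pem" "$WORK/good.pem" "$WORK/inter.pem")
csr_key_matches "$WORK/certificate.csr" "$WORK/good.pem" \
    && verify_chain "$WORK/certificate.pem" "$WORK/root.pem" \
    && echo "certificate.pem: $n certificates, key matches the CSR, chain verifies"
```

Run as-is to see the constructed case. Against real files, call check_required_extensions, check_san and csr_key_matches on the certificate the CA returned and on the CSR copied off the system, build the chain from that certificate plus the CA's intermediates, and copy the result to /dumps/certificate.pem only when verify_chain succeeds against the CA's root. The bad.pem branch is the failure the Note above warns about: a certificate issued without TLS Web Client Authentication or Any Extended Key Usage is best caught here, before chsystemcert -install, rather than after the GUI session has been logged out.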