Certificate management
You can manage your unique self-signed vSnap certificate in the IBM Spectrum® Protect Plus environment.
Managing vSnap certificates
Beginning with IBM Spectrum Protect Plus version 10.1.11, each vSnap generates a unique self-signed certificate during the initial registration or deployment of the vSnap server. The certificate is configured with a hostname that is automatically detected during the initialization.
- The following hostnames are embedded in the certificate by default:
- Common Name (CN)
- This is set to the fully qualified domain name (FQDN) of the vSnap server. Determine the Common Name by using the following command:
$ hostname --fqdn
- Subject Alternative Names (SAN)
- Determine the short name and IP address by using the following commands:
$ hostname
$ hostname -I
Note: When registering a vSnap in IBM Spectrum Protect Plus server, the vSnap certificate must be pasted or uploaded. The hostname or IP of the vSnap as entered in the IBM Spectrum Protect Plus UI must exactly match one of the SANs embedded in the vSnap certificate.
- Refer to the inline help on the vSnap server using the following commands:
$ vsnap system cert show --help
$ vsnap system cert regenerate --help
- To view the current certificate in PEM format, use the following command:
$ vsnap system cert show
This can be used to obtain the certificate that should be pasted or uploaded in the IBM Spectrum Protect Plus UI while registering a vSnap.
- If the existing CN or SAN in the certificate are incorrect, use the following command to regenerate a new self-signed certificate with the correct names.
$ vsnap system cert regenerate --hostnames <list_of_comma_separated_hostnames> --ipaddrs <optional_list_of_comma_separated_IPs>
For example:
$ vsnap system cert regenerate --hostnames "vsnap1.example.com,vsnap1" --ipaddrs "10.11.128.1"
- Alternatively, if you want to use a custom CA-signed certificate, obtain the necessary certificate and key files (in PEM format) and place them at the following locations:
- The certificate (.crt file) must be placed under /etc/vsnap/ssl/spp-vsnap.crt
- The private key (.key file) must be placed under /etc/vsnap/ssl/spp-vsnap.key
- After regenerating or replacing the certificate, the vSnap API service must be restarted by using the following command:
$ sudo systemctl restart vsnap-api
- Check if the new certificate is installed correctly by using the following command:
$ vsnap system cert show
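The note above requires the hostname or IP entered in the IBM Spectrum Protect Plus UI to exactly match one of the SANs, so it is worth checking the value against the certificate before registering. The following is an added example, not IBM's own tooling: the function names cert_sans, san_matches and make_sample_cert are hypothetical, the openssl CLI is assumed to be installed, and the sample certificate is constructed from the page's example names.

```shell
#!/bin/sh
# Added example: exact-match check of a name or IP against a certificate's SANs.
# Real use (assumes the PEM output was saved to a file):
#   vsnap system cert show > vsnap.crt && san_matches vsnap.crt vsnap1.example.com

# Print each SAN entry of the PEM certificate in $1 on its own line.
cert_sans() {
    openssl x509 -in "$1" -noout -text |
        awk '/Subject Alternative Name/ { getline; print; exit }' |
        tr ',' '\n' |
        sed -e 's/^ *//' -e 's/ *$//' -e 's/^DNS://' -e 's/^IP Address://'
}

# Succeed only if $2 is exactly one of the SANs in certificate $1.
# -F: literal string (dots are not wildcards); -x: whole-entry match.
san_matches() {
    cert_sans "$1" | grep -Fxq -- "$2"
}

# Build a throwaway self-signed certificate in directory $1 (constructed sample
# reusing the page's example names; it is not a real vSnap certificate).
make_sample_cert() {
    cat > "$1/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = vsnap1.example.com
[ext]
subjectAltName = DNS:vsnap1.example.com, DNS:vsnap1, IP:10.11.128.1
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/req.cnf" \
        -keyout "$1/sample.key" -out "$1/sample.crt" 2>/dev/null
}

demo_dir=$(mktemp -d)
make_sample_cert "$demo_dir"
for name in vsnap1.example.com vsnap1 10.11.128.1 vsnap1.example.org 10.11.128.10; do
    if san_matches "$demo_dir/sample.crt" "$name"; then
        echo "match     $name"
    else
        echo "NO MATCH  $name"
    fi
done
rm -rf "$demo_dir"
```

A value that fails this check, such as an IP that shares only a prefix with a SAN or a name under a different domain, is a case for regenerating the certificate with the correct names.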