Certificate management

You can manage your unique self-signed vSnap certificate in the IBM Spectrum® Protect Plus environment.

Managing vSnap certificates

Beginning with IBM Spectrum Protect Plus version 10.1.11, each vSnap generates a unique self-signed certificate during the initial registration or deployment of the vSnap server. The certificate is configured with a hostname that is automatically detected during the initialization.

  • The following hostnames are embedded in the certificate by default:
    Common Name (CN)
    This is set to the fully qualified domain name (FQDN) of the vSnap server. Determine the common name by using the following command:
    $ hostname --fqdn
    Subject Alternative Names (SAN)
    Determine the short name and IP address by using the following commands:
    $ hostname
    $ hostname -I
    Note: When registering a vSnap in the IBM Spectrum Protect Plus server, the vSnap certificate must be pasted or uploaded. The hostname or IP address of the vSnap as entered in the IBM Spectrum Protect Plus UI must exactly match one of the SANs embedded in the vSnap certificate.
  • Refer to the inline help on the vSnap server using the following commands:
    $ vsnap system cert show --help
    $ vsnap system cert regenerate --help
  • To view the current certificate in PEM format, use the following command:
    $ vsnap system cert show
    This can be used to obtain the certificate that should be pasted or uploaded in the IBM Spectrum Protect Plus UI while registering a vSnap.
  • If the existing CN or any SAN in the certificate is incorrect, use the following command to regenerate a new self-signed certificate with the correct names:
    $ vsnap system cert regenerate --hostnames <list_of_comma_separated_hostnames> --ipaddrs <optional_list_of_comma_separated_IPs>
    For example:
    $ vsnap system cert regenerate --hostnames "vsnap1.example.com,vsnap1" --ipaddrs "10.11.128.1"
  • Alternatively, if you want to use a custom CA-signed certificate, obtain the necessary certificate and key files (in PEM format) and place them at the following locations:
    • The certificate (.crt file) must be placed at /etc/vsnap/ssl/spp-vsnap.crt
    • The private key (.key file) must be placed at /etc/vsnap/ssl/spp-vsnap.key
  • After regenerating or replacing the certificate, the vSnap API service must be restarted by using the following command:
    $ sudo systemctl restart vsnap-api
  • Check if the new certificate is installed correctly by using the following command:
    $ vsnap system cert show
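
The note above requires the name entered in the IBM Spectrum Protect Plus UI to exactly match a SAN in the certificate. The following script is an added example, not part of the IBM documentation, that checks this before registration. It assumes openssl is installed and that the certificate is available as a PEM file; the function names and the sample text are constructed for illustration.

```shell
#!/bin/sh
# Added example (not IBM code): confirm that the name you plan to enter in
# the UI is exactly one of the SANs in a PEM certificate.

# san_list: read `openssl x509 -noout -text` output on stdin and print one
# SAN value per line, with the "DNS:" and "IP Address:" prefixes removed.
san_list() {
    awk 'f { print; f = 0 } /X509v3 Subject Alternative Name/ { f = 1 }' |
        tr ',' '\n' |
        sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
            -e 's/^DNS://' -e 's/^IP Address://' -e '/^$/d'
}

# san_matches NAME: succeed only if NAME equals a whole SAN value
# (fixed-string, full-line comparison; no substring or wildcard matching).
san_matches() {
    san_list | grep -Fx -- "$1" >/dev/null
}

# check_vsnap_name NAME CERT_FILE: decode CERT_FILE and report the result.
check_vsnap_name() {
    if openssl x509 -in "$2" -noout -text | san_matches "$1"; then
        echo "OK: '$1' is a SAN in $2"
    else
        echo "MISMATCH: '$1' is not a SAN in $2" >&2
        return 1
    fi
}

# Constructed sample: the SAN part of `openssl x509 -noout -text` output for
# a certificate made with the regenerate example on this page.
sample_cert_text() {
    cat <<'EOF'
        X509v3 extensions:
            X509v3 Subject Alternative Name: 
                DNS:vsnap1.example.com, DNS:vsnap1, IP Address:10.11.128.1
EOF
}

# Run as: sh check_san.sh vsnap1.example.com /etc/vsnap/ssl/spp-vsnap.crt
if [ "$#" -eq 2 ]; then
    check_vsnap_name "$1" "$2"
fi
```

The script name check_san.sh is hypothetical. To check the active certificate without reading the file directly, save the output of vsnap system cert show to a file and pass that file as the second argument.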