Certificate management

You can manage your unique self-signed vSnap certificate in the IBM Storage® Protect Plus environment.

Managing vSnap certificates

Beginning with IBM Storage Protect Plus version 10.1.11, each vSnap generates a unique self-signed certificate during the initial registration or deployment of the vSnap server. The certificate is configured with a hostname that is automatically detected during the initialization.

  • The following hostnames are embedded in the certificate by default:
    Common Name (CN)
    This is set to the fully qualified domain name (FQDN) of the vSnap server. Determine the Common Name by using the following command:
    $ hostname --fqdn
    Subject Alternative Names (SAN)
    These are set to the short hostname and the IP address of the vSnap server. Determine the short name and IP address by using the following commands:
    $ hostname
    $ hostname -I
    Note: When registering a vSnap in the IBM Storage Protect Plus server, the vSnap certificate must be pasted or uploaded. The hostname or IP address of the vSnap as entered in the IBM Storage Protect Plus UI must exactly match one of the SANs embedded in the vSnap certificate.
  • Refer to the inline help on the vSnap server using the following commands:
    $ vsnap system cert show --help
    $ vsnap system cert regenerate --help
  • To view the current certificate in PEM format, use the following command:
    $ vsnap system cert show
    This can be used to obtain the certificate that should be pasted or uploaded in the IBM Storage Protect Plus UI while registering a vSnap.
  • If the existing CN or SANs in the certificate are incorrect, use the following command to regenerate the self-signed certificate with the correct names:
    $ vsnap system cert regenerate --hostnames <list_of_comma_separated_hostnames> --ipaddrs <optional_list_of_comma_separated_IPs>
    For example:
    $ vsnap system cert regenerate --hostnames "vsnap1.example.com,vsnap1" --ipaddrs "10.11.128.1"
  • After regenerating or replacing the certificate, the vSnap API service must be restarted by using the following command:
    $ sudo systemctl restart vsnap-api
  • Check if the new certificate is installed correctly by using the following command:
    $ vsnap system cert show

Using a custom CA-signed certificate

The default self-signed certificate on vSnap can optionally be replaced with a custom CA-signed certificate. Make sure that the custom certificate meets the following requirements:
  • Each vSnap must have a unique TLS certificate where the CN (Common Name) or SAN (Subject Alternative Name) matches the hostname or IP address of the vSnap server.
  • The private key that is associated with the certificate must not be encrypted. Hence, the private key must be generated without a passphrase.
  • If the certificate is signed by using a private CA (Certificate Authority), then the full certificate chain must be provided as a single file. The file must contain the vSnap server certificate, followed by the intermediate certificate (if any), followed by the root certificate, with all certificates in the PEM format.
Sample of a single file that contains the full chain:
# vSnap server certificate
-----BEGIN CERTIFICATE-----
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END CERTIFICATE-----
# Intermediate CA certificate
-----BEGIN CERTIFICATE-----
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END CERTIFICATE-----
# Root CA certificate
-----BEGIN CERTIFICATE-----
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END CERTIFICATE----- 
For example, the single file that contains the full chain can be generated by using the following command:
cat server.crt intermediate.crt root.crt > fullchain.crt
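Before copying the files into place, the requirements above (unencrypted key, key belonging to the server certificate, CN or SAN covering the name used at registration, and a correctly ordered chain) can be checked with openssl. The following script is an added example and not IBM's tooling; the function name check_vsnap_cert and the file paths are assumptions.

```bash
#!/bin/bash
# Pre-installation checks for a custom vSnap certificate bundle and key.
# Added example, not IBM tooling: needs only openssl, grep and awk.
# Usage: check_vsnap_cert <fullchain.crt> <server.key> <hostname_or_ip>
# Returns 0 when the bundle meets the requirements above; prints the first failure otherwise.
check_vsnap_cert() {
    local chain="$1" key="$2" name="$3"
    local tmp; tmp=$(mktemp -d) || return 1

    # 1. The private key must be unencrypted (no passphrase). Encrypted PEM keys carry
    #    "BEGIN ENCRYPTED PRIVATE KEY" or a "Proc-Type: 4,ENCRYPTED" header.
    if grep -q 'ENCRYPTED' "$key"; then
        echo "FAIL: private key is encrypted; generate it without a passphrase"; rm -rf "$tmp"; return 1
    fi

    # 2. Split the bundle into cert1.pem, cert2.pem, ... in file order. The first block
    #    must be the vSnap server (leaf) certificate; the rest are its issuers.
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/{n++} n{print > (d "/cert" n ".pem")}' "$chain"
    local count; count=$(grep -c 'BEGIN CERTIFICATE' "$chain") || count=0
    [ "$count" -ge 1 ] || { echo "FAIL: no PEM certificate found in $chain"; rm -rf "$tmp"; return 1; }

    # 3. The key must belong to the leaf: the public key derived from each must be identical.
    local leaf_pub key_pub
    leaf_pub=$(openssl x509 -in "$tmp/cert1.pem" -noout -pubkey 2>/dev/null) || leaf_pub=""
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || key_pub=""
    if [ -z "$leaf_pub" ] || [ "$leaf_pub" != "$key_pub" ]; then
        echo "FAIL: private key does not match the first certificate in $chain"; rm -rf "$tmp"; return 1
    fi

    # 4. CN or SAN must cover exactly the hostname or IP that will be entered in the SPP UI.
    #    openssl matches the way a TLS client does: SANs first, CN only as a fallback.
    local flag=-checkhost
    case "$name" in *:*) flag=-checkip ;; *[!0-9.]*) ;; *) flag=-checkip ;; esac
    if ! openssl x509 -in "$tmp/cert1.pem" -noout "$flag" "$name" 2>/dev/null | grep -q 'does match'; then
        echo "FAIL: $name is not covered by the certificate CN or SANs"; rm -rf "$tmp"; return 1
    fi

    # 5. Private CA chain: the leaf must verify against the certificates that follow it
    #    (intermediate(s) then root), which is the order vSnap expects in the single file.
    if [ "$count" -gt 1 ]; then
        ls "$tmp"/cert*.pem | grep -v '/cert1\.pem$' | xargs cat > "$tmp/issuers.pem"
        if ! openssl verify -CAfile "$tmp/issuers.pem" "$tmp/cert1.pem" >/dev/null 2>&1; then
            echo "FAIL: server certificate does not chain to the CA certificates in $chain"; rm -rf "$tmp"; return 1
        fi
    fi

    rm -rf "$tmp"
    echo "OK: $chain and $key satisfy the vSnap requirements for $name"
}
```

Run it as `check_vsnap_cert fullchain.crt server.key vsnap1.example.com` for every name or IP that will be entered in the UI; a bundle in the wrong order (root first) is rejected at step 3 because the first block no longer matches the key.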
To install the custom certificate, complete the following steps:
  1. Copy the certificate file to the path: /etc/vsnap/ssl/spp-vsnap.crt.

    The default certificate at that path can be overwritten.

  2. Copy the private key file to the path: /etc/vsnap/ssl/spp-vsnap.key.

    The default key at that path can be overwritten.

  3. Restart the vSnap API service by using the following command:
    sudo systemctl restart vsnap-api

    Wait a few seconds for the restart to complete.

    Use the following command to monitor the status of all services and ensure that the vsnap-api service is in the Active state.

    vsnap_status
  4. Verify the contents of the installed certificate by using the following command:
    vsnap system cert show
After the custom certificate is installed, it must be specified as part of the registration of the vSnap server in IBM Storage Protect Plus. Refer to the following topics for more information: