16 Replies. Latest reply: Jan 13, 2016 5:50 AM by Jacob Wilde

    Adding a signed SSL certificate to the Nimble GUI

    Alan Price Adventurer

      Hi all.

      We're just getting our new Nimble finished up and deployed and I was wondering if anybody had any insight into how to add a signed SSL certificate to the Nimble GUI.  I'd like to make the connection trusted and secure rather than adding exceptions to my browser.

       

      Thanks!

        • Re: Adding a signed SSL certificate to the Nimble GUI
          Ben Watson Adventurer

          I, too, have wondered this. Unfortunately I can't offer you a solution, but hoping someone can post one (I'm piggybacking on your question mainly).

          • Re: Adding a signed SSL certificate to the Nimble GUI
            Jeremy Brewer Newbie

            Bump - Looking to see if there is anything new on this.

            • Re: Adding a signed SSL certificate to the Nimble GUI
              Alan Price Adventurer

              I decided to ask support about this since it looks like there's community interest, but no answer.  As of right now, there is no way to add a custom SSL certificate to a CS-series array.  It's in the development queue as RFE #368, so it's being explored.

              • Re: Adding a signed SSL certificate to the Nimble GUI
                Daniel Duffy Adventurer

                It's pretty unbelievable that a publicly-traded company would bring a product to market without a signed SSL cert.  I still have no idea who jetty.mortbay.org is - sounds like a cert for a project that someone started in their garage.  Nimble support confirmed that they have multiple RFEs to fix this and many people have requested they do - yet they still can't say WHEN they'll do it.

                 

                But whatever, until Nimble gets this properly implemented, here is a workaround you can use:

                 

                1. Open IE as "Run as Administrator".
                2. Navigate to Tools > Internet Options > Advanced tab and deselect the following under Security:
                  * Check for publisher's certificate revocation
                  * Check for server certificate revocation*
                  * Warn about certificate address mismatch*
                3. Navigate to the Array UI and go past the security warning. On the login page, the address bar has a red box next to it which says Certificate Error. Double-click it and install the certificate in the Trusted Root... folder.
                4. Close and open IE and navigate to Array UI. (no security error should be displayed now)
                  • Re: Adding a signed SSL certificate to the Nimble GUI
                    Alan Price Adventurer

                    You're right Daniel, it is very odd that the issue hasn't been addressed yet.  I know when I added my particular feature request I was contacted by the PM team to discuss what kind of options I would want to see for SSL certificate management (import a PFX?  send an online certificate request?  upload private key and certificate files?) but nothing has yet come of that conversation.

                     

                    To address a couple of your points:

                     

                    jetty.mortbay.org is an old reference to the original creators of Jetty, MortBay.  Jetty is the Java-based web and servlet server from Eclipse that Nimble uses to offer up its interface.  The built-in self-signed certificate is a Jetty default.

                     

                    Your workaround does clear the IE warning but it also disables some critical checkpoints for validating SSL certificates in the entire browser.  IE doesn't provide a method to exempt a certificate on a particular site or for that exact cert, but Firefox does.  I use Firefox for most of my admin work now anyway, and it's especially nice since I can tell it to make the Nimble's exception permanent (but only until the certificate in the Nimble changes, or I change the DNS alias of the array).  I do the same thing with some other picky systems, notably VMware and Cisco.

                     

                    I was hoping to see the SSL certificates fixed in NOS 2.0 but alas, 'twas not to be.  Hopefully sometime very soon, especially for those prospective customers who HAVE to have a signed cert for compliance reasons (like Mark Harrison).

                     

                    Alan
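
The distinction made in the post above, exempting one exact certificate for one site name instead of switching off validation browser-wide, carried over to a script that talks to the array. This is an added example, not code from the thread or from Nimble; the host names, the `pins` store and the function names are assumptions made for illustration.

```python
import hashlib
import hmac
import socket
import ssl


class PinMismatch(Exception):
    """The host presented a certificate other than the one that was accepted."""


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER certificate, as shown in a browser's certificate viewer."""
    return hashlib.sha256(der_cert).hexdigest()


def fetch_der_cert(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Fetch the leaf certificate without chain validation; the pin check replaces it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before verify_mode is relaxed
    ctx.verify_mode = ssl.CERT_NONE  # a self-signed cert has no chain to a trusted root
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def check_exception(pins: dict, host: str, port: int, der_cert: bytes) -> str:
    """Accept der_cert only if it matches the exception stored for host:port.

    Returns "match" on success. Raises KeyError when no exception exists for
    this name (for example a new DNS alias) and PinMismatch when the array's
    certificate has changed since the exception was recorded.
    """
    key = f"{host.lower()}:{port}"
    if key not in pins:
        raise KeyError(f"no stored exception for {key}; verify the fingerprint out of band")
    pinned = pins[key].replace(":", "").lower()  # accept AA:BB:... or plain hex
    presented = fingerprint(der_cert)
    if not hmac.compare_digest(pinned, presented):
        raise PinMismatch(f"{key} presented {presented}, which is not the pinned certificate")
    return "match"
```

Record the fingerprint once after confirming it out of band, then call `check_exception(pins, host, 443, fetch_der_cert(host))` before sending credentials; both failure cases require re-verifying the certificate rather than retrying.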

                  • Re: Adding a signed SSL certificate to the Nimble GUI
                    Kent Peacock Newbie

                    A couple of points:

                     

                    1. The 2.1 release has code that generates a new self-signed certificate chain on group setup that replaces the mortbay certificate for use by the webui. There is a CA certificate and a host certificate that contains the group and array FQDNs, as well as management IP addresses. The certificates generated are also stronger than the mortbay one, using 2048-bit RSA keys and SHA hashing.

                    2. There is a mechanism whereby customer-generated certificates can be installed on an array with the aid of Nimble support. These certificates will now survive a software upgrade, which was previously not the case.

                    3. Adding the capability to create a CSR, get a signed certificate from the customer's CA, and import it is on the roadmap. We may also support automating the process that support does manually now to import the keys and certificates, and install them. I can't say when this will be released.

                     

                    The reason this has taken so long, by the way, is that the demand for the feature is relatively small. We have a support-assisted solution, cumbersome as it is, and the burden on support to do this when requested has been negligible.

                     

                    Kent

                    • Re: Adding a signed SSL certificate to the Nimble GUI
                      Rob Butterworth Newbie

                      Any update on this?  I can't add my admin page to my Okta SSO system due to the certificate warnings. 

                        • Re: Adding a signed SSL certificate to the Nimble GUI
                          Alan Price Adventurer

                          Hi Rob.

                          There remains no way to do this as an end-user but you can open a support ticket and have them assist you.  NOS was updated a few months ago to prevent it from erasing custom SSL certificates during an upgrade.  With support's help you can load your own and it will persist.  Also, the support ticket will help continue to show that there is customer demand for this feature.  I need to open a ticket myself to get one installed.

                           

                          Alan

                        • Re: Adding a signed SSL certificate to the Nimble GUI
                          John Fiallos Newbie

                          Bumping for an update.  Are we any closer to being able to do this ourselves?