9 Replies Latest reply: Dec 9, 2016 2:29 AM by Moshe Blumberg

    certificate

    Robert Vilhelmsen Wayfarer
      Is it possible to install our own certificate when running 3.5.4?

       

      Regards

      Robert

        • Re: certificate
          Moshe Blumberg Adventurer

          Hi Robert, you can use a custom certificate with version 3.x.

           

          Here is the link to the guide for the install:

          https://infosight.nimblestorage.com/InfoSight/media/cms/active/pubs_CLI_Administration_Guide.whz/eci1438791610546.html

           

          Let me know if you have any questions.

           

          Thanks,

          Moshe.

            • Re: certificate
              Robert Vilhelmsen Wayfarer

              I tried .... I think there is a typo error in the documentation.

               

              cert --gen custom-csr --subject '/C=US/ST=CA/L=San Jose/O=Nimble Storage/OU=Engineering/CN=AF106656' \ --dnslist group-kp-vma.nimblestorage.com,kp-vma.nimblestorage.com

               

              should be?

              cert --gen custom-csr --subject '/C=US/ST=CA/L=San Jose/O=Nimble Storage/OU=Engineering/CN=AF106656\' --dnslist group-kp-vma.nimblestorage.com,kp-vma.nimblestorage.com

               

              Anyway ... running the above command does not output any CA signing request?

                • Re: certificate
                  Moshe Blumberg Adventurer

                  Did you use the same settings as copied above?

                  You should change the CN to your array DNS.  >> We need to make sure the CN field contains an FQDN.

                   

                   

                  Example:

                   

                   

                   

                   

                  Step 1 :  Create the certificate or CSR

                   

                  NimbleOS $ cert --gen custom-csr --subject '/C=GB/ST=CAM/L=San Jose/O=Nimble Storage/OU=Engineering/CN=ts-emea-01-nimblestorage.com' --dnslist ts-emea-01-nimblestorage.com

                   

                  NOTE: Modern browsers like to check against the alternate subject name, so add the dnslist parameter with whatever the correct FQDN is.

                  This will output a CERTIFICATE REQUEST which will look something like this:

                   

                  -----BEGIN CERTIFICATE REQUEST-----

                   

                  blahblahblahblahblahblahblahblahblahblahblahblahblahblah

                  blahblahblahblahblahblahblahblahblahblahblahblahblahblah

                  blahblahblahblahblahblahblahblahblahblahblahblahblahblah

                  blahblahblahblahblahblahblahblahblahblahblahblahblahblah

                   

                  -----END CERTIFICATE REQUEST-----

                   

                  Copy that output and go through the process the Certificate Authority uses to generate public keys.

                   

                   

                  Step 2 : Import Custom CA cert into the array.

                   

                  NimbleOS $ cert --import custom-ca

                   

                  Copy the custom-ca certificate and press ^d.

                   

                   

                  Step 3 : Take the CSR generated in step 1, input to a CA signing request and get the certificate ready to import to array.

                   

                  NimbleOS $ cert --import custom

                   

                  Paste the certificate and press ^d.

                   

                  ---START CERTIFICATE----

                  BlahBlahBlahBlahBlahBlahRootCert

                  BlahBlahBlahBlahBlahBlahBlahBlah

                  BlahBlahBlahBlahBlahBlahBlahBlah

                  BlahBlahBlahBlahBlahBlahBlahBlah

                  ---END CERTIFICATE----

                   

                  ---START CERTIFICATE----

                  BlahBlahBlahBlahBlahBlahIntermed

                  iateCertBlahBlahBlahBlahBlahBlah

                  BlahBlahBlahBlahBlahBlahBlahBlah

                  BlahBlahBlahBlahBlahBlahBlahBlah

                  ---END CERTIFICATE----

                   

                   

                   

                   

                   

                   

                  This works for me.

                  Please feel free to let me know if you have any questions at all.

                   

                  Thanks,

                   

                  Moshe.

                    • Re: certificate
                      Robert Vilhelmsen Wayfarer

                      Got it ... did not configure CN correctly.

                      I'm using StartSSL, and I have imported the StartCOM root CA, https://startssl.com/root, and afterwards my own certificate from StartCOM.

                      My certificate gets imported, but I get an error saying it cannot be verified.

                       

                      cert --list shows:

                      custom-ca:  (Pending) /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority

                       

                      I have tried to import StartCOM intermediate CA, but it fails.

                        • Re: certificate
                          Moshe Blumberg Adventurer

                          It could be that you didn't copy the full certs, check out my added notes:

                           

                           

                          Step 1 :  Create the certificate or CSR

                           

                          NimbleOS $ cert --gen custom-csr --subject '/C=GB/ST=CAM/L=San Jose/O=Nimble Storage/OU=Engineering/CN=ts-emea-01-nimblestorage.com' --dnslist ts-emea-01-nimblestorage.com

                           

                          NOTE: Modern browsers like to check against the alternate subject name, so add the dnslist parameter with whatever the correct FQDN is.

                          This will output a CERTIFICATE REQUEST which will look something like this:

                           

                          -----BEGIN CERTIFICATE REQUEST-----

                           

                          blahblahblahblahblahblahblahblahblahblahblahblahblahblah

                          blahblahblahblahblahblahblahblahblahblahblahblahblahblah

                          blahblahblahblahblahblahblahblahblahblahblahblahblahblah

                          blahblahblahblahblahblahblahblahblahblahblahblahblahblah

                           

                          -----END CERTIFICATE REQUEST-----

                           

                          Copy that output and go through the process the Certificate Authority uses to generate public keys.

                          You might have 3 or more certificates in the chain. You will have a Root Certificate, an Intermediate Certificate and a Server Certificate.

                           

                           

                          Step 2 : Import Custom CA cert into the array.

                           

                          **For this command you will take first the Root Certificate, then the Intermediate Certificate, and paste it where told in the following command:

                           

                          NimbleOS $ cert --import custom-ca

                           

                          Copy the custom-ca certificate and press ^d.

                           

                           

                           

                           

                           

                          Step 3 : Take the CSR generated in step 1, input to a CA signing request and get the certificate ready to import to array.

                          **At this point you would take ONLY the Server Certificate and paste it in with the command below:

                           

                          NimbleOS $ cert --import custom

                           

                          Paste the certificate and press ^d.

                           

                          ---START CERTIFICATE----

                          BlahBlahBlahBlahBlahBlahRootCert

                          BlahBlahBlahBlahBlahBlahBlahBlah

                          BlahBlahBlahBlahBlahBlahBlahBlah

                          BlahBlahBlahBlahBlahBlahBlahBlah

                          ---END CERTIFICATE----

                           

                          ---START CERTIFICATE----

                          BlahBlahBlahBlahBlahBlahIntermed

                          iateCertBlahBlahBlahBlahBlahBlah

                          BlahBlahBlahBlahBlahBlahBlahBlah

                          BlahBlahBlahBlahBlahBlahBlahBlah

                          ---END CERTIFICATE----
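
The "didn't copy the full certs" failure described above can be caught on the admin workstation before pasting into `cert --import`. This is an added example, not part of the thread or of Nimble's tooling: it compares each PEM block's decoded size with the length declared in its outer DER header. The function names are illustrative and the sample block is constructed, not a real certificate.

```python
import base64
import re

# One PEM block: five dashes each side, same label in the BEGIN and END lines.
PEM_RE = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def der_declared_length(der: bytes) -> int:
    """Total size (header + body) declared by the outer DER SEQUENCE."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = der[1]
    if first < 0x80:                      # short-form length
        return 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or len(der) < 2 + n:
        raise ValueError("bad DER length")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def check_paste(text: str) -> list:
    """Return (label, status) for every well-delimited PEM block in text."""
    results = []
    for label, body in PEM_RE.findall(text):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
            declared = der_declared_length(der)
        except ValueError as exc:         # includes base64 decoding errors
            results.append((label, f"corrupt: {exc}"))
            continue
        if declared == len(der):
            status = "ok"
        elif declared > len(der):
            status = f"truncated: {declared - len(der)} bytes missing"
        else:
            status = "trailing data"
        results.append((label, status))
    return results

def make_pem(der: bytes, label: str = "CERTIFICATE") -> str:
    b64 = base64.encodebytes(der).decode()
    return f"-----BEGIN {label}-----\n{b64}-----END {label}-----\n"

# Constructed sample: a 304-byte DER SEQUENCE of zeros, not a real certificate.
SAMPLE_DER = b"\x30\x82\x01\x2c" + bytes(300)
GOOD = make_pem(SAMPLE_DER)
_lines = GOOD.splitlines()
CUT = "\n".join(_lines[:-2] + _lines[-1:]) + "\n"  # last base64 line lost

if __name__ == "__main__":
    print(check_paste(GOOD + CUT))
```

An empty result means no block had well-formed `-----BEGIN ...-----` / `-----END ...-----` lines, which is itself a sign the paste was damaged.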

                            • Re: certificate
                              Robert Vilhelmsen Wayfarer

                              I import StartCOM root CA successfully with cert --import custom-ca

                               

                              But when I try to import the intermediate startcom certificate with cert --import custom-ca, I get:

                              ERROR: Verify of the custom-ca certficate failed. Please provide a valid CA certificate.

                               

                              The intermediate certificate is:
