April 13th, 2010 05:00

Custom certificate for Celerra Manager

Hi,

How do I install a custom certificate for the Celerra Manager web page? My browsing through the docs so far has only turned up talk about the personas and CA certificates installed on a data mover.

I'd like to generate a new certificate signed from our own trusted PKI structure.

Regards,

Anders

5 Practitioner

274.2K Posts

April 13th, 2010 09:00

You are right, the process to install a custom SSL certificate is not well documented. But I have completed the process a couple of times, and it differs between 5.5 and 5.6. Here is the process for 5.6 NAS code.

To install a custom SSL certificate signed by the local Certificate Authority, you will need to modify "/nas/http/conf/celerrassl.cnf" on the Control Station.

  • Back up celerrassl.cnf

cp /nas/http/conf/celerrassl.cnf /home/nasadmin/celerrassl.cnf.bak

  • Edit celerrassl.cnf, replacing the variables with the desired settings.

IP_ADDR =

HOSTNAME_LONG =

HOSTNAME_SHORT=

  • Create a certificate request using the current key and the edited celerrassl.cnf file

/usr/bin/openssl req -new -key /nas/http/conf/current.key -config /nas/http/conf/celerrassl.cnf -out /home/nasadmin/cert_request

  • Submit the lines between --- BEGIN CERTIFICATE REQUEST --- and --- END CERTIFICATE REQUEST --- from the file "cert_request" to your local Certificate Authority.

cat /home/nasadmin/cert_request

  • Once you get a signed certificate (base-64 version), upload it to the Control Station and keep it in a safe place such as /nas/http/conf/ssl.crt/.
  • Update the symlinks to point to the new certificate

ln -s /nas/http/conf/ssl.crt/ssl_custom_cert /nas/http/conf/current.crt

  • Restart Apache to use the new certificate

If all goes well, you should see the locked symbol in the browser when you connect to Celerra Manager. Otherwise, Celerra will generate a new certificate and use it instead.
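
A pre-flight check for the step above where current.crt is repointed, as an added example that is not part of the original post: because a certificate the server cannot use is replaced by a freshly generated one, it confirms that the CA's reply is PEM, unexpired, names the host, and matches current.key. It assumes an RSA key; the function name precheck_cert and the script name precheck.sh are hypothetical.

```shell
#!/bin/sh
# Added example: pre-flight checks before current.crt is repointed at a
# CA-signed certificate. Assumes an RSA key; precheck_cert is our own name.

# Succeeds only if CERT is PEM, unexpired, issued for HOST, and carries
# the same RSA modulus as KEY (i.e. it answers the CSR made from KEY).
precheck_cert() {
    cert=$1 key=$2 host=$3

    # Fails on DER or truncated uploads: the CA reply must be base-64 PEM.
    cert_mod=$(openssl x509 -in "$cert" -noout -modulus 2>/dev/null) || {
        echo "FAIL: $cert is not a readable PEM certificate" >&2; return 2; }
    key_mod=$(openssl rsa -in "$key" -noout -modulus 2>/dev/null) || {
        echo "FAIL: $key is not a readable RSA private key" >&2; return 2; }

    if [ "$cert_mod" != "$key_mod" ]; then
        echo "FAIL: certificate was not issued for this private key" >&2
        return 1
    fi
    # -checkend 0 exits non-zero when the certificate has already expired.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo "FAIL: certificate is expired" >&2
        return 1
    fi
    # The subject should carry the name typed into the browser.
    if ! openssl x509 -in "$cert" -noout -subject | grep -qF "$host"; then
        echo "FAIL: subject does not mention $host" >&2
        return 1
    fi
    echo "OK: $cert matches $key and names $host"
}

# Usage (precheck.sh is a hypothetical file name):
#   sh precheck.sh /nas/http/conf/ssl.crt/ssl_custom_cert \
#       /nas/http/conf/current.key <HOSTNAME_LONG value>
if [ "$#" -eq 3 ]; then
    precheck_cert "$@"
fi
```
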

2 Intern

20.4K Posts

April 13th, 2010 09:00

Welcome to the forum Aaron, nice to have former IDE here

9 Posts

April 14th, 2010 00:00

Thanks a bunch! Now I just have to figure out which init script you use for Apache... if that takes too long I'll just reboot the control station.

This should be in the official documentation.

-Anders

5 Practitioner

274.2K Posts

April 14th, 2010 08:00

I usually kill the Apache root process. In 5.6 NAS code, if Apache is killed, it will be restarted automatically.

Try,

/bin/kill -TERM `cat /nas/http/logs/start_apache.pid`

6 Posts

May 12th, 2010 08:00

Hi guys, this is something I've been looking for..

How about creating a certificate signed by an external third party CA?

Do I need to import root certificates?

Cheers!

5 Practitioner

274.2K Posts

May 12th, 2010 08:00

For the control station, it is the same process for the external third party CA. No need to import a root certificate to the control station because the browser takes care of the verification to the CA; you just need the signed certificate.

Control Station looks like any other Apache server with a signed SSL certificate.

Now, if you want to implement PKI on the datamovers, that is a different story. You can find more information in the Celerra Docs under Security.

May 17th, 2011 11:00

I've used these same instructions to accept a third-party cert. Works great! However, if you have dual control stations and fail over between CS0 and CS1, the CS automatically generates the default cert and starts using it! How do we disable the automatic cert generation and stick with the custom, third-party cert?

Karl
