While installing the SSL for 443, I did not add the "selfsign false" at the end. The command did go through successfully and a "keystore show" command does list the certficate.
However, when I now try to access it over a browser, it still defaults to the self signed cert installed earlier. Is there a way to delete the self signed cert and force ECS to use the SSL cert provided by the CA ?coneryj
The certificate should be in .pem base64 fomat.
The RSA key file should start with:
-----BEGIN RSA PRIVATE KEY-----
-----BEGIN PRIVATE KEY-----
or you can verify with:
openssl x509 -in <keyfile> -text
you should append the chain file to your certificate file. This combined file is being referred to as the "certificate chain file"
3)You can use either curl directly or the ecscli command line too to install them:
via curl you'd need to use xml format to have "cat" wouldn't handle the carriage returns properly in .json format)
curl -svk -H "X-SDS-AUTH-TOKEN: $TOKEN" -H "Content-type: application/xml" -H "X-EMC-REST-CLIENT: TRUE" -X PUT -d "<rotate_keycertchain><key_and_certificate><private_key>`cat privateFile.key`</private_key><certificate_chain>`cat certChainFile.pem`</certificate_chain></key_and_certificate></rotate_keycertchain>" https://X.X.X.X:4443/object-cert/keystore
python ecscli.py keystore update -h <host> -p <port ie 4443> -cookiefile <cookiefilename> -certificatevaluefile <filnamewithfullpath> -privatekeyvaluefile <filnamewithfullpath> -selfsign <true or false>
Keep in mind that it can take up to 2 hours for the cert to be distributed. This can be more of an issue when using a load balancer.
If the problem persists you may need to restart the nginx service on the node where you uploaded the cert.